COMMAND

    rpc.mountd

SYSTEMS AFFECTED

    Some distributions/versions of AIX, Linux, Ultrix, NetBSD,
    OpenBSD, SunOS, Solaris, and probably many, many more

PROBLEM

    Peter Deviant noticed that one can discover which files any
    machine contains, so long as rpc.mountd on that machine has
    permission to read them.  rpc.mountd usually runs as root, so
    this is potentially a severe vulnerability.

    Here's what happens.  If you try to mount /etc/foobar on (e.g.) a
    Linux box (this has been tested with Ultrix also), and
    /etc/foobar does not exist, you will get this error:

    DNA:~# mount slarti:/etc/foobar /mnt
    mount: slarti:/etc/foobar failed, reason given by server: No such file or directory
    DNA:~#

    If the file does exist, and you don't have permission to read it,
    you'll get this error:

    DNA:~# mount slarti:/etc/passwd /mnt
    mount: slarti:/etc/passwd failed, reason given by server: Permission denied
    DNA:~#

    Thus, by process of elimination, one can discover what software
    packages are installed (shadow, etc.), in many cases what versions
    (such as sperl5.001), and thereby discover many security
    vulnerabilities without ever having logged on to the machine, and
    often only generating the log message:

    Aug 24 06:57:30 DNA mountd[7220]: Access by unknown NFS client 10.9.8.2.

    which doesn't emphasize the seriousness of this attack.  This
    problem also affected the Linux UNFSD rpc.mountd.

SOLUTION

    This was solved  in OpenBSD well  before 2.1 shipped.  The problem
    did exist in 2.0.

    A fixed release of the Linux Universal NFS Server is now available
    from:

        ftp://ftp.mathematik.th-darmstadt.de/pub/linux/okir