This patch will allow you to work around the HP-UX mountd security
hole.  To use this patch, you must first obtain version 7.2 of the tcp
wrapper program from ftp.win.tue.nl in /pub/security.  Then, apply
this patch, edit the Makefile to define PROCESS_OPTIONS, build tcpd,
and install it as /etc/tcpd.

Then, edit the /etc/netnfsrc file, and change the START_MOUNTD line to:



START_MOUNTD=0

Then, add a line like this to /etc/inetd.conf, and run inetd -c:

rpc  dgram  udp  wait  root  /etc/tcpd   100005 1 /usr/etc/rpc.mountd -e

Then, create a file /etc/hosts.allow, and add a line like this:

rpc.mountd: ALL@@allhps: severity=debug: allowpriv

You should now be resistant to this exploitation program.
Unfortunately, because mountd will now only answer clients that use a
reserved (privileged) source port, you will only be able to run
showmount as root from now on.

David Mazieres
dm@das.harvard.edu



----------
diff -c tcp_wrappers_7.2.orig/options.c tcp_wrappers_7.2/options.c
*** tcp_wrappers_7.2.orig/options.c     Sun Jan  8 11:00:29 1995
--- tcp_wrappers_7.2/options.c  Sun Apr  2 22:45:44 1995
***************
*** 85,90 ****
--- 85,91 ----
  static void allow_option();          /* execute "allow" option */
  static void deny_option();           /* execute "deny" option */
  static void banners_option();                /* execute "banners path" option */
+ static void allowpriv_option();               /* execute "allowpriv" option */

  /* Structure of the options table. */



***************
*** 122,127 ****
--- 123,129 ----
      "allow", allow_option, USE_LAST,
      "deny", deny_option, USE_LAST,
      "banners", banners_option, NEED_ARG,
+     "allowpriv", allowpriv_option, USE_LAST | OPT_ARG,
      0,
  };

***************
*** 612,615 ****
--- 614,641 ----
       }
      }



      return (start ? (end[1] = 0, start) : cp);
+ }
+
+ static void allowpriv_option(value, request)
+ char   *value;
+ struct request_info *request;
+ {
+     struct sockaddr_in *sin;
+     char   *level;
+
+     if (value) {
+       level = split_at(value, '.');
+       deny_severity = level ?
+           severity_map(log_fac, value) | severity_map(log_sev, level) :
+           severity_map(log_sev, value);
+     }
+
+     sin = request->client->sin;
+     if (! sin || sin->sin_family != AF_INET)
+       tcpd_jump ("allowpriv_option: bad sockaddr_in");
+     if (htons (sin->sin_port) >= IPPORT_RESERVED) {
+         deny_mesg = "unpriv client port";
+       longjmp (tcpd_buf, AC_DENY);
+     }
+     longjmp(tcpd_buf, AC_PERMIT);
  }
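Review bot: The privileged-port test `if (htons (sin->sin_port) >= IPPORT_RESERVED)` converts in the wrong direction: sin_port is in network byte order, so the portable form is `if (ntohs(sin->sin_port) >= IPPORT_RESERVED) {`. On the big-endian HP-UX target both macros are the same operation, which is why it works there, but on a little-endian host the comparison would be made against a byte-swapped port. The new function also lacks a header comment; I would add `/* allowpriv_option - permit only when the client used a reserved (<IPPORT_RESERVED) source port; an optional "facility.level" value sets deny_severity as the severity option does */` above the definition, noting that the function never returns normally (it always leaves via longjmp), so presumably any options written after it on the same line are never processed. Indentation in the new body mixes 6- and 8-column levels (`deny_mesg = "unpriv client port";` versus the lines around it); aligning it to the file's 4-space step would make the new code read like the rest of options.c.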

diff -c tcp_wrappers_7.2.orig/refuse.c tcp_wrappers_7.2/refuse.c
*** tcp_wrappers_7.2.orig/refuse.c      Wed Dec 28 11:42:40 1994
--- tcp_wrappers_7.2/refuse.c   Sun Apr  2 22:44:16 1995
***************
*** 20,31 ****

  #include "tcpd.h"

  /* refuse - refuse request */

  void    refuse(request)
  struct request_info *request;
  {
!     syslog(deny_severity, "refused connect from %s", eval_client(request));
      clean_exit(request);
      /* NOTREACHED */
  }
--- 20,38 ----

  #include "tcpd.h"

+ char    *deny_mesg;


+
  /* refuse - refuse request */

  void    refuse(request)
  struct request_info *request;
  {
!     if (deny_mesg)
!       syslog(deny_severity, "refused connect from %s (%s)",
!           eval_client(request), deny_mesg);
!     else
!         syslog(deny_severity, "refused connect from %s",
!             eval_client(request));
      clean_exit(request);
      /* NOTREACHED */
  }
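Review bot: The new definition `char    *deny_mesg;` has no comment in refuse.c even though it introduces shared state that another file sets; a short comment such as `/* optional reason appended to the refusal log line; set to a string literal by an option, NULL otherwise */` would tell a reader where the value comes from and that zero-initialization is what makes the `if (deny_mesg)` default path work. The two new syslog calls are indented inconsistently (the if-branch body at 6 columns, the else-branch at 8); using the file's existing 4-space step for both would match the surrounding code. Passing deny_mesg only as a `%s` argument rather than as part of the format is the right choice, since the message text can then never be interpreted as format directives.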
diff -c tcp_wrappers_7.2.orig/tcpd.h tcp_wrappers_7.2/tcpd.h


*** tcp_wrappers_7.2.orig/tcpd.h        Sun Jan  8 15:08:00 1995
--- tcp_wrappers_7.2/tcpd.h     Sun Apr  2 22:42:30 1995
***************
*** 84,89 ****
--- 84,90 ----
  extern char *hosts_deny_table;               /* for verification mode redirection */
  extern int hosts_access_verbose;     /* for verbose matching mode */
  extern int rfc931_timeout;           /* user lookup timeout */
+ extern char *deny_mesg;                       /* extra message when denying */

   /*
    * Routines for controlled initialization and update of request structure
