Subject: Caldera Security Advisory 96.04: Vulnerability in the mount program

Caldera Security Advisory SA-96.04
August 13th, 1996

Topic: Vulnerability in the mount program

I. Problem Description

   The mount utility is used to mount filesystems under Linux. To gain
   access to the resources it needs to support the "user" option, the
   mount program is installed set-user-id root. See mount(8) for details
   on the "user" option.

   A vulnerability in mount makes it possible to overflow an internal
   buffer whose value is under the control of the user of the mount
   program. If this buffer is overflowed with the appropriate data, a
   program such as a shell can be started. This program then runs with
   root permissions on the local machine.

   Exploitation scripts for mount have been found running on Linux
   systems for x86 hardware.

II. Impact

   On systems such as CND 1.0 and Red Hat 3.0.x that have mount
   installed set-user-id root (which is the default), an unprivileged
   user can obtain root access.

III. Solution / Workaround

   A simple workaround is to disable the SUID root bit:

      chmod 755 /bin/mount /bin/umount

   If you must run mount SUID root (e.g. to support the "user" option),
   place it in a group where it can only be executed by trusted users.

IV. References

   This and other Caldera security resources are located at:

      http://www.caldera.com/tech-ref/cnd-1.0/security/
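
The workaround in section III, as an added example that is not part of the Caldera advisory: a script that reports whether mount and umount are still set-user-id and wraps both remediation options. The function names, the group argument and mode 4750 for the restricted-group option are assumptions; the advisory specifies only `chmod 755`.

```sh
#!/bin/sh
# Added example, not part of the advisory: audit and apply the section III
# workaround. File ownership is not checked; the advisory concerns binaries
# owned by root.

# classify FILE -> missing | not-suid | suid-world | suid-restricted
classify() {
    f=$1
    [ -e "$f" ] || { echo missing; return 0; }
    # -perm -4000 matches only when the set-user-id bit is set
    if [ -z "$(find "$f" -prune -perm -4000 -print 2>/dev/null)" ]; then
        echo not-suid
    # -perm -0001 matches when "other" (any local user) may execute the file
    elif [ -n "$(find "$f" -prune -perm -0001 -print 2>/dev/null)" ]; then
        echo suid-world
    else
        echo suid-restricted
    fi
}

# The advisory's simple workaround: chmod 755 clears the SUID bit.
drop_suid() {
    chmod 755 "$@"
}

# The alternative: keep SUID but let only one group execute the binary.
# GROUP and mode 4750 are assumptions; the advisory names neither.
restrict_to_group() {
    group=$1; shift
    chgrp "$group" "$@"   # changing group can clear SUID, so set the mode after
    chmod 4750 "$@"
}

# Read-only report for the two binaries the advisory names.
for bin in /bin/mount /bin/umount; do
    printf '%s: %s\n' "$bin" "$(classify "$bin")"
done
```

Run as-is, the script only reports; `drop_suid` and `restrict_to_group` change nothing until called explicitly, and after `drop_suid` the "user" mount option no longer works for non-root users.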