• News
• Infocus
• Foundations
• Microsoft
• Unix
• IDS
• Incidents
• Virus
• Pen-Test
• Firewalls
• Columnists
• Mailing Lists
• Newsletters
• Bugtraq
• Focus on IDS
• Focus on Linux
• Focus on Microsoft
• Forensics
• Pen-test
• Security Basics
• Vuln Dev
• Vulnerabilities
• Jobs
• Job Opportunities
• Resumes
• Job Seekers
• Employers
• Tools
• RSS
• News
• Vulns
• Security Research

• info
• discussion
• exploit
• solution
• references

Solaris automount Vulnerability

The automounter daemon (automountd) answers file system mount and unmount requests from the autofs filesystem via RPC. A vulnerability has been discovered that may allow an unauthorized user to send arbitrary commands to the automounter daemons. These commands given automounter's SUID root status are executed as root.

This bug was origanally thought to be fixed by a Sun patch, however subsequent findings by a bugtraq poster discovered that the patch was insufficient. Moreover, it was initially thought that this bug was local only. Multiple parties later discovered the problem could be exploited remotely by leveraging the attack off a remote vulnerability in rpc.statd. In particular Solaris rpc.statd allows remote users to proxy RPC requests through itself so they appear to have come from the localhost.