• News
• Infocus
• Foundations
• Microsoft
• Unix
• IDS
• Incidents
• Virus
• Pen-Test
• Firewalls
• Columnists
• Mailing Lists
• Newsletters
• Bugtraq
• Focus on IDS
• Focus on Linux
• Focus on Microsoft
• Forensics
• Pen-test
• Security Basics
• Vuln Dev
• Vulnerabilities
• Jobs
• Job Opportunities
• Resumes
• Job Seekers
• Employers
• Tools
• RSS
• News
• Vulns
• Security Research

• info
• discussion
• exploit
• solution
• references

Solaris rmmount Setuid Files Vulnerability

The rmmount utility fails to enforce suid mount flags on removable media allowing anyone with access to a console with a floppy or CD-ROM device to obtain root privileges.

The rmmount utility is a removable media mounter that is executed by the volume manager whenever a CD-ROM or floppy is inserted. The man page for rmmount states that "file systems mounted by rmmount are always mounted with the nosuid flag set, thereby disabling set-uid programs and access to block or character devices in that file system."

In fact this is wrong and all a user with access to the console and a floppy or CD-ROM device has to do to obtain root access is insert a floppy or CD-ROM with a suid root shell.

It appears this vulnerability was fixed in patches to 2.5 and 2.5.1, but reintroduced in Solaris 7.