Solaris rmmount Setuid Files Vulnerability

Solaris rmmount Setuid Files Vulnerability

The rmmount utility fails to enforce suid mount flags on removable media allowing anyone with access to a console with a floppy or CD-ROM device to obtain root privileges.

The rmmount utility is a removable media mounter that is executed by the volume manager whenever a CD-ROM or floppy is inserted. The man page for rmmount states that "file systems mounted by rmmount are always mounted with the nosuid flag set, thereby disabling set-uid programs and access to block or character devices in that file system."

In fact this is wrong and all a user with access to the console and a floppy or CD-ROM device has to do to obtain root access is insert a floppy or CD-ROM with a suid root shell.

It appears this vulnerability was fixed in patches to 2.5 and 2.5.1, but reintroduced in Solaris 7.