Subject: Caldera Security Advisory 96.04: Vulnerability in the mount program

Caldera Security Advisory SA-96.04
August 13th, 1996

Topic: Vulnerability in the mount program

I. Problem Description

	The mount utility is used to mount filesystems under Linux.  To gain
	access to the resources it needs to support the "user" option, the
	mount program is installed set-user-id root.  See mount(8) for details
	on the "user" option.

	A vulnerability in mount makes it possible to overflow an internal
	buffer whose value is under the control of the user of the mount
	program. If this buffer is overflowed with the appropriate data,
	a program such as a shell can be started. This program then runs
	with root permissions on the local machine.

	Exploitation scripts for mount have been found running on Linux
	systems for x86 hardware.

II. Impact

	On systems such as CND 1.0 and Red Hat 3.0.x that have mount installed
	set-user-id root (which is the default), an unprivileged user can
	obtain root access.

III. Solution / Workaround

	A simple workaround is to disable the SUID root bit:

		chmod 755 /bin/mount /bin/umount

	If you must run mount SUID root (e.g. to support the "user" option),
	place it in a group where it can only be executed by trusted users.
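
	A check for the two remediations above, as an added example that is
	not part of the Caldera advisory: it reports whether a binary is still
	set-user-id and executable by every local user. The group name
	"mountusers" and the 4750 mode shown in the comments are assumptions
	used for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): classify a binary against the
# two remediations in section III.
# Prints: missing | ok-no-suid | ok-group-restricted | exposed
suid_status() {
    f=$1
    [ -e "$f" ] || { echo missing; return 0; }
    # test -u is true when the set-user-id bit is set (follows symlinks).
    if [ ! -u "$f" ]; then
        echo ok-no-suid            # state after: chmod 755 <file>
        return 0
    fi
    # Column 10 of the ls mode string is the "other" execute slot:
    # x or t means any local user may run the set-user-id binary.
    mode=$(ls -ldL "$f") || return 1
    case "$mode" in
        ?????????[xt]*) echo exposed ;;
        *)              echo ok-group-restricted ;;
    esac
}

# Report each path; return 1 if any is still set-user-id and
# executable by everyone, so the check can gate a cron job or script.
audit_mount() {
    rc=0
    for f in "$@"; do
        s=$(suid_status "$f")
        printf '%-28s %s\n' "$f" "$s"
        if [ "$s" = exposed ]; then rc=1; fi
    done
    return "$rc"
}

# Group-restricted layout (assumption: a hypothetical group "mountusers"
# holding only trusted accounts):
#   chgrp mountusers /bin/mount /bin/umount
#   chmod 4750 /bin/mount /bin/umount
#
# Usage: audit_mount /bin/mount /bin/umount
```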

IV. References

	This and other Caldera security resources are located at:

	http://www.caldera.com/tech-ref/cnd-1.0/security/