NFS on SunOS 4.1 through 4.1.2 ignores the high order 16 bits in a 32 bit UID, which allows a local user to gain root access if the lower 16 bits are set to 0, as fixed by the NFS jumbo patch upgrade.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Sunos | Sun | 4.1 (including) | 4.1 (including) |
| Sunos | Sun | 4.1.1 (including) | 4.1.1 (including) |
| Sunos | Sun | 4.1.2 (including) | 4.1.2 (including) |
References
- http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll\u0026doc=secbull/117\u0026type=0\u0026nav=sec.sba
- http://www.cert.org/advisories/CA-1992-15.html
- http://www.securityfocus.com/bid/47
- https://exchange.xforce.ibmcloud.com/vulnerabilities/82
- http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll\u0026doc=secbull/117\u0026type=0\u0026nav=sec.sba
- http://www.cert.org/advisories/CA-1992-15.html
- http://www.securityfocus.com/bid/47
- https://exchange.xforce.ibmcloud.com/vulnerabilities/82