NFS on SunOS 4.1 through 4.1.2 ignores the high-order 16 bits of a 32-bit UID, which allows a local user to gain root access if the lower 16 bits are set to 0, as fixed by the NFS jumbo patch upgrade.
SunOS NFS implementations on versions 4.1 through 4.1.2 are vulnerable to a privilege escalation attack. A local user can gain root access by manipulating their user ID, exploiting a flaw in how the system handles 32-bit user IDs within the NFS protocol.
Step 1: User Account Creation: A local user account is created on the vulnerable SunOS system.
Step 2: UID Manipulation: The attacker modifies their user ID (UID) to a value where the lower 16 bits are 0 (e.g., 65536, which is 0x10000 in hex). This can be achieved through various methods, including direct modification of the /etc/passwd file or using a custom program.
Step 3: NFS Mount (Optional): If the attacker needs to access files via NFS, they may mount an NFS share on the vulnerable system (though this is not strictly necessary for exploitation).
Step 4: Accessing Files/Executing Commands: The attacker attempts to access files or execute commands. The NFS server, due to the UID truncation, interprets the attacker's UID as 0 (root).
Step 5: Privilege Escalation: The attacker successfully gains root privileges, allowing them to perform any action on the system.
The vulnerability stems from an integer overflow/truncation issue in the NFS server's user ID handling. The SunOS NFS implementation processes 32-bit user IDs (UIDs) incorrectly: it considers only the lower 16 bits of the UID when performing access control checks. A local user can craft a UID whose lower 16 bits are 0 (effectively a UID of 0, which is root) and whose upper 16 bits are non-zero. When the NFS server receives this crafted UID, it discards the upper 16 bits and concludes that the caller is root. This allows the attacker to bypass access controls and execute commands with elevated privileges.
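As an added illustration, not code from the original advisory or from Sun, the following constructed C model shows the 32-bit to 16-bit narrowing the text describes beside a checked version, plus an audit helper that flags passwd(5) entries whose UID would alias to root on such a server. The 16-bit uid field, the rejecting shape of the fix and the sample entries are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the flaw: the server keeps the caller's UID in a
   16-bit field, so the high-order 16 bits of a 32-bit UID are dropped. */
typedef uint16_t uid16_t;

/* Vulnerable narrowing: 65536 (0x10000) silently becomes 0, i.e. root. */
static uid16_t narrow_uid_vulnerable(uint32_t uid32) {
    return (uid16_t)uid32;
}

/* Hardened narrowing (assumed shape of a fix, not the jumbo patch's code):
   refuse any UID that does not fit in the field instead of truncating it. */
static int narrow_uid_checked(uint32_t uid32, uid16_t *out) {
    if (uid32 > UINT16_MAX) return -1;   /* would alias another user: reject */
    *out = (uid16_t)uid32;
    return 0;
}

/* Audit helper for a passwd(5) line: true if the UID field would alias to
   root on a truncating server (low 16 bits zero, high 16 bits non-zero). */
static bool passwd_line_aliases_to_root(const char *line) {
    const char *p = line;
    for (int field = 0; field < 2; field++) {   /* skip login and password */
        p = strchr(p, ':');
        if (p == NULL) return false;
        p++;
    }
    char *end;
    unsigned long uid = strtoul(p, &end, 10);
    if (end == p || *end != ':') return false;   /* malformed UID field */
    return uid != 0 && (uid & 0xFFFFul) == 0;
}

int main(void) {
    /* Constructed sample entries, not taken from any real system. */
    const char *entries[] = {
        "root:x:0:1:Operator:/:/bin/csh",
        "alice:x:1000:10:Alice:/home/alice:/bin/csh",
        "mallory:x:65536:10:Odd UID:/home/mallory:/bin/csh",
    };
    for (size_t i = 0; i < 3; i++)
        printf("%s -> aliases_to_root=%d\n", entries[i],
               passwd_line_aliases_to_root(entries[i]));
    return 0;
}
```

Running the audit over a real passwd file (one line per call) lists the accounts that would be treated as root by a server with this defect; narrow_uid_vulnerable(65536) returning 0 is the defect itself.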