Source: cve@mitre.org
rmmount in SunOS 5.7 may mount file systems without the nosuid flag set, contrary to the documentation and its use in previous versions of SunOS, which could allow local users with physical access to gain root privileges by mounting a floppy or CD-ROM that contains a setuid program and running volcheck, when the file systems do not have the nosuid option specified in rmmount.conf.
SunOS 5.7 systems are vulnerable to a local privilege escalation through the rmmount utility, which lets a user with physical access and a local login gain root. rmmount applies the nosuid mount option only when rmmount.conf specifies it, while the documentation and earlier SunOS releases indicated that removable media would be mounted nosuid by default. On a system whose rmmount.conf does not specify nosuid, a setuid root program placed on a floppy or CD-ROM is honoured by the kernel once the media is mounted, so running it yields a root shell and complete compromise of the host.
Step 1: Physical Access and Media Preparation: The attacker has physical access to the SunOS 5.7 system and a local login, and prepares removable media (a floppy disk or CD-ROM) with a file system that carries Unix mode bits, such as ufs or hsfs.
Step 2: Payload Delivery: The attacker writes a setuid root program (for example a copy of a shell) onto the media on another machine where they have root, so the file already has owner root and the setuid bit set.
Step 3: Media Insertion: The attacker inserts the prepared media into the target system.
Step 4: rmmount Execution: The attacker runs volcheck, which asks the volume management daemon to check for newly inserted media; the daemon then invokes rmmount to mount the file system, typically under /floppy or /cdrom.
Step 5: Vulnerability Trigger: Because rmmount.conf does not specify nosuid and rmmount does not add it on its own, the mount is performed without nosuid and the kernel honours setuid bits on the media.
Step 6: Privilege Escalation: The attacker executes the setuid program from the mounted media; it runs as root and gives the attacker full control of the system.
The root cause is that rmmount does not enforce the nosuid mount option on its own for file systems mounted from removable media (floppy disks, CD-ROMs); it only passes on whatever options rmmount.conf specifies. nosuid makes the kernel ignore setuid and setgid bits on the mounted file system, which is exactly the control that stops an attacker-supplied binary on removable media from running with elevated privileges. The documentation and the behaviour of earlier SunOS releases led administrators to expect nosuid to be applied to removable media by default, so a SunOS 5.7 rmmount.conf without an explicit nosuid option silently produces setuid-capable mounts. The CVE description does not say whether the divergence is a documentation error, a changed default, or an rmmount bug; the exploitable condition is simply a mount of untrusted media without nosuid. An attacker then only needs to write a setuid root program onto media, get it mounted with volcheck, and execute it.
This vulnerability is not directly associated with specific APT groups due to its age and the nature of the attack. However, any attacker with physical access could exploit it. It is unlikely to be in the CISA KEV catalog due to its age and the low likelihood of active exploitation. However, the potential impact (complete system compromise) makes it a high-priority vulnerability for legacy systems.
Monitor system logs for volume management and rmmount activity, in particular mounts of removable media under /floppy and /cdrom.
Inspect the options of currently mounted file systems with the mount command (mount -v on Solaris) or by reading /etc/mnttab. Any /floppy or /cdrom entry whose option list lacks nosuid is a setuid-capable mount of untrusted media.
Review /etc/rmmount.conf (if it exists) to verify that it actually specifies nosuid for the file system types that can carry setuid bits, rather than assuming the documented default.
Monitor for the execution of setuid programs from removable media; with BSM auditing enabled, exec records for binaries under /floppy or /cdrom are the signal to look for.
Examine system logs for unusual activity following the mounting of removable media, such as a root shell or other unexpected binaries started by an ordinary user session.
Ensure that nosuid is applied to every file system rmmount mounts. Do not rely on the documented default: specify it explicitly in /etc/rmmount.conf for the file system types that honour setuid bits (ufs, hsfs and, where supported, udfs), and confirm with mount -v after inserting media that the option took effect.
Apply the vendor patch, or upgrade to a supported version of SunOS or a more modern operating system that addresses this vulnerability.
Restrict physical access to the system to prevent unauthorized media insertion, since the attack depends on inserting attacker-prepared media.
Implement file system integrity monitoring for system binaries as defense in depth; note that this attack brings its own setuid binary on the media rather than modifying installed ones, so integrity monitoring detects follow-on tampering rather than the initial escalation.
Regularly review and update system configurations to ensure security best practices are followed.
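The following script is an added example, not part of the advisory or of Sun's tooling. It implements the two checks described in the detection and mitigation notes above: an audit of mnttab-style mount records for removable media mounted without nosuid, and an audit of an rmmount.conf for a mount line that actually applies nosuid to a given file system type. The sample mnttab lines and rmmount.conf fragments are constructed for illustration; the assumed rmmount.conf line shape is `mount <device-regex> [fstype ...] -o <options>`, as in later Solaris default configurations. On SunOS 5.7 run it with AWK=nawk, since /usr/bin/awk there is the old awk.

```shell
#!/bin/sh
# Added example (not from the advisory): audit checks for the rmmount nosuid
# condition. Each check reads its input from stdin, so on a live host:
#   check_removable_nosuid < /etc/mnttab
#   check_rmmount_conf ufs  < /etc/rmmount.conf
# On SunOS 5.7 set AWK=nawk; /usr/bin/awk there is the old awk.
AWK=${AWK:-awk}

# Print every vold-managed mount (under /floppy or /cdrom) whose option list
# lacks nosuid. Exit status 1 if any were found, 0 otherwise.
# mnttab fields: special, mount point, fstype, options, mount time.
check_removable_nosuid() {
    $AWK '
    $2 ~ /^\/floppy\// || $2 ~ /^\/cdrom\// {
        n = split($4, opt, ",")
        found = 0
        for (i = 1; i <= n; i++) if (opt[i] == "nosuid") found = 1
        if (!found) { print "setuid honoured on " $2 " (" $3 ": " $4 ")"; bad = 1 }
    }
    END { if (bad) exit 1; exit 0 }'
}

# Exit 0 if the rmmount.conf on stdin contains a "mount" line whose -o option
# list includes nosuid and which applies to the requested fstype (named
# explicitly, or no fstype listed at all, which means every type).
# Assumed line shape: mount <device-regex> [fstype ...] -o <options>
check_rmmount_conf() {
    $AWK -v want="$1" '
    $1 == "mount" {
        ntypes = 0; hasopt = 0
        for (i = 3; i <= NF; i++) {
            if ($i == "-o") { hasopt = 1; opts = $(i + 1); break }
            types[++ntypes] = $i
        }
        if (!hasopt) next
        applies = (ntypes == 0)
        for (i = 1; i <= ntypes; i++) if (types[i] == want) applies = 1
        if (!applies) next
        m = split(opts, o, ",")
        for (i = 1; i <= m; i++) if (o[i] == "nosuid") ok = 1
    }
    END { if (ok) exit 0; exit 1 }'
}

# Constructed sample mnttab: a floppy mounted with setuid honoured (the
# vulnerable case) and a CD-ROM mounted nosuid (the intended case).
SAMPLE_MNTTAB='/dev/dsk/c0t0d0s0 / ufs rw,intr,largefiles,suid,dev=800000 936000000
/vol/dev/diskette0/unnamed_floppy /floppy/unnamed_floppy ufs rw,intr,dev=16c0001 936000100
/vol/dev/dsk/c0t6d0/sol_7_sparc /cdrom/sol_7_sparc hsfs ro,nosuid,dev=16c0002 936000200'

# Constructed rmmount.conf fragments: one with no mount-option line at all
# (the condition this CVE describes) and one that adds nosuid explicitly.
CONF_VULN='ident hsfs ident_hsfs.so cdrom
ident ufs ident_ufs.so cdrom floppy
action cdrom action_filemgr.so
action floppy action_filemgr.so'
CONF_FIXED="$CONF_VULN
mount * hsfs udfs ufs -o nosuid"

audit_sample_mnttab() { printf '%s\n' "$SAMPLE_MNTTAB" | check_removable_nosuid; }
audit_conf_vuln()     { printf '%s\n' "$CONF_VULN"  | check_rmmount_conf ufs; }
audit_conf_fixed()    { printf '%s\n' "$CONF_FIXED" | check_rmmount_conf ufs; }

# Run against the constructed samples: sh this_script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    audit_sample_mnttab || echo "mnttab audit: setuid-capable removable mounts found"
    audit_conf_vuln && echo "vulnerable conf: ufs covered by nosuid" \
                    || echo "vulnerable conf: no nosuid line covers ufs"
    audit_conf_fixed && echo "fixed conf: ufs covered by nosuid"
fi
```

The mnttab check keys on the /floppy and /cdrom mount points that the volume manager uses, so it also flags media mounted nosuid-less by any other path that lands there; the rmmount.conf check deliberately refuses to credit a mount line that names other file system types only, which is why a configuration covering hsfs and ufs still reports pcfs as uncovered.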