EMH - EMH - EMH - EMH - EMH - EMH - EMH - EMH - EMH - EMH - EMH - EMH - EMH
         SECURITY ALERT - MINIX mount(0) and umount(0)
EMH - EMH - EMH - EMH - EMH - EMH - EMH - EMH - EMH - EMH - EMH - EMH - EMH

Security hole in:  mount(0)
                   umount(0)
Compromises:       Denial of Service
                   Access to restricted files
Exploitable:       locally
Fix:               See below

Description:

The mount(0) and umount(0) programs included with MINIX 1.7.2 have a
security problem: any local user with access to them can potentially gain
access to any filesystem accessible to your machine, and/or cause a denial
of service with mount(0). Both mount(0) and umount(0) are suid root, which
in most cases is unnecessary. If you need users to be able to mount
filesystems then there is unfortunately no fix.

Exploit Example:

    $ mount /dev/hd3a /mnt
    $ cd /mnt
    $ rm boot
    Remove boot? (mode = 644) y
    $ ls -al boot
    ls: boot: No such file or directory

Fix:

1. Mount your real root filesystem if you are using a ramdisk. Ex.

       # mount /dev/hd3a /mnt

   If you actually have your root partition mounted, cd to /bin and skip
   to step 2.

       # cd /mnt/bin

2.     # chmod -s mount
       # chmod -s umount

The included Makefile in /usr/src/commands/simple does not install mount(0)
or umount(0) as suid, so no patch is needed.

Report and Fix by Ghost in the Machine (bf130@freenet.uchsc.edu).
Exploit idea from Chris F. (chris@whiterose.net)
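
A check for the fix above, added here as an example and not part of the
original advisory. It confirms that mount and umount no longer carry the
setuid or setgid bit in each bin directory you name, which matters on a
ramdisk system where both /bin and the real root's bin (for example
/mnt/bin) exist. The function name check_suid is hypothetical, and the
script assumes a POSIX sh whose test supports -u and -g.

```shell
#!/bin/sh
# Added example: verify the "chmod -s mount umount" fix was applied.
# Assumption: POSIX sh with test -u / -g available.

# check_suid BINDIR...
# Prints one status line per binary and returns the number of binaries
# that still have a setuid or setgid bit (0 means the fix is in place).
check_suid() {
    bad=0
    for bindir in "$@"; do
        for prog in mount umount; do
            f="$bindir/$prog"
            if [ ! -e "$f" ]; then
                # Not installed here; nothing to strip.
                echo "MISSING  $f"
            elif [ -u "$f" ] || [ -g "$f" ]; then
                # chmod -s clears both bits, so either one means
                # the fix has not been applied to this copy.
                echo "SUID     $f"
                bad=$((bad + 1))
            else
                echo "OK       $f"
            fi
        done
    done
    return "$bad"
}

# Run directly with the directories to check, e.g.:
#   sh check_suid.sh /bin /mnt/bin
if [ "$#" -gt 0 ]; then
    check_suid "$@"
fi
```

A non-zero exit status is the count of binaries still needing chmod -s.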