| NFS does not properly identify UID | |
|---|---|
| Risk Level: | High |
| Check or Attack Name: | nfsuid |
| Platforms: | NFS: old versions |
| Description: | Some NFS servers do not properly check the UID. Technically, because of improper masking of UIDs (a UID is 16 bits, and the value passed is 32 bits; the root check is performed on the 32-bit value before masking), it is very easy to masquerade as root. An attacker can take advantage of the UID bug to masquerade as root and read and write root-owned files. |
| Remedy: | Obtain an NFS patch from your vendor. SunOS Patch ID# 100173-13 is available at http://sunsolve.sun.com/sunsolve/pubpatches/patches.html. For specific patch IDs, see the appropriate CERT Advisory listed in the References. |
| References: | CERT Advisory CA-94.15, NFS Vulnerabilities, http://www.cert.org/advisories/CA-94.15.NFS.Vulnerabilities.html; CERT Advisory CA-94.02, Revised Patch for SunOS /usr/etc/rpc.mountd Vulnerability, http://www.cert.org/ftp/cert_advisories/CA-94:02.REVISED.SunOS.rpc.mountd.vulnerability; CERT Advisory CA-93.15, /usr/lib/sendmail, /bin/tar, and /dev/audio Vulnerabilities, http://www.cert.org/ftp/cert_advisories/CA-93:15.SunOS.and.Solaris.vulnerabilities; CERT Advisory CA-92.15, Multiple SunOS Vulnerabilities Patched, http://www.cert.org/ftp/cert_advisories/CA-92:15.Multiple.SunOS.vulnerabilities.patched; CERT Advisory CA-91.21, SunOS NFS Jumbo and fsirand Patches, http://www.cert.org/ftp/cert_advisories/CA-91:21.SunOS.NFS.Jumbo.and.fsirand |
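
The check-before-mask ordering from the Description, next to two corrected forms, as an added C example (not code from any NFS server or vendor patch). The function names and `ANON_UID` are assumptions, and the root check is modelled as mapping UID 0 to an anonymous UID.

```c
#include <stdint.h>
#include <stdio.h>

#define ANON_UID 65534u /* assumed anonymous UID that root is mapped to */

/* Flawed ordering: root is tested on the full 32-bit wire value,
 * and only afterwards is the value narrowed to 16 bits. */
static uint16_t map_uid_flawed(uint32_t wire_uid)
{
    if (wire_uid == 0)
        return ANON_UID;
    return (uint16_t)(wire_uid & 0xFFFFu);
}

/* Corrected ordering: narrow first, then test the value actually used. */
static uint16_t map_uid_masked_first(uint32_t wire_uid)
{
    uint16_t uid = (uint16_t)(wire_uid & 0xFFFFu);
    return uid == 0 ? ANON_UID : uid;
}

/* Stricter form: refuse anything that does not fit in 16 bits.
 * Returns 0 and fills *out on success, -1 when the value is rejected. */
static int map_uid_strict(uint32_t wire_uid, uint16_t *out)
{
    if (wire_uid > 0xFFFFu)
        return -1;
    *out = wire_uid == 0 ? ANON_UID : (uint16_t)wire_uid;
    return 0;
}

/* Regression check: over every wire value whose low 16 bits are zero,
 * count how many come out of the mapping as effective UID 0. */
static unsigned count_root_leaks(uint16_t (*map)(uint32_t))
{
    unsigned leaks = 0;
    for (uint32_t hi = 0; hi <= 0xFFFFu; hi++)
        if (map(hi << 16) == 0)
            leaks++;
    return leaks;
}

int main(void)
{
    uint16_t out = 0;
    printf("flawed leaks:       %u\n", count_root_leaks(map_uid_flawed));
    printf("masked-first leaks: %u\n", count_root_leaks(map_uid_masked_first));
    printf("strict rejects oversized: %d\n", map_uid_strict(0x10000u, &out) == -1);
    return 0;
}
```
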