Users login

Create an account »


Users login

Home » Security Advisories» FreeBSD » Unauthorized access via mount_union

Unauthorized access via mount_union

A bug was found in the vfsload(3) library call that affects all versions of FreeBSD from 2.0 through 2.2-CURRENT that caused a system vulnerability.

  • Vendor: FreeBSD
  • Vendor ID: FreeBSD-SA-96:09
  • Date: May 17, 1996


FreeBSD-SA-96:09 Security Advisory
Revised: Wed May 22 00:20:09 PDT 1996 FreeBSD, Inc.

Topic: unauthorized access via mount_union / mount_msdos (vfsload)

Category: core
Module: libc
Announced: 1996-05-17
Affects: FreeBSD 2.0, 2.0.5, 2.1, 2.1-stable, and 2.2-current
Corrected: 1996-05-17 2.1-stable and 2.2-current sources
Source: FreeBSD native bug
FreeBSD only: yes



I. Background

A bug was found in the vfsload(3) library call that affects all
versions of FreeBSD from 2.0 through 2.2-CURRENT that caused a
system vulnerability. This problem is present in all source
code and binary distributions of FreeBSD version 2.x released
before 1996-05-18.

The FreeBSD project is aware of active exploits of this

All FreeBSD users are encouraged to use the workaround provided
until they can update their operating system to a version with
this vulnerability fixed.

II. Problem Description

The mount_union and mount_msdos programs invoke another system
utility in an insecure fashion while setuid root.

III. Impact

The problem could allow local users to gain unauthorized

This vulnerability can only be exploited by users with a valid
account on the local system.

IV. Solution(s)

Update operating system sources and binaries to FreeBSD 2.1-stable

or FreeBSD 2.2-current as distributed later than 1996-05-18 or
if you are currently running 2.1 or later, you may apply the
solution patches available at the URL listed at the top of this

The OS updates fix the actual problem in the vfsload(3) library
routine. Once the vfsload() library routine is fixed, the
workaround listed below is not necessary to solve this problem.
However, an additional stability problem has come to light
(ref. FreeBSD SA-96:10) so the FreeBSD project suggests
using both the setuid workaround and the solution for best results.

V. Workaround

This vulnerability can quickly and easily be limited by removing
the setuid permission bit from the mount_union and mount_msdos
program. This workaround will work for all versions of FreeBSD
affected by this problem.

As root, execute the command:

# chmod u-s /sbin/mount_union /sbin/mount_msdos

then verify that the setuid permissions of the files have been
removed. The permissions array should read "-r-xr-xr-x" as
shown here:

# ls -l /sbin/mount_union /sbin/mount_msdos
-r-xr-xr-x 1 root bin 151552 Apr 26 04:41 /sbin/mount_msdos
-r-xr-xr-x 1 root bin 53248 Apr 26 04:40 /sbin/mount_union

In addition to changing the permissions on the executable files,
if you have the source code installed, we suggest patching the
sources so that mount_union will not be installed with the
setuid bit set:

*** /usr/src/sbin/mount_union/Makefile Sun Nov 20 14:47:52 1994
--- /usr/src/sbin/mount_union/Makefile Fri May 17 10:36:09 1996
*** 8,14 ****
CFLAGS+= -I${.CURDIR}/../../sys -I${MOUNT}

- BINOWN= root
- BINMODE=4555
--- 8,11 ----
*** /usr/src/sbin/i386/mount_msdos/Makefile Sun Dec 4 00:01:24 1994
--- /usr/src/sbin/i386/mount_msdos/Makefile Fri May 17 11:31:57 1996
*** 6,14 ****
SRCS= mount_msdos.c getmntopts.c
MAN8= mount_msdos.8

- BINOWN= root
- BINMODE= 4555
MOUNT= ${.CURDIR}/../../mount
--- 6,11 ----

FreeBSD, Inc.

Web Site:
Confidential contacts: [email protected]
PGP Key:
Security notifications: [email protected]
Security public discussion: [email protected]

Notice: Any patches in this document may not apply cleanly due to
modifications caused by digital signature or mailer software.
Please reference the URL listed at the top of this document
for original copies of all patches if necessary.

Version: 2.6.2


Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.


Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »