[12495] in bugtraq
undocumented bugs - nfsd
daemon@ATHENA.MIT.EDU (Mariusz Marcinkiewicz)
Tue Nov 9 12:34:23 1999
Message-Id: <Pine.LNX.4.20.9911091058140.12964-100000@mail.zigzag.pl>
Date: Tue, 9 Nov 1999 11:39:39 +0100
Reply-To: Mariusz Marcinkiewicz <tmogg@ZIGZAG.PL>
From: Mariusz Marcinkiewicz <tmogg@ZIGZAG.PL>
To: BUGTRAQ@SECURITYFOCUS.COM
Hi,
this is voice of lam3rZ (.pl)
-- Introduction -
After reading lcamtuf's posts I decided to write this one. A few months ago one
of my friends - digit - found a bug in the Linux nfsd daemon. I made an example
sploit around IV 1999. Now the distributions ship a new nfsd, and nowhere was there
information about the security weakness of the old version!
-- Affected -
Once again the affected distributions are RedHat 5.2 and Debian 2.1;
Slackware isn't vulnerable even though it has the *same* version of nfsd.
It's hard to say whether the bug is local or remote; please read the description.
-- Description -
Linux rpc.nfsd has a real_path bug. When a user has been trying to access a
directory with a long path, nfsd gets a SIGSEGV. There is a buffer overflow which
we can exploit to get root privileges on the server machine. I don't remember
all of the details but I'll try to write a few words ;)
The length of the path is checked if the user is trying to make a long-path directory
over nfs, but it isn't checked when he is trying to remove it. One way to exploit
this bug is creating the long-path dir locally and later rm'ing it over nfs. In some
cases the bug can be exploited remotely: if the attacker has write access to the
exported directories via ftpd.
that's all folks.
cya
--
Mariusz Marcinkiewicz | phone: +48 601 080 286 | mail: many@rast.lodz.pdi.net
System Administrator && Tech Support <tmogg@zigzag.pl> http://www.zigzag.pl
Security Advisor tmogg@hert.org http://www.hert.org [*] http://lam3rz.hack.pl
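The post describes a check applied on one code path (create) but not on its sibling (remove). The constructed C example below, which is not the nfsd source and not code from the poster, shows the defensive pattern that closes that gap: the length check lives in the shared path resolver, so every operation that builds a full path is bounded the same way. `PATH_BUF`, `resolve_path`, `handle_mkdir` and `handle_rmdir` are hypothetical names for this illustration.

```c
/* Constructed illustration (not nfsd source): centralise the path-length
 * check in the resolver so create and remove cannot diverge. */
#include <stdio.h>
#include <string.h>

#define PATH_BUF 64          /* deliberately small for the example */

enum { PATH_OK = 0, PATH_ERR_NAMETOOLONG = -1 };

/* Join root and rel into a fixed buffer. Returns PATH_OK, or
 * PATH_ERR_NAMETOOLONG without touching out[] when root + '/' + rel
 * plus the terminating NUL would not fit. */
static int resolve_path(const char *root, const char *rel, char out[PATH_BUF])
{
    size_t need = strlen(root) + 1 + strlen(rel) + 1;
    if (need > PATH_BUF)
        return PATH_ERR_NAMETOOLONG;
    /* the check above guarantees snprintf neither overruns nor truncates */
    snprintf(out, PATH_BUF, "%s/%s", root, rel);
    return PATH_OK;
}

/* Both operations go through the same guarded resolver; the asymmetry
 * in the post (checked on create, unchecked on remove) cannot occur. */
int handle_mkdir(const char *root, const char *rel)
{
    char full[PATH_BUF];
    int rc = resolve_path(root, rel, full);
    if (rc != PATH_OK) return rc;
    /* ... a real server would call mkdir(full, mode) here ... */
    return PATH_OK;
}

int handle_rmdir(const char *root, const char *rel)
{
    char full[PATH_BUF];
    int rc = resolve_path(root, rel, full);
    if (rc != PATH_OK) return rc;
    /* ... a real server would call rmdir(full) here ... */
    return PATH_OK;
}

/* Returns 1 when an over-long (constructed) name is rejected on BOTH paths. */
int long_name_rejected_on_both_paths(void)
{
    char longname[200];                       /* constructed sample input */
    memset(longname, 'a', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';
    return handle_mkdir("/export", longname) == PATH_ERR_NAMETOOLONG
        && handle_rmdir("/export", longname) == PATH_ERR_NAMETOOLONG;
}
```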