[12556] in bugtraq


Re: rpc.nfsd exploit code

daemon@ATHENA.MIT.EDU (Crispin Cowan)
Fri Nov 12 15:08:01 1999

Message-Id:  <382B40EE.A0DEC6C0@cse.ogi.edu>
Date:         Thu, 11 Nov 1999 22:19:27 +0000
Reply-To: crispin@CSE.OGI.EDU
From: Crispin Cowan <crispin@CSE.OGI.EDU>
X-To:         Mariusz Marcinkiewicz <tmogg@ZIGZAG.PL>
To: BUGTRAQ@SECURITYFOCUS.COM

Mariusz Marcinkiewicz wrote:

> hi,
> patch was published so i can send you exploit code

We were unable to get this sploit to actually produce a root shell on an
unprotected nfsd.  However, we were able to get it to produce a StackGuard
intrusion alert when we used it to attack the StackGuarded nfsd.  Here's the
intrusion alert StackGuard dropped into syslog:

Nov 11 13:03:42 kryten rpc.nfsd[330]: Immunix type 1 Canary[0] = aff0d died with cadaver fff60661 in procedure fh_compose.

Here's the StackGuarded nfsd:
http://immunix.org/StackGuard/RH52/RPMS/nfs-server-2.2beta37-1_SG12.i386.rpm

Crispin
-----
Crispin Cowan, CTO, WireX Communications, Inc.    http://wirex.com
Free Hardened Linux Distribution:                 http://immunix.org
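
Added example, not part of the original message and not StackGuard or Immunix code: a small Python detector that pulls StackGuard canary alerts like the one quoted above out of syslog text, including records that were line-wrapped in transit. The pattern is inferred from that single quoted alert (an assumption), the function names are hypothetical, and the sample input is constructed.

```python
import re

# Pattern inferred from the one alert quoted in the message above; other
# StackGuard builds may format the line differently (assumption).
ALERT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<proc>[^\s\[]+)\[(?P<pid>\d+)\]: Immunix type (?P<type>\d+) "
    r"Canary\[(?P<index>\d+)\] = (?P<canary>[0-9a-f]+) died with "
    r"cadaver (?P<cadaver>[0-9a-f]+) in procedure (?P<procedure>\w+)\.?$"
)
# A new syslog record starts with a "Mon DD HH:MM:SS " timestamp.
SYSLOG_START = re.compile(r"^\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} ")

def unwrap(lines):
    # Rejoin records that a mail client or pager wrapped across lines:
    # any line without a leading timestamp continues the previous record.
    record = None
    for line in lines:
        line = line.strip()
        if not line:
            continue
        if SYSLOG_START.match(line):
            if record is not None:
                yield record
            record = line
        elif record is not None:
            record += " " + line
    if record is not None:
        yield record

def find_canary_alerts(lines):
    # Return one dict per canary alert; non-matching records are skipped.
    alerts = []
    for record in unwrap(lines):
        m = ALERT_RE.match(record)
        if m:
            alert = m.groupdict()
            alert["pid"] = int(alert["pid"])
            alert["index"] = int(alert["index"])
            alerts.append(alert)
    return alerts

# Constructed sample: the alert from the message, wrapped as it was posted,
# between two made-up unrelated syslog lines.
SAMPLE = """\
Nov 11 13:03:40 kryten rpc.mountd[325]: constructed unrelated line
Nov 11 13:03:42 kryten rpc.nfsd[330]: Immunix type 1 Canary[0] = aff0d died with
cadaver fff60661 in procedure
fh_compose.
Nov 11 13:03:43 kryten syslogd: constructed unrelated line
""".splitlines()
```

Each returned record names the daemon, PID and procedure whose canary was overwritten, which is the detail needed to tie an alert back to a specific overflow attempt.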
