[8068] in bugtraq


Re: mountd remote exploit?

daemon@ATHENA.MIT.EDU (morex .-)
Tue Sep 29 00:32:23 1998

Date: 	Tue, 29 Sep 1998 00:11:43 -0400
Reply-To: "morex .-" <morex@NIRVANA.NET>
From: "morex .-" <morex@NIRVANA.NET>
X-To:         John Caldwell <jcald@LAKE.ML.ORG>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <Pine.LNX.3.96.980928190459.15497B-100000@dollar>

To my knowledge there are 3 different versions of the mountd remote
exploit going around. I found a bin on my shell server from a user and ran
it on an outdated box of my own and it did work. I have not seen the
source, only the bin. So I do know there is a remote exploit going
around.

morex .-
http://morex.net
http://www.worldnetworks.net

On Mon, 28 Sep 1998, John Caldwell wrote:

> This morning at about 2am, someone managed to get into my machine using
> some type of mountd exploit. I was watching at the time, so they weren't
> able to do much damage, but it looks like they were able to nfs mount my
> root drive remotely, even though it's not listed in the /etc/exports.  I
> was led to believe it was mountd by this:
>
>
> Sep 28 02:35:15 harman mountd[263]: Unauthorized access by NFS client
> xxx.xxx.xxx.xxx
> Sep 28 02:35:15 harman syslogd: Cannot glue message parts together
> Sep 28 02:35:15 harman mountd[263]: Blocked attempt of xxx.xxx.xxx.xxx to
> mount ^P
> ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
> ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
> ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
> ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
> ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
> ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
> ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
> ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
> ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
> ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
> ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
> ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
> Sep 28 02:35:15 harman
> (-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^
> E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^
> H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(
> -^E^H(-^E^H(-^E^H(-
>
>
> The guy had added a line to my /etc/passwd and inetd.conf files allowing
> for easy root access, but didn't do much other damage.  I'm not very
> familiar with mountd and I haven't heard anything about remote exploits, so
> I thought I'd post about it.
>
>
> I couldn't find a current contact for the Linux nfs package, so that's why I
> posted here first.
>
> --
>  -------------------------
> | John Caldwell
> | jcald@lake.ml.org
> | http://www.lake.ml.org/
>  -------------------------
>
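
Added example (not part of either post, and not code from the NFS package): a
small log check for the signature visible in the quoted syslog excerpt, namely a
mountd "Blocked attempt of ... to mount" record whose requested path is made of
control bytes (syslogd prints them in caret notation, e.g. ^P) or is longer
than a mount path can legitimately be. Assumptions: one syslog record per line
as in /var/log/messages, the 1024-byte limit is MNTPATHLEN from the MOUNT
protocol (RFC 1094), and the client addresses in the sample are constructed.

```python
import re

MAX_PATH = 1024  # assumption: MNTPATHLEN from the MOUNT protocol (RFC 1094)

# Message format taken from the quoted log: "Blocked attempt of <client> to mount <path>"
BLOCKED = re.compile(
    r"^(\w{3}\s+\d+ [\d:]{8}) (\S+) mountd\[\d+\]: "
    r"Blocked attempt of (\S+) to mount (.*)$", re.S)
CARET = re.compile(r"\^[@-_?]")                    # caret notation for one control byte
RAW_CTRL = re.compile(r"[\x00-\x08\x0b-\x1f\x7f]")  # control bytes logged unescaped


def suspicious_mounts(lines):
    """Return one finding per mountd record with a non-printable or oversized path."""
    findings = []
    for line in lines:
        m = BLOCKED.match(line.rstrip("\n"))
        if not m:
            continue
        ts, host, client, path = m.groups()
        carets = len(CARET.findall(path))
        ctrl = carets + len(RAW_CTRL.findall(path))
        nbytes = len(path) - carets  # each ^X pair stands for a single byte
        reasons = []
        if ctrl:  # a literal "^A" in a real path name would also match; rare in practice
            reasons.append("control bytes in path")
        if nbytes > MAX_PATH:
            reasons.append("path longer than MNTPATHLEN")
        if reasons:
            findings.append({"time": ts, "host": host, "client": client,
                             "ctrl": ctrl, "nbytes": nbytes, "reasons": reasons})
    return findings


# Constructed sample records; host name and pid follow the quoted log,
# client addresses are documentation addresses (192.0.2.0/24).
PREFIX = "Sep 28 02:35:15 harman mountd[263]: Blocked attempt of "
SAMPLE = [
    PREFIX + "192.0.2.10 to mount /etc",
    PREFIX + "192.0.2.10 to mount " + "^P" * 600,
    PREFIX + "192.0.2.11 to mount /" + "A" * 1100,
    "Sep 28 02:35:15 harman syslogd: Cannot glue message parts together",
]

if __name__ == "__main__":
    for f in suspicious_mounts(SAMPLE):
        print(f["time"], f["host"], f["client"], f["nbytes"], "; ".join(f["reasons"]))
```

An ordinary denied mount such as /etc is not reported; only records with
non-printable or oversized paths are.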
