[8081] in bugtraq


Re: rpc.mountd vulnerabilities

daemon@ATHENA.MIT.EDU (morex .-)
Tue Sep 29 18:56:13 1998

Date: 	Tue, 29 Sep 1998 17:04:06 -0400
Reply-To: "morex .-" <morex@NIRVANA.NET>
From: "morex .-" <morex@NIRVANA.NET>
X-To:         tiago <tiagor@SOLSUNI.PT>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <3610AEED.7024F8BB@solsuni.pt>

I was talking to someone on IRC last night after I made my post about the
mountd exploit and they said they had an exploit that would kill inetd.
I did not get the stuff but I had him try it on 3 of my Linux systems and
it did work.
morex .-
http://morex.net
http://www.worldnetworks.net


On Tue, 29 Sep 1998, tiago wrote:

>  Greetings.
>
>  Here is a summary of the vulnerabilities I was able to find and
> reproduce on rpc.mountd (nfs-server-2.2beta29-5), under an x86/Linux
> Slackware distribution.
>
>  It is possible to overflow a dynamic variable on rpc.mountd procedure
> #1. This variable is 1024 bytes in length. The overflow is trivial to
> exploit by creating a new line in /etc/passwd, .rhosts files, etc. I was
> able to make a workable exploit last night in 40 minutes. The attacker
> may read/write/execute any file on the target machine, remotely and with
> root privileges. An ill-created exploit which fails to get the EIP offset
> right will result in rpc.mountd crashing/core dumping and the service
> being terminated, thus resulting in a denial of service (unless
> rpc.mountd is running through inetd - not default).
>
>  While looking at the overflow problem it seems I stumbled into another
> bug. Trying to access a procedure call between 8 and 225 seems to
> crash/core dump rpc.mountd, thus resulting in a denial of service.
>
>  Feel free to mail me if you desire more detailed information on this
> matter. I will not publicly post the exploit, nor release it to anyone,
> so please avoid mailing to request that.
>
>  I will send the diffs of a patch in one or two days.
>  I did not contact the maintainer of the distribution. Would anyone
> please do so?
>
> --------------------------------------------------------------------------
> Tiago F. P. Rodrigues  (BlindPoet)      e-mail: tiagor@solsuni.pt
> Systems technician                      telef : 0931 9034875
> SOLSUNI, SA
> --------------------------------------------------------------------------
>
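The two defect classes Tiago's report describes (a client-supplied path copied into a 1024-byte variable without a length check, and a procedure number used to dispatch without a range check, so that procedures 8 and up crash the daemon) are shown below, each next to a hardened form. This is an added illustration written for this archive page; it is not code from nfs-server or from either poster. The names (`mnt_copy_path_unsafe`/`_safe`, `dispatch_unsafe`/`_safe`, `struct mnt_request`, `MOUNTPROC_COUNT`) and the eight-entry procedure table are assumptions; the `accept_stat` codes are the standard ONC RPC values from RFC 1831.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

/* Added illustration, not nfs-server code. Names and table layout are assumed. */
#define MNT_PATH_MAX    1024   /* the 1024-byte path variable the report describes */
#define MOUNTPROC_COUNT 8      /* procedures 0..7 are defined; the report saw 8..225 crash */

/* Standard ONC RPC accept_stat codes (RFC 1831). */
enum accept_stat { RPC_SUCCESS = 0, RPC_PROC_UNAVAIL = 3, RPC_GARBAGE_ARGS = 4 };

/* Hypothetical decoded request: procedure number plus the client's path string. */
struct mnt_request {
    uint32_t    proc;
    const char *path;
};

/* ---- Defect 1: client-supplied path copied into a fixed buffer ---------- */

/* Vulnerable pattern: strcpy trusts the client to send fewer than 1024 bytes.
 * A longer path overruns dst and the saved return address behind it. */
static void mnt_copy_path_unsafe(char dst[MNT_PATH_MAX], const char *src)
{
    strcpy(dst, src);
}

/* Hardened: look for the terminator within the buffer's capacity first; if it
 * is not there the argument is rejected instead of being copied. */
static enum accept_stat mnt_copy_path_safe(char dst[MNT_PATH_MAX], const char *src)
{
    const char *end = memchr(src, '\0', MNT_PATH_MAX);
    if (end == NULL)                              /* no NUL within 1024 bytes: too long */
        return RPC_GARBAGE_ARGS;
    memcpy(dst, src, (size_t)(end - src) + 1);    /* copy including the NUL */
    return RPC_SUCCESS;
}

/* ---- Defect 2: procedure number used as a table index without a check -- */

typedef enum accept_stat (*mnt_proc_fn)(const struct mnt_request *, char out[MNT_PATH_MAX]);

/* Stand-in bodies: procedure 1 (MNT) is the one that handles the path. */
static enum accept_stat proc_null(const struct mnt_request *r, char out[MNT_PATH_MAX])
{
    (void)r; (void)out;
    return RPC_SUCCESS;
}
static enum accept_stat proc_mnt(const struct mnt_request *r, char out[MNT_PATH_MAX])
{
    return mnt_copy_path_safe(out, r->path);
}

static const mnt_proc_fn proc_table[MOUNTPROC_COUNT] = {
    proc_null, proc_mnt, proc_null, proc_null, proc_null, proc_null, proc_null, proc_null
};

/* Vulnerable pattern: index straight into the table; proc >= 8 reads past
 * its end and calls through whatever happens to be stored there. */
static enum accept_stat dispatch_unsafe(const struct mnt_request *r, char out[MNT_PATH_MAX])
{
    return proc_table[r->proc](r, out);
}

/* Hardened: answer out-of-range or unimplemented procedures with PROC_UNAVAIL,
 * the reply a conforming RPC server owes the client anyway. */
static enum accept_stat dispatch_safe(const struct mnt_request *r, char out[MNT_PATH_MAX])
{
    if (r->proc >= MOUNTPROC_COUNT || proc_table[r->proc] == NULL)
        return RPC_PROC_UNAVAIL;
    return proc_table[r->proc](r, out);
}

/* Exercise the hardened path with a constructed path of `len` 'A' bytes
 * (len < 4096). Returns 1 if it is rejected without touching out[]. */
static int long_path_is_rejected(size_t len)
{
    static char big[4096];
    char out[MNT_PATH_MAX] = "untouched";
    struct mnt_request r = { 1, big };
    if (len >= sizeof big) return 0;
    memset(big, 'A', len);
    big[len] = '\0';
    return dispatch_safe(&r, out) == RPC_GARBAGE_ARGS && strcmp(out, "untouched") == 0;
}

int main(void)
{
    char out[MNT_PATH_MAX];
    struct mnt_request ok  = { 1, "/export/home" };   /* constructed sample request */
    struct mnt_request bad = { 200, "/" };            /* inside the 8..225 range from the report */

    printf("MNT /export/home -> %d (%s)\n", dispatch_safe(&ok, out), out);
    printf("proc 200         -> %d (PROC_UNAVAIL)\n", dispatch_safe(&bad, out));
    printf("1500-byte path rejected: %s\n", long_path_is_rejected(1500) ? "yes" : "no");
    /* The unsafe versions are kept for comparison only; in-range, short input
     * is the only input they can take without undefined behaviour. */
    mnt_copy_path_unsafe(out, ok.path);
    return dispatch_unsafe(&ok, out) == RPC_SUCCESS ? 0 : 1;
}
```

The boundary worth noting is the 1023/1024 case: a path of exactly 1023 bytes plus its terminator fits and is copied, while 1024 bytes leaves no room for the NUL and is rejected before any byte is written, which is why the check is done with `memchr` over the buffer's capacity rather than with `strlen` on the untrusted string.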
