Bugtraq mailing list archives

Re: mountd remote exploit?

From: morex () NIRVANA NET (morex .-)
Date: Tue, 29 Sep 1998 00:11:43 -0400


To my knowledge there are 3 different versions of the mountd remote
exploit going around. I found a bin on my shell server from a user and ran
it on a outdated box of my own and it did work. I have not seen the
source.. only thing bin. So I  do know there is a remote exploit going
around.

morex .-
http://morex.net
http://www.worldnetworks.net

On Mon, 28 Sep 1998, John Caldwell wrote:

This morning at about 2am, someone managed to get into my machine using
some type of mountd exploit. I was watching at the time, so they werent
able to do much damage, but it looks like they were able to nfs mount my
root drive remotely, even though its not listed in the /etc/exports.  I
was led to believe it was mountd by this:


Sep 28 02:35:15 harman mountd[263]: Unauthorized access by NFS client
xxx.xxx.xxx.xxx
Sep 28 02:35:15 harman syslogd: Cannot glue message parts together
Sep 28 02:35:15 harman mountd[263]: Blocked attempt of xxx.xxx.xxx.xxx to
mount ^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
Sep 28 02:35:15 harman
(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^
E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^
H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(
-^E^H(-^E^H(-^E^H(-


The guy had added a line to my /etc/passwd and inetd.conf files allowing
for easy root access, but didnt do much other damage.  I'm not very
familiar with mountd and I havent heard anything about remote exploits, so
i thought i'd post about it.


I couldnt find a current contact for the linux nfs package, so thats why i
posted here first.

--
 -------------------------
| John Caldwell
| jcald () lake ml org
| http://www.lake.ml.org/
 -------------------------

Current thread:

Re: rpc.mountd vulnerabilities, (continued)
- - - Re: rpc.mountd vulnerabilities Olaf Kirch (Sep 30)
    - ISS Security Advisory: Snork X-Force (Sep 29)
    - Re: mountd- more info (sorry) John Caldwell (Sep 29)
    - Re: mountd- more info (sorry) Anthony C. Zboralski (Sep 30)
    - more rpc.mountd jason valentine (Sep 30)
    - Netscape Cache Exploit - source code Ken Williams (Sep 29)
    - Re: IRIX 6.2 passwordless accounts exploit? Kevin Hawkins (Sep 30)
    - Sun Security Bulletin #00176 joshua grubman (Sep 30)
    - Re: IRIX 6.2 passwordless accounts exploit? morex .- (Sep 28)
    - mountd remote exploit? John Caldwell (Sep 28)
    - Re: mountd remote exploit? morex .- (Sep 28)
    - Re: IRIX 6.2 passwordless accounts exploit? Charl Botha (Sep 29)
    - Re: IRIX 6.2 passwordless accounts exploit? Renaud Deraison (Sep 29)
    - rpc.mountd exploit Hudin Lucian (Sep 29)