Bugtraq mailing list archives
Re: rpc.mountd vulnerabilities
From: morex () NIRVANA NET (morex .-)
Date: Tue, 29 Sep 1998 17:04:06 -0400
I was talking to someone on IRC last night, after I made my post about the mountd exploit, and they said they had an exploit that would kill inetd. I did not get the stuff, but I had him try it on 3 of my Linux systems and it did work.

morex .-
http://morex.net
http://www.worldnetworks.net

On Tue, 29 Sep 1998, tiago wrote:

Greetings. Here is a summary of the vulnerabilities I was able to find and reproduce on rpc.mountd (nfs-server-2.2beta29-5), under an x86/Linux Slackware distribution.

It is possible to overflow a dynamic variable in rpc.mountd procedure #1. This variable is 1024 bytes in length. The overflow is trivial to exploit by creating a new line in /etc/passwd, .rhosts files, etc. I was able to make a workable exploit last night in 40 minutes. The attacker may read/write/execute any file on the target machine, remotely and with root privileges. A badly created exploit which fails to get the EIP offset right will result in rpc.mountd crashing/core dumping and the service being terminated, thus resulting in a denial of service (unless rpc.mountd is running through inetd - not default).

While looking at the overflow problem, it seems I stumbled into another bug. Trying to access a procedure call between 8 and 225 seems to crash/core dump rpc.mountd, thus resulting in a denial of service.

Feel free to mail me if you desire more detailed information on this matter. I will not publicly post the exploit, nor release it to anyone, so please avoid mailing to request that. I will send the diffs of a patch in one or two days.

I did not contact the maintainer of the distribution. Would anyone please do so?

--------------------------------------------------------------------------
Tiago F. P. Rodrigues (BlindPoet)    e-mail: tiagor () solsuni pt
Tecnico de sistemas                  telef : 0931 9034875
SOLSUNI, SA
--------------------------------------------------------------------------
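As an added defensive illustration (constructed for this archive page, not code from the nfs-server package or from either poster) of the two problems tiago reports: the hardened path handler refuses a mount request that would not fit the 1024-byte buffer instead of overflowing it, and the dispatcher rejects procedure numbers outside the implemented range instead of crashing. The buffer size follows the post; the valid range 0..7 and all function names are assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Constructed example, not nfs-server's own source. The buffer size
 * matches the 1024-byte variable the post describes; the valid
 * procedure range 0..7 is an assumption for this illustration. */
#define MOUNT_PATH_MAX 1024
#define MOUNTPROC_LAST 7

/* Hardened form of the path copy the post implies was unbounded:
 * refuse any request whose path (including its terminator) does not
 * fit in dirlen bytes, instead of copying past the end of dirpath.
 * Returns 0 on success, -1 when the request is rejected. */
int mount_path_checked(const char *req_path, char *dirpath, size_t dirlen)
{
    const char *nul = memchr(req_path, '\0', dirlen);
    if (nul == NULL)                       /* no terminator within dirlen */
        return -1;
    memcpy(dirpath, req_path, (size_t)(nul - req_path) + 1);
    return 0;
}

/* Guard for the second bug: a procedure number outside the implemented
 * range gets a "procedure unavailable" reply (-1 here) rather than
 * being used to index a handler table. */
int mount_dispatch(unsigned int proc)
{
    if (proc > MOUNTPROC_LAST)
        return -1;
    return (int)proc;                      /* caller invokes handler[proc] */
}

/* Self-checks with constructed inputs: a normal export path and a
 * 2047-byte path that an unchecked copy would have overflowed with. */
int check_short_path(void)
{
    char buf[MOUNT_PATH_MAX];
    if (mount_path_checked("/export/home", buf, sizeof buf) != 0)
        return 0;
    return strcmp(buf, "/export/home") == 0;
}

int check_long_path(void)
{
    char buf[MOUNT_PATH_MAX], longpath[2048];
    memset(longpath, 'A', sizeof longpath - 1);
    longpath[sizeof longpath - 1] = '\0';
    return mount_path_checked(longpath, buf, sizeof buf) == -1;
}
```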