[VulnWatch] Reality of the rpc.mountd bug

From: tb0b (tbob_at_primitive-incision.co.uk)
Date: 07/14/03

    To: <vulnwatch@vulnwatch.org>, <bugtraq@securityfocus.com>
    Date: Mon, 14 Jul 2003 22:23:11 +0100

    Yo hi,

    I was very saddened today to see the death of yet another privately
    exploited unpublished bug in the form of the off-by-one in the nfs-utils
    logging.
    However, I feel the severity of this has been overstated and that the claim
    that this can be used to execute arbitrary code is slightly exaggerated.
    Without going into too much detail I'm just gonna drop the header from my
    original exploit for this.
    BTW, this exploit has been circulating on EFnet for I would say about nine
    months now so if you want it that badly (seeing as it's almost totally
    useless) go beg the divine intervention. I'm sure he would be glad to help.

    /* mdx - x86/linux rpc.mountd remote root exploit.
     * By tb0b - January 2002
     *
     * FOR PRIVATE USE ONLY - NOT FOR PRIVATE OR PUBLIC DISTRIBUTION.
     *
     * As mountd crashes if a 900+ byte string is sent as a mount request, I do not
     * doubt for one second that this has been found and actively exploited by
     * others before now. It is not trivial to exploit, however.
     *
     * Some distributions of rpc.mountd will not segfault. This is due to the version
     * of gcc with which they are compiled. At the moment RH 7.0, 7.1 and 7.2 are
     * known to use a version of gcc which does not correctly save ebp on the stack
     * and are therefore not susceptible to off-by-ones AT ALL.
     *
     * * The vulnerability is still present in the latest source distribution. *
     *
     * LSB of frame pointer is corruptible with a single NULL byte. The area
     * pointed to by this corrupted frame pointer is zero'd memory which we can't
     * control. However, we are able to pass an arbitrary pointer to free via the
     * stack corruption and this can be used to place a pointer to shellcode in
     * the memory area referenced by the resulting esp and allows us to exploit
     * mountd with reasonable reliability.
     *
     * "Infatuated with this freedom, say the words and I could be them."
     */

    If you happen to be someone running RH 6.1/6.2 default rpc.mountd
    unfirewalled then you should probably upgrade; everyone running a Linux
    more recent than this will be unaffected, as they will be by all stack-based
    off-by-one bugs. gcc 2.95 4 life :)

    iSEC security research need to actually *do* some research before publishing
    in the future.

    -t

    ---
    http://bitterness.primitive-incision.co.uk/
               --- Dirty Hacker Style ---
    `Who said anything about cutting you up man?
     I just wanted to carve a little `z' on your forehead.'
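The bug class tb0b's exploit header describes, as an added example that is not code from the post, from the mdx exploit, or from nfs-utils: a logging routine copies a caller-supplied string into a fixed buffer and writes its terminator one byte too far, so the only out-of-bounds write is a single NUL. On x86, with the frame layouts gcc 2.95 produces, that byte lands on the least significant byte of the saved ebp, which is the corruption the header says the exploit builds on. The buffer size, the request contents and the sentinel byte below are all constructed for the example; the sentinel stands in for whatever follows the buffer in a real frame, so the effect can be observed deterministically without depending on a particular compiler's stack layout.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not from tb0b's post or nfs-utils. LOGBUF is an arbitrary
 * size chosen for the demonstration; the post reports crashes at 900+ bytes. */
#define LOGBUF 16

/* Vulnerable pattern: the length check allows len == cap, so the
 * terminator is written at dst[cap], one byte past the buffer. */
static size_t log_copy_vuln(char *dst, size_t cap, const char *src)
{
    size_t len = strlen(src);
    if (len > cap)              /* off by one: should be len >= cap */
        len = cap;
    memcpy(dst, src, len);
    dst[len] = '\0';            /* lands on the byte after the buffer when len == cap */
    return len;
}

/* Corrected pattern: one byte of the buffer is reserved for the terminator. */
static size_t log_copy_fixed(char *dst, size_t cap, const char *src)
{
    size_t len = strlen(src);
    if (len >= cap)
        len = cap - 1;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return len;
}

/* Runs one copier against a LOGBUF-byte buffer whose next byte is a known
 * sentinel (0xAA) and returns that sentinel afterwards. The region is one
 * byte larger than the buffer the copier is told about, so the observation
 * itself is well-defined C. In a real frame that byte would be the saved
 * frame pointer's low byte, which is why a NUL there redirects the frame
 * pointer to a nearby, lower, attacker-influenced address. */
static unsigned char run_request(size_t (*copier)(char *, size_t, const char *),
                                 const char *request)
{
    unsigned char region[LOGBUF + 1];
    memset(region, 0, sizeof region);
    region[LOGBUF] = 0xAA;
    copier((char *)region, LOGBUF, request);
    return region[LOGBUF];
}

/* Builds a constructed request exactly as long as the buffer (the boundary
 * case) and returns the sentinel left behind by the vulnerable copier
 * (fixed == 0) or the corrected one (fixed != 0): 0x00 means the stray NUL
 * hit the byte after the buffer, 0xAA means it was untouched. */
static unsigned char demo_sentinel(int fixed)
{
    char request[LOGBUF + 1];
    memset(request, 'A', LOGBUF);
    request[LOGBUF] = '\0';
    return run_request(fixed ? log_copy_fixed : log_copy_vuln, request);
}

int main(void)
{
    printf("vulnerable copier: byte after buffer = 0x%02x\n", demo_sentinel(0));
    printf("corrected copier:  byte after buffer = 0x%02x\n", demo_sentinel(1));
    return 0;
}
```

A request shorter than the buffer leaves both copiers looking correct, which is how this kind of bug survives ordinary testing; only the boundary-length input distinguishes them. Whether the overwritten byte is exploitable, rather than just a crash, depends on what the compiler placed after the buffer: the post's point about RH 7.x builds is exactly that a different gcc frame layout turns the same bug into a harmless write.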
    
