Date: Tue, 29 Sep 1998 10:57:02 +0100
From: tiago <[email protected]>
To: [email protected]
Subject: rpc.mountd vulnerabilities
Greetings.
Here is a summary of the vulnerabilities I was able to find and
reproduce in rpc.mountd (nfs-server-2.2beta29-5),
under an x86/Linux Slackware distribution.
It is possible to overflow a dynamic variable in rpc.mountd procedure
#1. This variable is 1024 bytes in length.
The overflow is trivial to exploit by creating a new line in
/etc/passwd, .rhosts files, etc. I was able to make a
workable exploit last night in 40 minutes. The attacker may
read/write/execute any file on the target machine,
remotely and with root privileges. An ill-created exploit which fails
to get the EIP offset right will result in
rpc.mountd crashing/core dumping and the service being terminated, thus
resulting in a denial of service (unless
rpc.mountd is running through inetd, which is not the default).
While looking at the overflow problem, it seems I stumbled into
another bug. Trying to access a procedure call
between 8 and 225 seems to crash/core dump rpc.mountd, thus
resulting in a denial of service.
Feel free to mail me if you desire more detailed information on this
matter. I will not publicly post the exploit,
nor release it to anyone, so please avoid mailing to request that.
I will send the diffs of a patch in one or two days.
I did not contact the maintainer of the distribution. Would anyone
please do so?
--------------------------------------------------------------------------
Tiago F. P. Rodrigues (BlindPoet) e-mail: [email protected]
Systems technician tel.: 0931 9034875
SOLSUNI, SA
--------------------------------------------------------------------------
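As an added example (constructed for this page; it is neither the reporter's exploit, which was withheld, nor the nfs-server source): a mountd-style MNT handler in C showing the bug class described above next to a bounded version, plus a procedure-number check for the second problem. The request layout (a single XDR string argument), the eight-entry procedure table, the hypothetical cause of the crash on unimplemented procedures and all helper names are assumptions; MNTPATHLEN = 1024 is the mount protocol's own dirpath limit (RFC 1094), and the status codes are RPC accept_stat values (RFC 1057).

```c
#include <stdint.h>
#include <string.h>

/* Constructed mountd-style handler: the unchecked copy the report describes,
 * a bounded replacement, and a procedure-number check.  Not nfs-server code. */

#define MNTPATHLEN   1024 /* dirpath limit in the mount protocol (RFC 1094) */
#define MOUNT_NPROCS 8    /* assumption: procedure numbers 0..7 are defined */

enum { RPC_SUCCESS = 0, RPC_PROC_UNAVAIL = 3, RPC_GARBAGE_ARGS = 4 }; /* RFC 1057 */

static uint32_t xdr_u32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Decode one XDR string (big-endian length, bytes, pad to 4) into out.
 * Returns bytes consumed, or 0 if the declared length runs past the received
 * message (over-read) or would not fit in out (overflow). */
static size_t xdr_get_string(const uint8_t *msg, size_t msg_len, char *out, size_t out_len)
{
    if (msg_len < 4)
        return 0;
    uint32_t n = xdr_u32(msg);
    size_t padded = ((size_t)n + 3) & ~(size_t)3;
    if (n >= out_len || padded > msg_len - 4)
        return 0;
    memcpy(out, msg + 4, n);
    out[n] = '\0';
    return 4 + padded;
}

/* MNT as the report describes it: a fixed 1024-byte stack buffer filled using
 * a client-chosen length.  A dirpath of 1024 bytes or more writes past the end
 * of path.  Shown for contrast only; nothing here calls it with a long path. */
int proc_mnt_unchecked(const uint8_t *msg)
{
    char path[MNTPATHLEN];
    uint32_t n = xdr_u32(msg);
    memcpy(path, msg + 4, n);
    path[n] = '\0';
    return RPC_SUCCESS;
}

typedef int (*mount_proc_fn)(const uint8_t *msg, size_t msg_len);

static int proc_null(const uint8_t *msg, size_t msg_len)
{
    (void)msg; (void)msg_len;
    return RPC_SUCCESS;
}

/* Bounded MNT: the length is validated before anything is copied. */
static int proc_mnt(const uint8_t *msg, size_t msg_len)
{
    char path[MNTPATHLEN + 1];
    if (xdr_get_string(msg, msg_len, path, sizeof path) == 0)
        return RPC_GARBAGE_ARGS;
    return RPC_SUCCESS; /* export lookup would follow here */
}

/* Only NULL (0) and MNT (1) are implemented; the other slots stay NULL. */
static const mount_proc_fn mount_procs[MOUNT_NPROCS] = { proc_null, proc_mnt };

/* Refuse procedure numbers outside the table and empty slots inside it, so an
 * unimplemented procedure gets PROC_UNAVAIL instead of an unguarded call. */
int mount_dispatch(uint32_t proc, const uint8_t *msg, size_t msg_len)
{
    if (proc >= MOUNT_NPROCS || mount_procs[proc] == NULL)
        return RPC_PROC_UNAVAIL;
    return mount_procs[proc](msg, msg_len);
}

/* Build a MNT request body with a path_len-byte dirpath of 'A's (constructed
 * input).  Returns the encoded size, or 0 if it does not fit in buf. */
static size_t build_mnt_request(uint8_t *buf, size_t buf_len, size_t path_len)
{
    size_t padded = (path_len + 3) & ~(size_t)3;
    if (buf_len < 4 + padded)
        return 0;
    buf[0] = (uint8_t)(path_len >> 24); buf[1] = (uint8_t)(path_len >> 16);
    buf[2] = (uint8_t)(path_len >> 8);  buf[3] = (uint8_t)path_len;
    memset(buf + 4, 0, padded);
    memset(buf + 4, 'A', path_len);
    return 4 + padded;
}

/* Deliver a constructed request to procedure proc.  A nonzero truncate_to
 * delivers only that many bytes, modelling a message shorter than its length
 * field claims.  Returns the RPC status. */
int mount_try(uint32_t proc, size_t path_len, size_t truncate_to)
{
    static uint8_t req[8192];
    size_t n = build_mnt_request(req, sizeof req, path_len);
    if (n == 0)
        return RPC_GARBAGE_ARGS;
    return mount_dispatch(proc, req, truncate_to && truncate_to < n ? truncate_to : n);
}
```

mount_try(1, 1024, 0) is accepted, mount_try(1, 1025, 0) and mount_try(1, 2000, 0) return GARBAGE_ARGS, mount_try(1, 512, 100) (length field larger than the bytes actually received) is also rejected, and any procedure number from 2 upward, including 100, returns PROC_UNAVAIL. The two checks in xdr_get_string are independent: the comparison against out_len is what stops the stack overflow, the comparison against msg_len is what stops a read past the end of the request.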