I was talking to someone on irc last night after I made my post about the mountd exploit and they said they had an exploit that would kill inetd. I did not get the stuff but I had him try it on 3 of my linux systems and it did work.

morex .-
http://morex.net
http://www.worldnetworks.net

On Tue, 29 Sep 1998, tiago wrote:

> Greetings.
>
> Here is a summary of the vulnerabilities I was able to find and
> reproduce on rpc.mountd (nfs-server-2.2beta29-5),
> under an x86/linux slackware distribution.
>
> It is possible to overflow a dynamic variable on rpc.mountd procedure
> #1. This variable is 1024 bytes in length.
> The overflow is trivial to exploit by creating a new line in
> /etc/passwd, .rhosts files, etc. I was able to make a
> workable exploit last night in 40 minutes. The attacker may
> read/write/execute any file on the target machine,
> remotely and with root privileges. An ill-created exploit which fails
> to get the EIP offset right will result in
> rpc.mountd crashing/core dumping and the service being terminated, thus
> resulting in a denial of service (unless
> rpc.mountd is running through inetd - not default).
>
> While looking at the overflow problem it seems I stumbled into
> another bug. Trying to access a procedure call
> between 8 and 225 seems to crash/core dump rpc.mountd, thus
> resulting in a denial of service.
>
> Feel free to mail me if you desire more detailed information on this
> matter. I will not publicly post the exploit,
> nor release it to anyone, so please avoid mailing to request that.
>
> I will send the diffs of a patch in one or two days.
> I did not contact the maintainer of the distribution. Would anyone
> please do so?
>
> --------------------------------------------------------------------------
> Tiago F. P. Rodrigues (BlindPoet)    e-mail: tiagorat_private
> Systems technician                   telef : 0931 9034875
> SOLSUNI, SA
> --------------------------------------------------------------------------
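The two defects tiago reports, an unbounded copy into a 1024-byte path buffer in procedure #1 and an unchecked procedure number that sends 8..225 into a crash, have a standard defensive shape. The C below is an added illustration written for this archive page, not code from nfs-server or from either poster; the procedure table, the handler names, NPROCS and the return codes are assumptions for the sketch.

```c
#include <stddef.h>
#include <string.h>
#define MNTPATHLEN 1024   /* size of the fixed path buffer the report describes */
#define NPROCS 8          /* assumed: only procedures 0..7 are implemented */
enum { MNT_OK = 0, MNT_ERR_PROC = 1, MNT_ERR_PATH = 2 };

/* Copy an untrusted path into a fixed buffer only if it fits together with
 * its terminating NUL. An unbounded strcpy() at this point is the overflow
 * class described for procedure #1. */
int copy_path_bounded(char *dst, size_t dstlen, const char *src)
{
    const char *nul = memchr(src, '\0', dstlen);  /* NUL within dstlen bytes? */
    if (nul == NULL)
        return MNT_ERR_PATH;                      /* longer than the buffer: reject */
    memcpy(dst, src, (size_t)(nul - src) + 1);
    return MNT_OK;
}

/* Assumed handler for procedure 1: takes a path argument from the request. */
static int proc_mnt(const char *arg)
{
    char path[MNTPATHLEN];
    return copy_path_bounded(path, sizeof path, arg);
}
static int proc_null(const char *arg) { (void)arg; return MNT_OK; }

typedef int (*proc_fn)(const char *);
/* Unimplemented slots stay NULL so they are refused rather than called. */
static const proc_fn table[NPROCS] = { proc_null, proc_mnt };

/* Dispatch: refuse procedure numbers outside the table before indexing it,
 * which is the check whose absence turns procedures 8..225 into a crash. */
int dispatch(unsigned proc, const char *arg)
{
    if (proc >= NPROCS || table[proc] == NULL)
        return MNT_ERR_PROC;
    return table[proc](arg);
}

/* Helper for exercising the bound: build a constructed path of `len` 'A'
 * characters and submit it to procedure 1. */
int mount_path_of_length(size_t len)
{
    static char buf[4096];
    if (len >= sizeof buf)
        return MNT_ERR_PATH;
    memset(buf, 'A', len);
    buf[len] = '\0';
    return dispatch(1, buf);
}
```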
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:18:12 PDT