Hi, this is the voice of lam3rZ (.pl)

-- Introduction -

After reading lcamtuf's posts I decided to write this one. A few months ago one of my friends, digit, found a bug in the Linux nfsd daemon. I made an example sploit about IV 1999. Distributions now ship a new nfsd, and nowhere was there any information about the security weakness of the old version!

-- Affected -

Once again the affected distributions are RedHat 5.2 and Debian 2.1; Slackware isn't vulnerable even though it has the *same* version of nfsd. It's hard to say whether the bug is local or remote, please read the description.

-- Description -

Linux rpc.nfsd has a real_path bug. When a user tries to access a directory with a long path, nfsd gets a SIGSEGV. There is a buffer overflow which we can exploit to get root privileges on the server machine. I don't remember all of the details but I'll try to write a few words ;)

The length of the path is checked when the user tries to make a long-path directory over nfs, but it isn't checked when he tries to remove it. One way to exploit this bug is to create the long-path directory locally and later rm it over nfs. In some cases the bug can be exploited remotely: if the attacker has write access to the exported directories via ftpd.

That's all folks. cya

__
Mariusz Marcinkiewicz | phone: +48 601 080 286 | mail: manyat_private
System Administrator && Tech Support <tmoggat_private> http://www.zigzag.pl
Security Advisor tmoggat_private http://www.hert.org
[*] http://lam3rz.hack.pl
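An added illustration of the bug class the post describes (this is not code from the original post and not nfsd's real_path; the names MAXPATH, resolve_unchecked, resolve_checked, handle_op and long_component are assumptions made up for the example). A server-side path is assembled into a fixed-size buffer: the unchecked resolver is the pattern that dies with SIGSEGV on an overlong path, the checked one refuses such a path with ENAMETOOLONG, and both the create and the remove operation are routed through the same checked resolver, so a length check cannot be present on one side and missing on the other, which is the asymmetry the post points at.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Assumed buffer size for the illustration; it is not the real daemon's limit. */
#define MAXPATH 256

enum nfs_op { OP_MKDIR, OP_RMDIR };

/* Vulnerable pattern (illustration of the bug class, not nfsd's code):
 * export + "/" + rel is assembled into a caller-supplied fixed buffer with
 * no bound at all. A component longer than the buffer overruns it, which
 * is the crash the post describes. Never feed it untrusted input; main()
 * below only calls it with a short path. */
void resolve_unchecked(const char *export, const char *rel, char *out)
{
    strcpy(out, export);
    strcat(out, "/");
    strcat(out, rel);
}

/* Hardened pattern: count before copying and refuse what does not fit.
 * Refusing with -ENAMETOOLONG is deliberate; silently truncating would make
 * the daemon operate on a different object than the client named. */
int resolve_checked(const char *export, const char *rel,
                    char *out, size_t outlen)
{
    size_t need = strlen(export) + 1 + strlen(rel) + 1; /* '/' and NUL */
    if (need > outlen)
        return -ENAMETOOLONG;
    snprintf(out, outlen, "%s/%s", export, rel);
    return 0;
}

/* Single entry point for every operation that names a path. The post's bug
 * was a length check on the create side and none on the remove side; putting
 * the check in the shared resolver is what rules that asymmetry out.
 * Returns the resolved path length on success, -errno on failure. */
int handle_op(enum nfs_op op, const char *export, const char *rel)
{
    char path[MAXPATH];
    int rc = resolve_checked(export, rel, path, sizeof path);
    if (rc < 0)
        return rc;
    /* A real daemon would now call mkdir(path, mode) or rmdir(path);
     * this illustration stops once the path has been safely resolved. */
    (void)op;
    return (int)strlen(path);
}

/* Constructed sample input: one component far longer than MAXPATH, standing
 * in for the long-path directory created locally and then removed over NFS. */
const char *long_component(void)
{
    static char buf[2 * MAXPATH];
    memset(buf, 'a', sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    return buf;
}

int main(void)
{
    char path[MAXPATH];

    resolve_unchecked("/export", "home/user", path); /* short path: fine */
    printf("unchecked: %s\n", path);

    printf("mkdir short: %d\n", handle_op(OP_MKDIR, "/export", "home/user"));
    printf("rmdir long:  %d (expect %d)\n",
           handle_op(OP_RMDIR, "/export", long_component()), -ENAMETOOLONG);
    return 0;
}
```

The point to take from the checked version is that the bound is enforced once, in the resolver every operation shares, rather than per operation; a check that lives only in the handler for one request type is exactly what leaves a second request type with the same buffer unprotected.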
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:10:20 PDT