[VulnWatch] Reality of the rpc.mountd bug

From: tb0b (tbob@primitive-incision.co.uk)
Date: Mon Jul 14 2003 - 14:23:11 PDT

Next message: bugzillaat_private: "[Full-Disclosure] [RHSA-2003:162-01] Updated Mozilla packages fix security vulnerability"

Previous message: Mascot: "Re: StarSiege: Tribes DoS"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Yo hi,

I was very saddened today to see the death of yet another privately
exploited unpublished bug in the form of the off-by-one in the nfs-utils
logging.
However, I feel the severity of this has been overstated and that the claim
that this can be used to execute abitrary code is slightly exaggerated.
Without going into too much detail I'm just gonna drop the header from my
original exploit for this.
BTW, this exploit has been circluating on EFnet for I would say about nine
months now so if you want it that badly (seen as it's almost totally
useless) go beg the divine intervention. I'm sure he would be glad to help.

/* mdx - x86/linux rpc.mountd remote root exploit.
 * By tb0b - January 2002
 *
 * FOR PRIVATE USE ONLY - NOT FOR PRIVATE OR PUBLIC DISTRIBUTION.
 *
 * As mountd crashes if a 900+ byte string is sent as a mount request, I do
not
 * doubt for one second that this has been found and actively exploited by
 * others before now. It is not trivial to exploit, however.
 *
 * Some distributions of rpc.mountd will not segfault. This is due to the
version
 * of gcc with which they are compiled. At the moment RH 7.0, 7.1 and 7.2
are
 * known to use a version of gcc which does not correctly save ebp on the
stack
 * and are therefore not supceptable to off-by-ones AT ALL.
 *
 * * The vulnerability is still present in the latest source distribution. *
 *
 * LSB of frame pointer is corruptable with a single NULL byte. The area
 * pointed to by this corrupted frame pointer is zero'd memory which we
can't
 * control. However, we are able to pass an arbitary ponter to free via the
 * stack corruption and this can be used to place a pointer to shellcode in
 * the memory area referenced by the resulting esp and allows us to exploit
 * mountd with reasonable reliability.
 *
 * "Infatuated with this freedom, say the words and I could be them."
 */

If you happen to be someone running RH 6.1/6.2 default rpc.mountd
unfirewalled then you should probably upgrade, everyone running an linux
more recent than this will be unaffected, as they will be by all stack-based
off-by-one bugs. gcc 2.95 4 life :)

iSEC security research need to actually *do* some research before publishing
in the future.

-t

---
http://bitterness.primitive-incision.co.uk/

           --- Dirty Hacker Style ---

`Who said anything about cutting you up man?
 I just wanted to carve a little `z' on your forehead.'

Next message: bugzillaat_private: "[Full-Disclosure] [RHSA-2003:162-01] Updated Mozilla packages fix security vulnerability"
Previous message: Mascot: "Re: StarSiege: Tribes DoS"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Mon Jul 14 2003 - 14:56:08 PDT