
Date:    Tue, 29 Sep 1998 10:57:02 +0100
From:    tiago <tiagor@SOLSUNI.PT>
Subject: rpc.mountd vulnerabilities
To:      BUGTRAQ@NETSPACE.ORG

Greetings.

Here is a summary of the vulnerabilities I was able to find and reproduce in rpc.mountd (nfs-server-2.2beta29-5), under an x86/Linux Slackware distribution.

It is possible to overflow a dynamic variable in rpc.mountd procedure #1. This variable is 1024 bytes in length. The overflow is trivial to exploit by creating a new line in /etc/passwd, .rhosts files, etc. I was able to make a workable exploit last night in 40 minutes. The attacker may read/write/execute any file on the target machine, remotely and with root privileges. An ill-crafted exploit which fails to get the EIP offset right will result in rpc.mountd crashing/core dumping and the service being terminated, thus resulting in a denial of service (unless rpc.mountd is running through inetd, which is not the default).

While looking at the overflow problem, it seems I stumbled into another bug. Trying to access a procedure call between 8 and 225 seems to crash/core dump rpc.mountd, thus resulting in a denial of service.

Feel free to mail me if you desire more detailed information on this matter. I will not publicly post the exploit, nor release it to anyone, so please avoid mailing to request that.

I will send the diffs of a patch in one or two days. I did not contact the maintainer of the distribution. Would anyone please do so?

--------------------------------------------------------------------------
Tiago F. P. Rodrigues  (BlindPoet)      e-mail: tiagor@solsuni.pt
Systems Technician                      phone : 0931 9034875
SOLSUNI, SA
--------------------------------------------------------------------------