Bugtraq mailing list archives

mountd remote exploit?

From: jcald () LAKE ML ORG (John Caldwell)
Date: Mon, 28 Sep 1998 19:11:39 -0700


This morning at about 2am, someone managed to get into my machine using
some type of mountd exploit. I was watching at the time, so they werent
able to do much damage, but it looks like they were able to nfs mount my
root drive remotely, even though its not listed in the /etc/exports.  I
was led to believe it was mountd by this:


Sep 28 02:35:15 harman mountd[263]: Unauthorized access by NFS client
xxx.xxx.xxx.xxx
Sep 28 02:35:15 harman syslogd: Cannot glue message parts together
Sep 28 02:35:15 harman mountd[263]: Blocked attempt of xxx.xxx.xxx.xxx to
mount ^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
Sep 28 02:35:15 harman
(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^
E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^
H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(
-^E^H(-^E^H(-^E^H(-


The guy had added a line to my /etc/passwd and inetd.conf files allowing
for easy root access, but didnt do much other damage.  I'm not very
familiar with mountd and I havent heard anything about remote exploits, so
i thought i'd post about it.


I couldnt find a current contact for the linux nfs package, so thats why i
posted here first.

--
 -------------------------
| John Caldwell
| jcald () lake ml org
| http://www.lake.ml.org/
 -------------------------

Current thread:

IRIX mail(1)/rmail(1M)/sendmail(1M) Security Vulnerabilities, (continued)
- - - IRIX mail(1)/rmail(1M)/sendmail(1M) Security Vulnerabilities SGI Security Coordinator (Sep 29)
    - Re: rpc.mountd vulnerabilities Olaf Kirch (Sep 30)
    - ISS Security Advisory: Snork X-Force (Sep 29)
    - Re: mountd- more info (sorry) John Caldwell (Sep 29)
    - Re: mountd- more info (sorry) Anthony C. Zboralski (Sep 30)
    - more rpc.mountd jason valentine (Sep 30)
    - Netscape Cache Exploit - source code Ken Williams (Sep 29)
    - Re: IRIX 6.2 passwordless accounts exploit? Kevin Hawkins (Sep 30)
    - Sun Security Bulletin #00176 joshua grubman (Sep 30)
    - Re: IRIX 6.2 passwordless accounts exploit? morex .- (Sep 28)
    - mountd remote exploit? John Caldwell (Sep 28)
    - Re: mountd remote exploit? morex .- (Sep 28)
    - Re: IRIX 6.2 passwordless accounts exploit? Charl Botha (Sep 29)
    - Re: IRIX 6.2 passwordless accounts exploit? Renaud Deraison (Sep 29)
    - rpc.mountd exploit Hudin Lucian (Sep 29)