undocumented bugs - nfsd
Mariusz Marcinkiewicz (tmogg ZIGZAG.PL)
Tue, 9 Nov 1999 11:39:39 +0100
Hi,
this is voice of lam3rZ (.pl)
-- Introduction -
After reading lcamtuf's posts I decided to write this one. A few months ago
one of my friends - digit - found a bug in the linux nfsd daemon. I made an
example sploit about IV 1999. Now there is a new nfsd in distributions and
nowhere was there information about the security weakness of the old version!
-- Affected -
Once more the affected distributions are RedHat 5.2 and Debian 2.1;
Slackware isn't vulnerable even though there is the *same* version of nfsd.
It's hard to say whether the bug is local or remote, read the description please.
-- Description -
Linux rpc.nfsd has a real_path bug. When a user tried to access a
directory with a long path, nfsd got SIGSEGV. There was a buffer overflow which
we can exploit to get root privileges on the server machine. I don't remember
all of the details but I'll try to write a few words ;)
The length of the path is checked if the user is trying to make a
long-path directory by nfs but isn't checked when he is trying to remove it.
One way to exploit this bug is creating a long-path dir locally and later rm
it by nfs. In some cases the bug can be exploited remotely: if the attacker
has write access to exported directories by ftpd.
that's all folks.
cya
__
Mariusz Marcinkiewicz | phone: +48 601 080 286 | mail: many rast.lodz.pdi.net
System Administrator && Tech Support <tmogg zigzag.pl> http://www.zigzag.pl
Security Advisor tmogg hert.org http://www.hert.org [*] http://lam3rz.hack.pl
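
The failure described in the message is a length check applied to the create operation but not to the remove operation. The following is an added example, not part of the original post and not code from nfsd: it shows one shared, bounded path-building routine used by both operations. The buffer size `PATH_BUF` and the names `build_path`, `handle_mkdir` and `handle_rmdir` are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define PATH_BUF 1024  /* assumed size of the server's fixed path buffer */

/* Join dir and name into dst. Returns 0, or -ENAMETOOLONG if the result
 * (including the terminating NUL) does not fit; no truncated path is used. */
static int build_path(char *dst, size_t dstsz, const char *dir, const char *name)
{
    int n = snprintf(dst, dstsz, "%s/%s", dir, name);
    if (n < 0 || (size_t)n >= dstsz) {
        if (dstsz > 0)
            dst[0] = '\0';
        return -ENAMETOOLONG;
    }
    return 0;
}

/* Hypothetical handlers. Both resolve the path through build_path(), so a
 * name the create operation refuses is refused by the remove operation too. */
int handle_mkdir(const char *dir, const char *name)
{
    char path[PATH_BUF];
    int rc = build_path(path, sizeof path, dir, name);
    if (rc != 0)
        return rc;
    return 0; /* a real server would call mkdir(path, mode) here */
}

int handle_rmdir(const char *dir, const char *name)
{
    char path[PATH_BUF];
    int rc = build_path(path, sizeof path, dir, name);
    if (rc != 0)
        return rc;
    return 0; /* a real server would call rmdir(path) here */
}

int main(void)
{
    char name[4096]; /* constructed over-long name */
    memset(name, 'A', sizeof name - 1);
    name[sizeof name - 1] = '\0';
    printf("mkdir: %d, rmdir: %d\n",
           handle_mkdir("/export", name), handle_rmdir("/export", name));
    return 0;
}
```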