
assist.1999-0001.mountd
Posted Sep 23, 1999
SHA-256 | 23d3ef138fe7cde5045e6f6ec83961ff488499e468e3bcd4c35a05bc86d0634b

From owner-csa@sprocket.nosc.MIL Sat Feb 27 14:42:57 1999
From: owner-csa@sprocket.nosc.MIL
To: CSA-List@sprocket.nosc.MIL
Date: Thu, 28 Jan 1999 08:00:58 -0500
Subject: IAVA 1999-0001 Mountd Remote Buffer Overflow Vulnerability

Automated Systems Security Incident Support Team (ASSIST) Advisory
1999-0001

Release date: 8 Jan 1999

TOPIC: Mountd Remote Buffer Overflow Vulnerability

PLATFORM: NFS servers running certain implementations of mountd,
primarily Linux systems. On some systems, the vulnerable NFS server
is enabled by default. This vulnerability can be exploited even if
the NFS server does not share any file systems.

IMPACT: Intruders who exploit the vulnerability are able to gain
administrative access to the vulnerable NFS file server. That is,
they can do anything the system administrator can do. This vulnerability
can be exploited remotely and does not require an account on the
target machine.

SOLUTION: Install the appropriate patch from your vendor. Alternatives
to patches are also listed in the attached bulletin.

ASSIST has/has not tested and verifies that the Internet Security System
(ISS) assessment tool checks for this vulnerability and can be used to
verify compliance with this bulletin. However, this does not imply that
other methods or tools could not be used to conduct these same tests.
There are a number of existing system administration procedures and
utilities that can be used to verify if the system is vulnerable to this
type of attack. System and network administrators must ensure that the
identified changes are implemented correctly and update configuration
management documents to reflect the appropriate changes.

=======================FORWARDED TEXT STARTS HERE============================
CERT* Advisory CA-98.12

Original issue date: October 12, 1998
Last Revised: November 9, 1998
Added vendor information for IBM Corporation and Silicon Graphics Inc.
Updated information for Data General

A complete revision history is at the end of this file.


Topic: Remotely Exploitable Buffer Overflow Vulnerability in mountd



Affected systems:

NFS servers running certain implementations of mountd, primarily Linux
systems. On some systems, the vulnerable NFS server is enabled by default.
This vulnerability can be exploited even if the NFS server does not share
any file systems.

See Appendix A for information from vendors. If your vendor's name does not
appear, we did not hear from that vendor.

Overview:

NFS is a distributed file system in which clients make use of file systems
provided by servers. There is a vulnerability in some implementations of the
software that NFS servers use to log requests to use file systems.

When a client makes a request to use a file system and subsequently makes
that file system available as a local resource, the client is said to
"mount" the file system. The vulnerability lies in the software on the NFS
server that handles requests to mount file systems. This software is usually
called "mountd" or "rpc.mountd."

Intruders who exploit the vulnerability are able to gain administrative
access to the vulnerable NFS file server. That is, they can do anything the
system administrator can do. This vulnerability can be exploited remotely
and does not require an account on the target machine.

On some vulnerable systems, the mountd software is installed and enabled by
default. See Appendix A for more information.

We will update this advisory as we receive additional information. Please
check our advisory files regularly for updates that relate to your site.


I. Description

NFS is used to share files among different computers over the network using
a client/server paradigm. When an NFS client computer wishes to access files
on an NFS server, the client must first make a request to mount the file
system. There is a vulnerability in some implementations of the software
that handles NFS mount requests (the mountd program). Specifically, it is
possible for an intruder to overflow a buffer in the area of code
responsible for logging NFS activity.
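The bug class the advisory describes, as an added illustration that is not mountd's own code: a client-supplied request path is formatted into a fixed-size log buffer. The unbounded variant is the pattern that lets an overlong path overwrite adjacent memory; the hardened variant bounds the write and reports truncation so the caller can refuse the request. Buffer size, function names and the sample host/path are constructed for the example.

```c
/* Added example, not from the advisory or any mountd release. Shows the
   logging-buffer pattern described above and a bounded replacement. */
#include <stdio.h>
#include <string.h>

#define LOGBUF 256   /* constructed size for the example */

/* UNSAFE pattern: sprintf writes as many bytes as the inputs need, so a
   path longer than the buffer runs off the end of 'line'. Shown only for
   contrast; the demo never feeds it oversized input. */
static int log_mount_unsafe(const char *host, const char *path, char *line)
{
    sprintf(line, "mount request from %s for %s", host, path);
    return 0;
}

/* SAFE pattern: snprintf never writes more than 'cap' bytes and always
   NUL-terminates. Its return value is the length the full message would
   have had, so n >= cap means the record was cut. Returns 0 when the whole
   message fit, -1 when input was too long (caller should drop the request
   rather than keep a silently truncated audit record). */
static int log_mount_safe(const char *host, const char *path,
                          char *line, size_t cap)
{
    int n = snprintf(line, cap, "mount request from %s for %s", host, path);
    if (n < 0 || (size_t)n >= cap)
        return -1;
    return 0;
}

/* Constructed inputs: one ordinary request, one with a path twice the
   buffer size. Returns 0 when the hardened logger behaves as intended. */
static int demo(void)
{
    char line[LOGBUF];
    char longpath[LOGBUF * 2];
    memset(longpath, 'A', sizeof longpath - 1);
    longpath[sizeof longpath - 1] = '\0';

    if (log_mount_safe("client.example", "/export/home", line, sizeof line) != 0)
        return 1;
    if (log_mount_safe("client.example", longpath, line, sizeof line) != -1)
        return 2;
    if (strlen(line) != LOGBUF - 1)   /* bounded and still terminated */
        return 3;
    return 0;
}

int main(void) { return demo(); }
```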

We have received reports indicating that intruders are actively using this
vulnerability to compromise systems and are engaging in large-scale scans to
locate vulnerable systems.

On some systems, the vulnerable NFS server is enabled by default. See the
vendor information in Appendix A.

II. Impact

After causing a buffer overflow, a remote intruder can use the resulting
condition to execute arbitrary code with root privileges.

III. Solution

A. Install a patch from your vendor.

Appendix A contains input from vendors who have provided information for
this advisory. We will update the appendix as we receive more information.
If you do not see your vendor's name, the CERT/CC did not hear from that
vendor. Please contact your vendor directly.

B. Until you install a patch, use the following workaround.

Consider disabling NFS until you are able to install the patch. In
particular, since some systems have vulnerable versions of mountd installed
and enabled by default, we recommend you disable mountd on those systems
unless you are actively using those systems as NFS servers.


Appendix A - Vendor Information

Below is a list of the vendors who have provided information for this
advisory. We will update this appendix as we receive additional information.
If you do not see your vendor's name, the CERT/CC did not hear from that
vendor. Please contact the vendor directly.

Berkeley Software Design, Inc. (BSDI)

BSDI systems are not vulnerable to this attack.

Caldera

Caldera provided a fixed version as nfs-server-2.2beta35-2 on Aug 28. It is
available from

ftp://ftp.caldera.com/pub/OpenLinux/updates/1.2/013

10fdb82ed8fd1b88c73fd962d8980bb4 RPMS/nfs-server-2.2beta35-2.i386.rpm
59e275b1ed6b98a39a38406f0415a226 RPMS/nfs-server-clients-2.2beta35-2.i386.rpm
6b075faf1d424e099c6932d95e76fd6b SRPMS/nfs-server-2.2beta35-2.src.rpm

Compaq Computer Corporation

SOURCE: (c) Copyright 1994, 1995, 1996, 1997, 1998 Compaq Computer
Corporation. All rights reserved.
SOURCE: Compaq Computer Corporation Compaq Services Software Security
Response Team USA x-ref: SSRT0574U mountd

This reported problem is not present in the as-shipped Compaq Digital ULTRIX
or Compaq Digital UNIX operating system software.

- Compaq Computer Corporation

Data General Corporation

DG/UX is not vulnerable to this problem.

FreeBSD, Inc.

FreeBSD 2.2.6 and above seem not to be vulnerable to this exploit.

Fujitsu Limited

Fujitsu's UXP/V operating system is not vulnerable.

Hewlett-Packard Company

Not vulnerable.

IBM Corporation

The version of rpc.mountd shipped with AIX is not vulnerable.

IBM and AIX are registered trademarks of International Business Machines
Corporation.

NCR

NCR is not vulnerable. We do not do any of the specified logging, nor do we
have mountd (or normally anything else) hanging on port 635.

The NetBSD Project

NetBSD is not vulnerable to this attack in any configuration. Neither the
NFS server nor the mount daemon is enabled by default.

The OpenBSD Project

OpenBSD is not affected.

Red Hat Software, Inc.

All versions of Red Hat Linux are vulnerable, and we have provided fixed
packages for all our users. Updated nfs-server packages are available from
our site at http://www.redhat.com/support/docs/errata.html

The Santa Cruz Operation, Inc.

No SCO platforms are vulnerable.

Silicon Graphics Inc.

Please refer to Silicon Graphics Inc. Security Advisory, "mountd Buffer
Overflow Vulnerability", Number: 19981006-01-I, distributed October 26,
1998, for additional information about this vulnerability.

Silicon Graphics provides a comprehensive customer World Wide Web site. This
site is located at http://www.sgi.com/Support/security/security.html

Sun Microsystems, Inc.

Sun's mountd is not affected.


Contributors
Our thanks to Olaf Kirch and Wolfgang Ley for their input and assistance in
constructing this advisory.



<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
ASSIST is an element of the Defense Information Systems Agency (DISA),
Global Operations and Security Center (GOSC), which provides service
to the entire DoD community. Constituents of the DoD with questions
about ASSIST or computer security issues, can contact ASSIST using one
of the methods listed below.

___________________________
ASSIST CONTACT INFORMATION:

NIPRNET E-mail: assist@assist.mil
SIPRNET E-mail: assist@assist.disa.smil.mil
Phone: (800)-357-4231 (DSN 327-4700) 24 hour hotline
Fax: (703) 607-4735 (DSN 327-4735) Unclassified

ASSIST Bulletins, tools and other security related information are
available from:
http://www.assist.mil/
http://www.assist.disa.smil.mil
ftp://ftp.assist.mil/

____
OTHER DoD CERT CONTACT INFORMATION:
Air Force CERT Phone: (800) 854-0187
Air Force CERT Email: afcert@afcert.csap.af.mil

Navy CIRT Phone: (800) 628-8893
Navy CIRT Email: navcirt@fiwc.navy.mil

Army CERT Phone: (888) 203-6332
Army CERT Email: acert@vulcan.belvoir.army.mil


Back issues of ASSIST bulletins, and other security related
information, are available through anonymous FTP from ftp.assist.mil (IP
address 199.211.123.12). Note: ftp.assist.mil will only accept anonymous
FTP connections from NIPRNET addresses that are registered with the NIC
or DNS. If your system is not registered, you must provide your
NIPRNET IP address to ASSIST before access can be provided.

ASSIST uses Pretty Good Privacy (PGP) as the digital signature
mechanism for bulletins. PGP incorporates the RSAREF(tm)
Cryptographic Toolkit under license from RSA Data Security, Inc. A
copy of that license is available via anonymous FTP from
net-dist.mit.edu (IP 18.72.0.3) in the file /pub/PGP/rsalicen.txt. In
accordance with the terms of that license, PGP may be used for
non-commercial purposes only. Instructions for downloading the PGP
software can also be obtained from net-dist.mit.edu in the
pub/PGP/README file. PGP and RSAREF may be subject to the export
control laws of the United States of America as implemented by the
United States Department of State Office of Defense Trade Controls. The
PGP signature information will be attached to the end of ASSIST bulletins.

Reference herein to any specific commercial product, process, or
service by trade name, trademark manufacturer, or otherwise, does not
constitute or imply its endorsement, recommendation, or favoring by
ASSIST. The views and opinions of authors expressed herein shall not
be used for advertising or product endorsement purposes.
