Title: Remotely Exploitable Buffer Overflow Vulnerability in mountd
Released by: CERT
Date: 12th October 1998
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

==========================================================================
CERT* Advisory CA-98.12
Original issue date: October 12, 1998
Last Revised:  November 9, 1998

   Added vendor information for IBM Corporation and Silicon Graphics Inc.
   Updated information for Data General

   A complete revision history is at the end of this file.

Topic: Remotely Exploitable Buffer Overflow Vulnerability in mountd
- ------------------------------------------------------------------------

Affected systems:

NFS servers running certain implementations of mountd, primarily Linux
systems. On some systems, the vulnerable NFS server is enabled by default.
This vulnerability can be exploited even if the NFS server does not share
any file systems.

See Appendix A for information from vendors. If your vendor's name does not
appear, we did not hear from that vendor.

Overview:

NFS is a distributed file system in which clients make use of file systems
provided by servers. There is a vulnerability in some implementations of
the software that NFS servers use to log requests to use file systems.

When a client makes a request to use a file system and subsequently makes
that file system available as a local resource, the client is said to
"mount" the file system. The vulnerability lies in the software on the NFS
server that handles requests to mount file systems. This software is
usually called "mountd" or "rpc.mountd."

Intruders who exploit the vulnerability are able to gain administrative
access to the vulnerable NFS file server. That is, they can do anything the
system administrator can do. This vulnerability can be exploited remotely
and does not require an account on the target machine.

On some vulnerable systems, the mountd software is installed and enabled by
default. See Appendix A for more information.

We will update this advisory as we receive additional information. Please
check our advisory files regularly for updates that relate to your site.

- ------------------------------------------------------------------------
I. Description

NFS is used to share files among different computers over the network using
a client/server paradigm. When an NFS client computer wishes to access
files on an NFS server, the client must first make a request to mount the
file system. There is a vulnerability in some implementations of the
software that handles NFS mount requests (the mountd program).
Specifically, it is possible for an intruder to overflow a buffer in the
area of code responsible for logging NFS activity.

We have received reports indicating that intruders are actively using this
vulnerability to compromise systems and are engaging in large-scale scans
to locate vulnerable systems.

On some systems, the vulnerable NFS server is enabled by default. See the
vendor information in Appendix A.
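The bug class described above, as an added illustration that is not the nfs-server source CERT refers to: a mountd-style log routine that formats a client-controlled mount path into a fixed-size stack buffer, beside a bounded version. The buffer size, the message text and the use of MNTPATHLEN (the 1024-byte maximum mount path length defined in RFC 1094) are assumptions made for this example; the only thing taken from the advisory is the pattern, logging code that trusts the length of a string arriving in the mount request.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Illustrative reconstruction for this advisory, not the nfs-server source.
 * Sizes are assumptions chosen to make the mismatch visible: the log line
 * buffer is far smaller than the longest path the protocol allows. */
#define LOG_BUF_LEN 256
#define MNTPATHLEN  1024  /* RFC 1094: maximum length of a mount path argument */

/* VULNERABLE PATTERN: an unbounded sprintf of a client-controlled %s into a
 * fixed stack buffer. A path a few hundred bytes long overwrites 'line' and
 * whatever sits beyond it on the stack; that is the class of defect the
 * advisory describes in mountd's logging code. Kept only for contrast and
 * never called on untrusted input. */
int log_mount_unsafe(const char *client, const char *path)
{
    char line[LOG_BUF_LEN];
    sprintf(line, "mount request from %s for %s", client, path); /* no bound */
    return (int)strlen(line);
}

/* HARDENED FORM: validate the request against the protocol's own limit and
 * format with snprintf so the output can never exceed the buffer.
 * Returns the number of bytes written to 'out' (not counting the NUL), or
 * -1 when an argument is missing or the path is longer than the protocol
 * permits (a malformed request that should be logged as such and dropped). */
int log_mount_safe(const char *client, const char *path, char *out, size_t outlen)
{
    if (client == NULL || path == NULL || out == NULL || outlen == 0)
        return -1;
    if (strlen(path) > MNTPATHLEN)          /* protocol-level bound first */
        return -1;

    int n = snprintf(out, outlen, "mount request from %s for %s", client, path);
    if (n < 0)
        return -1;
    /* snprintf returns the length it wanted, not what it wrote; if that is
     * >= outlen the text was truncated (safely) and outlen-1 bytes remain. */
    if ((size_t)n >= outlen)
        return (int)(outlen - 1);
    return n;
}

/* Constructed test input: a path of 'len' bytes of 'A', the shape a scanner
 * for this bug would send (filler only, not an exploit payload). 'buf' must
 * hold len + 1 bytes. */
size_t fill_long_path(char *buf, size_t len)
{
    memset(buf, 'A', len);
    buf[len] = '\0';
    return len;
}

int main(void)
{
    char path[MNTPATHLEN + 512];
    char out[LOG_BUF_LEN];

    fill_long_path(path, 1500);
    printf("over-long path rejected: %d\n",
           log_mount_safe("10.0.0.5", path, out, sizeof out));

    fill_long_path(path, 600);
    printf("truncated: %d bytes logged\n",
           log_mount_safe("10.0.0.5", path, out, sizeof out));

    printf("%d: %s\n",
           log_mount_safe("10.0.0.5", "/export/home", out, sizeof out), out);
    return 0;
}
```

Two points the contrast is meant to make. First, the fix is not only "use snprintf": the daemon knows the protocol's maximum path length, so an over-long path is a malformed request and should be rejected before any formatting, which also denies the attacker the truncated-but-accepted case. Second, the same unbounded sprintf compiled today with glibc's `_FORTIFY_SOURCE` would abort at run time instead of silently overwriting the stack; that turns the root compromise the advisory describes into a crash of mountd, which is still a remote denial of service of the NFS server.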



II. Impact

After causing a buffer overflow, a remote intruder can use the resulting
condition to execute arbitrary code with root privileges.

III. Solution

A. Install a patch from your vendor.

Appendix A contains input from vendors who have provided information for
this advisory. We will update the appendix as we receive more information.
If you do not see your vendor's name, the CERT/CC did not hear from that
vendor. Please contact your vendor directly.

B. Until you install a patch, use the following workaround.

Consider disabling NFS until you are able to install the patch. In
particular, since some systems have vulnerable versions of mountd installed
and enabled by default, we recommend you disable mountd on those systems
unless you are actively using those systems as NFS servers.

- ------------------------------------------------------------------------



Appendix A - Vendor Information

Below is a list of the vendors who have provided information for this
advisory. We will update this appendix as we receive additional
information. If you do not see your vendor's name, the CERT/CC did not
hear from that vendor. Please contact the vendor directly.

Berkeley Software Design, Inc. (BSDI)
=====================================

BSDI systems are not vulnerable to this attack.

Caldera
=======

Caldera provided a fixed version as nfs-server-2.2beta35-2 on Aug 28. It is
available from

http://ftp.caldera.com/pub/OpenLinux/updates/1.2/013

10fdb82ed8fd1b88c73fd962d8980bb4 RPMS/nfs-server-2.2beta35-2.i386.rpm
59e275b1ed6b98a39a38406f0415a226 RPMS/nfs-server-clients-2.2beta35-2.i386.rpm
6b075faf1d424e099c6932d95e76fd6b SRPMS/nfs-server-2.2beta35-2.src.rpm

Compaq Computer Corporation
===========================

SOURCE: (c) Copyright 1994, 1995, 1996, 1997, 1998 Compaq Computer
Corporation. All rights reserved.
SOURCE: Compaq Computer Corporation Compaq Services Software Security
Response Team USA
x-ref: SSRT0574U mountd

This reported problem is not present in the as-shipped Compaq's Digital
ULTRIX or Compaq's Digital UNIX Operating Systems Software.

- - Compaq Computer Corporation

Data General Corporation
========================

DG/UX is not vulnerable to this problem.

FreeBSD, Inc.
=============

FreeBSD 2.2.6 and above seem not to be vulnerable to this exploit.

Fujitsu Limited
===============

Fujitsu's UXP/V operating system is not vulnerable.

Hewlett-Packard Company
=======================

Not vulnerable.

IBM Corporation
===============

The version of rpc.mountd shipped with AIX is not vulnerable.

IBM and AIX are registered trademarks of International Business Machines
Corporation.

NCR
===

NCR is not vulnerable. We do not do any of the specified logging, nor do we
have mountd (or normally anything else) hanging on port 635.

The NetBSD Project
==================

NetBSD is not vulnerable to this attack in any configuration. Neither the
NFS server nor the mount daemon is enabled by default.

The OpenBSD Project
===================

OpenBSD is not affected.

Red Hat Software, Inc.
======================

All versions of Red Hat Linux are vulnerable, and we have provided fixed
packages for all our users. Updated nfs-server packages are available from
our site at http://www.redhat.com/support/docs/errata.html

The Santa Cruz Operation, Inc.
==============================

No SCO platforms are vulnerable.

Silicon Graphics Inc.
=====================

Please refer to Silicon Graphics Inc. Security Advisory, "mountd Buffer
Overflow Vulnerability", Number: 19981006-01-I, distributed October 26, 1998
for additional information about this vulnerability.

Silicon Graphics provides a comprehensive customer World Wide Web site.
This site is located at http://www.sgi.com/Support/security/security.html.

Sun Microsystems, Inc.
======================

Sun's mountd is not affected.

- ------------------------------------------------------------------------

Contributors

Our thanks to Olaf Kirch and Wolfgang Ley for their input and assistance in
constructing this advisory.

- ------------------------------------------------------------------------

If you believe that your system has been compromised, contact the CERT
Coordination Center or your representative in the Forum of Incident
Response and Security Teams (see http://www.first.org/team-info/).

CERT/CC Contact Information
- ---------------------------
Email cert@cert.org

Phone +1 412-268-7090 (24-hour hotline)

CERT personnel answer 8:30-5:00 p.m. EST(GMT-5) / EDT(GMT-4) and are on
call for emergencies during other hours.

Fax +1 412-268-6989

Postal address:

CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
USA

Using encryption

   We strongly urge you to encrypt sensitive information sent by email. We can
   support a shared DES key or PGP. Contact the CERT/CC for more information.

   Location of CERT PGP key

        http://ftp.cert.org/pub/CERT_PGP.key

Getting security information

   CERT publications and other security information are available from

        http://www.cert.org/
        http://ftp.cert.org/pub/

   To be added to our mailing list for advisories and bulletins, send email to

        cert-advisory-request@cert.org

   In the subject line, type

        SUBSCRIBE your-email-address

- -----------------------------------------------------------------------
Copyright 1998 Carnegie Mellon University. Conditions for use, disclaimers,
and sponsorship information can be found in
http://www.cert.org/legal_stuff.html and
http://ftp.cert.org/pub/legal_stuff. If you do not have FTP or web access,
send mail to cert@cert.org with "copyright" in the subject line.

* CERT is registered in the U.S. Patent and Trademark Office

NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie Mellon
University makes no warranties of any kind, either expressed or implied as
to any matter including, but not limited to, warranty of fitness for a
particular purpose or merchantability, exclusivity or results obtained from
use of the material. Carnegie Mellon University does not make any warranty
of any kind with respect to freedom from patent, trademark, or copyright
infringement.

- ------------------------------------------------------------------------

This file is at: http://ftp.cert.org/pub/cert_advisories/CA-98.12.mountd

Also posted on the USENET newsgroup comp.security.announce

- ------------------------------------------------------------------------

Revision History
Nov.  9, 1998  Added vendor information for IBM and SGI
               Updated information for Data General

Oct. 21, 1998  Added vendor information for Berkeley Software Design, Inc.

-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv

iQA/AwUBOBTBv1r9kb5qlZHQEQL1jQCcCGvubcFE6mGZIAJ7IhPCUduWQAYAoIWz
h1FBjmhRqbpivru47dCWgcdy
=Kna1
-----END PGP SIGNATURE-----







