[olug] remote root heads up on Redhat

Chris Garrity m0ntar3 at home.com
Wed Sep 27 05:27:32 UTC 2000


	I ran an evil looking thing called statdx.c, that was posted on Bugtraq, against
Redhat 6.2 running default rpc.statd on my home network. I ran it on OBSD-2.7
against my RH 6.2 and it crashed rpc.statd every time (SIGSEGV). The "trick" is
to supply the correct buffer address that vsnprintf (inside rpc.statd) is using.
"statdx.c" has an IA32 machine code shell that comes along with it. And with a
proper buffer address, statdx does a memcpy, and says:

	"OMG! You now have rpc.statd technique!@#$!\n"

	The source for the program gives instructions on finding the proper buffer
address using ltrace, and comes with default settings known to work on RH6.0,
RH6.1, and RH6.2.

	The nature of the exploit is missing format strings within function calls---the
printf family (but I'm a little over my head at this point). Seems that using
functions with format strings, without the format string, allows for Blackhat
programming, i.e. has the (conventionally) undesirable effect of allowing users
to manipulate return address pointers and buffer contents.

	If a programmer makes an error and writes printf(str) instead of
printf("%s",str), this allows for such nastiness as writing shellcode to where
the return address of the function call points.

	So, there are a lot of nasty (and nice) people out there grep'ing source trees
for such mistakes. If you see entries in your syslogs like:

	"%x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x"

	and like garbage, you may want to be "remotely" concerned.

P.S. I don't have rpc.statd technique, but I'm working on it :D
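The two points in the post above, the printf("%s", str) fix and the "%x %x %x ..." pattern to watch for in syslog, as an added example (not from the post or from statdx). The function names, the threshold of 4 conversions, and the sample syslog lines are all constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Hardened form of the idiom the post describes: the caller's string is an
 * argument to a fixed format, so "%x" or "%n" in it is copied literally.
 * (The unsafe form, snprintf(out, n, msg), is intentionally not written.) */
char *format_log_entry(char *out, size_t n, const char *msg)
{
    snprintf(out, n, "rpc.statd: %s", msg);
    return out;
}
/* Returns 1 when the hardened formatter leaves "%x %x" uninterpreted. */
int safe_form_keeps_literal(void)
{
    char buf[64];
    return strcmp(format_log_entry(buf, sizeof buf, "%x %x"),
                  "rpc.statd: %x %x") == 0;
}
/* Count printf-style conversions in s; "%%" is a literal percent, not one. */
int count_conversions(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        n++;
    }
    return n;
}
/* Heuristic for the syslog pattern the post warns about: many conversions
 * in one line (the "%x %x %x ..." probe) or any "%n", the one that writes.
 * The threshold is an arbitrary choice for this example. */
int looks_like_format_probe(const char *line, int threshold)
{
    return strstr(line, "%n") != NULL || count_conversions(line) >= threshold;
}
/* Constructed sample syslog lines (not real logs); returns how many are flagged. */
int count_suspicious_lines(void)
{
    static const char *lines[] = {
        "Sep 27 05:27:32 host rpc.statd[217]: SM_MON request for host1",
        "Sep 27 05:27:40 host rpc.statd[217]: gethostbyname error for %x %x %x %x %x %x %x %x",
        "Sep 27 05:27:41 host rpc.statd[217]: gethostbyname error for %n%n%n",
        "Sep 27 05:28:02 host cron[300]: disk 95% full on /var",
    };
    int flagged = 0;
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++)
        flagged += looks_like_format_probe(lines[i], 4);
    return flagged;
}
```

The "disk 95% full" line shows why a single stray percent sign should not trip the check; only runs of conversions or a "%n" do.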


