Linux Vulnerabilities in mount and umount Programs

Linux Vulnerabilities in mount and umount Programs Privacy and Legal Notice INFORMATION BULLETIN G-38: Linux Vulnerabilities in mount and umount Programs August 15, 1996 19:00 GMT

PROBLEM:       A security hole has been identified in the mount and umount 
               programs. 
PLATFORM:      All systems running current distributions of Linux including 
               all versions of Red Hat Linux. 
DAMAGE:        This vulnerability may allow any user with an account on a 
               system to obtain root access. 
SOLUTION:      Read and implement the workaround and/or patches described 
               below. 
VULNERABILITY  This vulnerability is becoming widely known. CIAC recommends 
ASSESSMENT:    implementing the workaround and/or patches as soon as possible. 

The mount and umount programs are normally installed with setUID root to 
allow users to perform mount and unmount operations. However, they do not 
check the length of the information being passed, thereby creating a buffer 
overflow problem.

******************************************************************************
Operating Systems Tested: All current distributions of Linux
******************************************************************************

Effect: Local users on systems affected can gain overflow mounts syntax 
buffer and execute a shell by overwriting the stack.

Effected binaries:
(/bin/mount and /bin/umount)

Workaround:
On all current distributions of Linux remove suid bit of /bin/mount and 
/bin/umount. 
[chmod -s /bin/mount; chmod -s /bin/umount]
******************************************************************************

******************************************************************************
Operating Systems Tested: All versions of Red Hat Linux
******************************************************************************

Users of versions of Red Hat less than 3.0.3 are advised to upgrade to
3.0.3, since many other problems are fixed in the upgrade.

If you are running:
* Red Hat Linux 3.0.3 (Picasso) on the Intel architecture, get
	- ftp://ftp.redhat.com/pub/redhat/redhat-3.0.3/i386/updates/RPMS/
		util-linux-2.5-11fix.i386.rpm
		mount-2.5k-1.i386.rpm
And install them in that order using 'rpm -Uvh [rpm filename]'

* Red Hat Linux 3.0.3 (Picasso) on the Alpha architecture, get
	- ftp://ftp.redhat.com/pub/redhat/redhat-3.0.3/axp/updates/RPMS/
		util-linux-2.5-11fix.axp.rpm
		mount-2.5k-1.axp.rpm
And install them in that order using 'rpm -Uvh [rpm filename]'

* Red Hat Linux 3.0.4 (Rembrandt) beta on the Intel, get
	- ftp://ftp.redhat.com/pub/redhat/rembrandt/i386/updates/RPMS/
		mount-2.5k-2.i386.rpm

* Red Hat Linux 3.0.4 (Rembrandt) beta on the Sparc, get
	- ftp://ftp.redhat.com/pub/redhat/rembrandt/sparc/updates/RPMS/
		mount-2.5k-2.sparc.rpm

[Aside: There is no difference between mount-2.5k-1 and -2 except
the package format.]

All RPMs are PGP-signed with the redhat@redhat.com key.
The source RPMs will be available in the normal locations.

MD5SUM's:
ad9b0628b6af9957d7b5eb720bbe632b  mount-2.5k-1.axp.rpm
12cb19ec4b3060f8d1cedff77bda7c05  util-linux-2.5-11fix.axp.rpm

26506a3c0066b8954d80deff152e0229  mount-2.5k-1.i386.rpm
f48c6bf901dd5d2c476657d6b75b12a5  util-linux-2.5-11fix.i386.rpm

7337f8796318f3b13f2dccb4a8f10b1a  mount-2.5k-2.i386.rpm
e68ff642a7536f3be4da83eedc14dd76  mount-2.5k-2.sparc.rpm

Thanks to Bloodmask, Vio, and others on the BugTraq list for discovering
this hole and providing patches.
******************************************************************************

CIAC wishes to acknowledge the contributions of Bloodmask, Vio, Elliot Lee at Red Hat, and others on BugTraq for the information contained in this bulletin.

CIAC services are available to DOE, DOE Contractors, and the NIH. CIAC can be contacted at:

    Voice:          +1 925-422-8193 (7 x 24)
    FAX:            +1 925-423-8002
    STU-III:        +1 925-423-2604
    E-mail:          ciac@ciac.org
    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes.

UCRL-MI-119788
[Privacy and Legal Notice]