-----BEGIN PGP SIGNED MESSAGE-----

===============================================================================
  Security Advisory CERT-NL
===============================================================================
Author/Source : Olav ten Bosch                              Index : S-96-45
Distribution  : World                                       Page  : 1
Classification: External                                    Version: 1
Subject       : Linux vulnerabilities in mount and umount   Date  : 16-Aug-96
===============================================================================

By courtesy of CIAC (The U.S. Department of Energy Computer Incident Advisory
Capability) we received information on a vulnerability in the mount and umount
programs of Linux.

CERT-NL recommends implementing the workaround and/or patches as described
below.

==============================================================================

             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

               Linux Vulnerabilities in mount and umount Programs

August 15, 1996 16:00 GMT                                          Number G-38
______________________________________________________________________________
PROBLEM:       A security hole has been identified in the mount and umount
               programs.
PLATFORM:      All systems running current distributions of Linux including
               all versions of Red Hat Linux.
DAMAGE:        This vulnerability may allow any user with an account on a
               system to obtain root access.
SOLUTION:      Read and implement the workaround and/or patches described
               below.
______________________________________________________________________________
VULNERABILITY  This vulnerability is becoming widely known. CIAC recommends
ASSESSMENT:    implementing the workaround and/or patches as soon as possible.
______________________________________________________________________________

The mount and umount programs are normally installed setuid root to allow
ordinary users to perform mount and unmount operations. However, they do not
check the length of the information being passed to them, thereby creating a
buffer overflow problem.

******************************************************************************
Operating Systems Tested: All current distributions of Linux
******************************************************************************

Effect:   Local users on affected systems can overflow mount's syntax buffer
          and execute a shell by overwriting the stack. Because the binary
          runs setuid root, that shell runs as root.

Affected binaries: /bin/mount and /bin/umount

Workaround: On all current distributions of Linux, remove the setuid bit from
            /bin/mount and /bin/umount:

                chmod -s /bin/mount; chmod -s /bin/umount

            With the setuid bit removed, only root can mount and unmount
            filesystems, including entries marked "user" in /etc/fstab;
            apply the vendor patches below to restore that functionality
            safely.

******************************************************************************

******************************************************************************
Operating Systems Tested: All versions of Red Hat Linux
******************************************************************************

Users of versions of Red Hat less than 3.0.3 are advised to upgrade to 3.0.3,
since many other problems are fixed in the upgrade.
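The bug class behind this bulletin, shown as an added example (this is not code from the advisory, from util-linux or from Red Hat): a setuid-root program copies a caller-controlled argument into a fixed-size stack buffer with no length check, next to a bounded replacement that rejects over-long input, and a stat()-based check for the setuid-root precondition that the chmod -s workaround removes. The buffer size ARG_MAX_LEN, the function names and the sample arguments are illustrative assumptions; the advisory does not give the real buffer size in the 1996 mount sources.

```c
/* Added example, not code from the CERT-NL/CIAC advisory, util-linux or
 * Red Hat.  ARG_MAX_LEN, the function names and the inputs in main() are
 * assumptions chosen for illustration. */
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

#define ARG_MAX_LEN 64   /* assumed size of the fixed on-stack buffer */

/* Vulnerable pattern: unbounded strcpy into a stack buffer.  An argument
 * longer than ARG_MAX_LEN-1 bytes runs past the buffer and over the saved
 * return address, which is how a local user turns a setuid-root binary
 * into a root shell.  Returns the copied length; shown for contrast only,
 * never call it with untrusted input. */
int copy_arg_unchecked(const char *arg)
{
    char buf[ARG_MAX_LEN];
    strcpy(buf, arg);           /* no length check: this is the bug */
    return (int)strlen(buf);
}

/* Hardened version: refuse anything that does not fit, copy with an
 * explicit bound and always NUL-terminate.  Returns 0 on success, -1 if
 * the input is too long (the caller should report an error and exit
 * rather than silently truncate a device or mount-point name). */
int copy_arg_checked(const char *arg, char *out, size_t outlen)
{
    size_t n = strlen(arg);
    if (outlen == 0 || n >= outlen)
        return -1;              /* would overflow: reject */
    memcpy(out, arg, n + 1);    /* n+1 copies the terminating NUL */
    return 0;
}

/* Returns 1 if PATH is owned by root and has the setuid bit set (the
 * precondition that makes the overflow a privilege escalation), 0 if
 * not, -1 if PATH cannot be stat()ed.  This is the condition the
 * advisory's "chmod -s /bin/mount; chmod -s /bin/umount" workaround
 * removes. */
int is_setuid_root(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (st.st_uid == 0 && (st.st_mode & S_ISUID)) ? 1 : 0;
}

int main(void)
{
    char out[ARG_MAX_LEN];
    const char *short_arg = "/dev/fd0";          /* constructed input */
    char long_arg[ARG_MAX_LEN * 4];              /* constructed: 255 'A's */
    memset(long_arg, 'A', sizeof long_arg - 1);
    long_arg[sizeof long_arg - 1] = '\0';

    printf("short arg: checked copy %s\n",
           copy_arg_checked(short_arg, out, sizeof out) == 0 ? "ok" : "rejected");
    printf("long arg (%zu bytes): checked copy %s\n", strlen(long_arg),
           copy_arg_checked(long_arg, out, sizeof out) == 0 ? "ok" : "rejected");
    /* copy_arg_unchecked(long_arg) would smash the stack; deliberately not run. */

    const char *bins[] = { "/bin/mount", "/bin/umount" };
    for (size_t i = 0; i < 2; i++) {
        int r = is_setuid_root(bins[i]);
        printf("%s: %s\n", bins[i],
               r == 1 ? "setuid root" : r == 0 ? "not setuid root" : "cannot stat");
    }
    return 0;
}
```

The checked copy rejects rather than truncates: a silently shortened device name would mount the wrong thing, which for a setuid program is its own problem. Run the binary on a patched and an unpatched host to see is_setuid_root() report the difference the workaround makes.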
If you are running:

  * Red Hat Linux 3.0.3 (Picasso) on the Intel architecture, get
      ftp://ftp.redhat.com/pub/redhat/redhat-3.0.3/i386/updates/RPMS/
          util-linux-2.5-11fix.i386.rpm
          mount-2.5k-1.i386.rpm
    and install them in that order using 'rpm -Uvh [rpm filename]'

  * Red Hat Linux 3.0.3 (Picasso) on the Alpha architecture, get
      ftp://ftp.redhat.com/pub/redhat/redhat-3.0.3/axp/updates/RPMS/
          util-linux-2.5-11fix.axp.rpm
          mount-2.5k-1.axp.rpm
    and install them in that order using 'rpm -Uvh [rpm filename]'

  * Red Hat Linux 3.0.4 (Rembrandt) beta on the Intel architecture, get
      ftp://ftp.redhat.com/pub/redhat/rembrandt/i386/updates/RPMS/
          mount-2.5k-2.i386.rpm

  * Red Hat Linux 3.0.4 (Rembrandt) beta on the Sparc architecture, get
      ftp://ftp.redhat.com/pub/redhat/rembrandt/sparc/updates/RPMS/
          mount-2.5k-2.sparc.rpm

[Aside: There is no difference between mount-2.5k-1 and -2 except the
package format.]

All RPMs are PGP-signed with the redhat@redhat.com key. The source RPMs will
be available in the normal locations. Compare the MD5 sum of each downloaded
package (md5sum <file>) against the list below before installing it.

MD5SUMs:
  ad9b0628b6af9957d7b5eb720bbe632b  mount-2.5k-1.axp.rpm
  12cb19ec4b3060f8d1cedff77bda7c05  util-linux-2.5-11fix.axp.rpm
  26506a3c0066b8954d80deff152e0229  mount-2.5k-1.i386.rpm
  f48c6bf901dd5d2c476657d6b75b12a5  util-linux-2.5-11fix.i386.rpm
  7337f8796318f3b13f2dccb4a8f10b1a  mount-2.5k-2.i386.rpm
  e68ff642a7536f3be4da83eedc14dd76  mount-2.5k-2.sparc.rpm

Thanks to Bloodmask, Vio, and others on the BugTraq list for discovering this
hole and providing patches.
******************************************************************************

_______________________________________________________________________________
CIAC wishes to acknowledge the contributions of Bloodmask, Vio, Elliot Lee at
Red Hat, and others on BugTraq for the information contained in this bulletin.
_______________________________________________________________________________

==============================================================================
CERT-NL is the Computer Emergency Response Team for SURFnet customers.
SURFnet is the Dutch network for educational, research and related institutes.
CERT-NL is a member of the Forum of Incident Response and Security Teams
(FIRST).

All CERT-NL material is available under:
  http://www.surfnet.nl/surfnet/security/cert-nl.html
  ftp://ftp.surfnet.nl/surfnet/net-security

In case of computer or network security problems please contact your local
CERT/security-team or CERT-NL (if your institute is NOT a SURFnet customer
please address the appropriate (local) CERT/security-team).

CERT-NL is one/two hour(s) ahead of UTC (GMT) in winter/summer, i.e. UTC+0100
in winter and UTC+0200 in summer (DST).

Email:     cert-nl@surfnet.nl
Phone:     +31 302 305 305
Fax:       +31 302 305 329
Snailmail: SURFnet bv
           Attn. CERT-NL
           P.O. Box 19035
           NL - 3501 DA UTRECHT
           The Netherlands

A 7*24 hours phone number is available to SURFnet SSC's and FIRST members on
request.
==============================================================================

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2i

iQCVAwUBMhR5yWL2fnkJN/jpAQG5AQP+K32cewmW6DdUrl+9WyJ/YO+KugnZEgnW
Ye9wYNHAIk1fLYt+1uyfXjlktFHBtZuj6TG4vGwXHHowAml/P5e1k1cj0s0vpPz3
TzDn3ET6vpIYTVWsgonx21pi3xYVj11OrO0MIzJbQWXCoEm2BAv8dYGu60MHhu2g
HXCA3F38BwE=
=r2iS
-----END PGP SIGNATURE-----