[14988] in bugtraq


fdmount buffer overflow

daemon@ATHENA.MIT.EDU (Arend-Jan Wijtzes)
Mon May 22 15:35:34 2000

Message-Id:  <20000522115143.10352.qmail@securityfocus.com>
Date:         Mon, 22 May 2000 11:51:43 -0000
Reply-To: Arend-Jan Wijtzes <aj@AJ.NU>
From: Arend-Jan Wijtzes <aj@AJ.NU>
X-To:         bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM

I searched the archives and did not find this one.

Program : fdmount
Version : 0.8
OS      : linux Slackware 7.0 (maybe others)

This program is normally only executable by members of group
'floppy' and installed suid-root by default.

Bug Details:
void msg(char *text,...) {
   char buff[80];            /* fixed 80-byte stack buffer */
   va_list p;
   va_start(p,text);
   vsprintf(buff,text,p);    /* unbounded: writes past buff when the formatted text exceeds 79 characters */
   va_end(p);
   printf("%s (%s): %s\n",progname,curdev,buff);
}

It can, for example, be overflowed with a large enough
non-existing mountpoint parameter:
fdmount fd0
/bla/bla/bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla/
Segmentation fault

It seems a simple exercise to exploit this.
The whole program's code is bad news for security, and it
would not surprise me if there are more flaws to be found
here. From the man page fdmount (1), section 'bugs':

*     Probably  not  very  secure  yet (when running suid
      root).  Untested with ext and xia filesystems.

Using strncpy and vsnprintf would fix things.
Of course, you must be in group 'floppy' to exploit this.

aj
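The fix the post suggests, worked through as an added example (this is not fdmount's code and not part of the original post): the unbounded msg() pattern next to a bounded version that formats with vsnprintf and reports truncation, plus a bounded copy of a user-supplied mountpoint that explicitly NUL-terminates after strncpy. The function names, the MSG_BUF size, and passing progname/curdev as parameters instead of fdmount's globals are assumptions made for the example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define MSG_BUF 80   /* same buffer size as the original msg() */

/* The vulnerable shape from the post, reproduced for comparison only
 * (progname/curdev as parameters is an assumption). vsprintf has no
 * idea how big buff is, so a long mountpoint in the format arguments
 * overwrites the stack. Never call this with untrusted input. */
void msg_unsafe(const char *progname, const char *curdev, const char *text, ...)
{
    char buff[MSG_BUF];
    va_list p;
    va_start(p, text);
    vsprintf(buff, text, p);           /* unbounded write */
    va_end(p);
    printf("%s (%s): %s\n", progname, curdev, buff);
}

/* Bounded formatter: vsnprintf never writes more than size bytes and
 * always NUL-terminates (for size > 0). The return value is the length
 * the full message would have needed, so the caller can detect
 * truncation with "n >= size". */
int fmt_msg(char *buf, size_t size, const char *text, ...)
{
    va_list p;
    int n;
    va_start(p, text);
    n = vsnprintf(buf, size, text, p);
    va_end(p);
    return n;
}

/* Hardened msg(): same output format as the original, but the message is
 * clipped to the buffer and flagged when it was cut. Returns the untruncated
 * length, or -1 on a formatting error. */
int msg_safe(const char *progname, const char *curdev, const char *text, ...)
{
    char buff[MSG_BUF];
    va_list p;
    int n;
    va_start(p, text);
    n = vsnprintf(buff, sizeof buff, text, p);
    va_end(p);
    if (n < 0)
        return -1;
    printf("%s (%s): %s%s\n", progname, curdev, buff,
           (size_t)n >= sizeof buff ? " [truncated]" : "");
    return n;
}

/* Bounded copy of a user-supplied path. strncpy does not NUL-terminate
 * when the source fills the destination, so terminate explicitly.
 * Returns 0 if the whole path fit, -1 if it had to be cut (a setuid
 * program should reject the input rather than silently use a prefix). */
int copy_mountpoint(char *dst, size_t size, const char *src)
{
    if (size == 0)
        return -1;
    strncpy(dst, src, size - 1);
    dst[size - 1] = '\0';
    return strlen(src) < size ? 0 : -1;
}

/* Constructed test input: a "/bla/bla/..." path like the one in the post,
 * filled up to the given buffer size. */
void make_long_path(char *out, size_t size)
{
    size_t used = 0;
    out[0] = '\0';
    while (used + 4 < size - 1) {
        memcpy(out + used, "/bla", 4);
        used += 4;
    }
    out[used] = '\0';
}

int main(void)
{
    char path[1024];
    char dst[32];
    make_long_path(path, sizeof path);
    msg_safe("fdmount", "fd0", "mount point %s does not exist", path);
    if (copy_mountpoint(dst, sizeof dst, path) != 0)
        printf("mountpoint too long (%zu bytes), rejected\n", strlen(path));
    return 0;
}
```

With the 1020-byte path, msg_safe prints the first 79 characters followed by "[truncated]" instead of corrupting the stack, and copy_mountpoint returns -1 so the caller can refuse the argument outright.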
