[6561] in bugtraq
smbmount problem?
daemon@ATHENA.MIT.EDU (Chris Evans)
Tue Apr 21 15:48:54 1998
Date: Tue, 21 Apr 1998 12:05:43 +0100
Reply-To: Chris Evans <chris@FERRET.LMH.OX.AC.UK>
From: Chris Evans <chris@FERRET.LMH.OX.AC.UK>
To: BUGTRAQ@NETSPACE.ORG
Hi,
smbmount is a linux program to mount NT filesystem shares.
/usr/sbin/smbmount //a/b /
/usr/sbin/smbmount must be installed suid root
Ohhh, that's nice. On my system (RH) it doesn't seem to be, which is
probably very lucky! I expect it might be suid on other distributions
maybe?
# export USER=`perl -e 'print "A" x 10000'`
# /usr/sbin/smbmount //a/b /
Segmentation fault
The buffer overflowed is on the stack, however it's of the form
struct a {
.. blah ..
char user[32];
.. blah ..
};
int
main()
{
struct a;
strcpy (&a.user, getenv("USER"));
}
I am interested to know if we can do anything malicious with this, since
obviously the function "main" doesn't return and hand control to our
overwritten stack frame. The eventual segfault is from within libc.
Can someone enlighten us as to what use an overflow on the stack in
functiom main() is? Aleph? :-)
Cheers
Chris
