[6599] in bugtraq
Re: smbmount problem?
daemon@ATHENA.MIT.EDU (Chris Evans)
Sat Apr 25 13:56:54 1998
Date: Sat, 25 Apr 1998 13:37:07 +0100
Reply-To: Chris Evans <chris@FERRET.LMH.OX.AC.UK>
From: Chris Evans <chris@FERRET.LMH.OX.AC.UK>
X-To: Kevin Vajk <kvajk@ricochet.net>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Pine.LNX.3.96.980421092536.533A-100000@darkstar.localdomain>
On Tue, 21 Apr 1998, Kevin Vajk wrote:
> > int
> > main()
> > {
> > struct a;
> >
> > strcpy (&a.user, getenv("USER"));
> > }
>
> But it's not main() whose return pointer gets overwritten... it's
> strcpy(). So when strcpy() tries to return to main() it tries to branch
Aha, missed this, duh. Cheers.
The exploit makes strcpy() itself crash as its stack arguements are
trashed. But with careful overflowing these can be preserved, or made into
an exit condition (eg. characters to go = 0).
So the problem is exploitable. However it's been fixed for about a year. I
thought I was looking at the latest source, 2.0.1, as comes with RedHat.
It seems 2.0.2 is the latest.
Probably RedHat should upgrade their package to 2.0.2, as I've seen
installations where smbmount has been made suid root for convenience, and
because it is recommended.
Chris
