Bugtraq mailing list archives
fdmount buffer overflow
From: aj () AJ NU (Arend-Jan Wijtzes)
Date: Mon, 22 May 2000 11:51:43 -0000
I searched the archives and did not find this one.

Program: fdmount
Version: 0.8
OS: linux Slackware 7.0 (maybe others)

This program is normally only executable by members of group 'floppy' and installed suid-root by default.

Bug Details:

void msg(char *text,...)
{
    char buff[80];
    va_list p;

    va_start(p,text);
    vsprintf(buff,text,p);
    va_end(p);
    printf("%s (%s): %s\n",progname,curdev,buff);
}

It can, for example, be overflowed with a large enough non-existing mountpoint parameter:

fdmount fd0 /bla/bla/bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla/
Segmentation fault

It seems a simple exercise to exploit this. The whole program's code is bad news for security, and it would not surprise me if there are more flaws to be found here. From the man page fdmount (1), section 'bugs':

* Probably not very secure yet (when running suid root). Untested with ext and xia filesystems.

Using strncpy and vsnprintf would fix things. Of course, you must be in group 'floppy' to exploit this.

aj
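As an added illustration, not code from the original post or from fdmount itself: the same 80-byte message formatter rewritten with vsnprintf (the fix the post names), plus two helpers that make the bound observable on an oversize mount point. The progname and curdev stand-ins, the message text and the helper names are assumptions.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins for fdmount's globals (names assumed, not from its source). */
static const char *progname = "fdmount";
static const char *curdev   = "fd0";

/*
 * Hardened counterpart of the msg() quoted in the post: same 80-byte
 * stack buffer, but vsnprintf() never writes past sizeof buff and always
 * NUL-terminates. Returns 1 if the message was truncated, 0 otherwise.
 */
int msg_safe(const char *text, ...)
{
    char buff[80];
    va_list p;
    int needed;

    va_start(p, text);
    needed = vsnprintf(buff, sizeof buff, text, p);
    va_end(p);

    printf("%s (%s): %s\n", progname, curdev, buff);
    return needed < 0 || (size_t)needed >= sizeof buff;
}

/*
 * Same bound, made observable: format one message for the given mount
 * point into a local 80-byte buffer and return how many characters were
 * actually stored. Whatever the length of path, this never exceeds 79.
 */
size_t stored_len_for(const char *path)
{
    char buff[80];
    snprintf(buff, sizeof buff, "mount point %s does not exist", path);
    return strlen(buff);
}

/* Feed msg_safe() a constructed oversize mount point, in the spirit of the
 * post's long /bla/bla/... argument, and report whether it was truncated. */
int demo_long_mountpoint(void)
{
    char longpath[300];
    memset(longpath, 'a', sizeof longpath - 1);
    longpath[sizeof longpath - 1] = '\0';
    return msg_safe("mount point %s does not exist", longpath);
}
```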