Bugtraq mailing list archives

Re: smbmount problem?


From: chris () FERRET LMH OX AC UK (Chris Evans)
Date: Sat, 25 Apr 1998 13:37:07 +0100


On Tue, 21 Apr 1998, Kevin Vajk wrote:

> #include <stdlib.h>
> #include <string.h>
> /* struct type and field size are not given in the original; assumed here */
> struct a { char user[16]; };
>
> int
> main(void)
> {
>   struct a a;
>
>   /* unbounded copy: a long USER overruns a.user and the stack above it */
>   strcpy (a.user, getenv("USER"));
> }
>
> But it's not main() whose return pointer gets overwritten... it's
> strcpy().  So when strcpy() tries to return to main() it tries to branch

Aha, missed this, duh. Cheers.

The exploit makes strcpy() itself crash as its stack arguments are
trashed. But with careful overflowing these can be preserved, or made into
an exit condition (e.g. characters to go = 0).

So the problem is exploitable. However it's been fixed for about a year. I
thought I was looking at the latest source, 2.0.1, as comes with RedHat.
It seems 2.0.2 is the latest.

Probably RedHat should upgrade their package to 2.0.2, as I've seen
installations where smbmount has been made suid root for convenience, and
because it is recommended.

Chris
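The quoted snippet copies an environment variable into a fixed-size field with no length check. As an added example (not code from this thread or from smbmount), here is that pattern beside a bounded replacement; the struct smb_conn layout, the 64-byte field size and the function names are assumptions, and the inputs are constructed rather than read from the live environment:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical connection record; the 64-byte fields are an assumed
 * size, not smbmount's real layout. */
struct smb_conn {
    char user[64];
    char server[64];
};

/* Unsafe pattern from the thread: no bound on the copied value.
 * A string longer than sizeof(user) - 1 writes past the field into
 * server and whatever lies beyond the struct on the stack. */
void set_user_unbounded(struct smb_conn *c, const char *user)
{
    strcpy(c->user, user);
}

/* Hardened form: reject NULL (getenv returns NULL when USER is unset)
 * and anything that does not fit, and always leave the field
 * NUL-terminated. Returns 0 on success, -1 on rejection. */
int set_user_bounded(struct smb_conn *c, const char *user)
{
    size_t len;
    if (user == NULL)
        return -1;
    len = strlen(user);
    if (len >= sizeof c->user)   /* no room for the terminator */
        return -1;
    memcpy(c->user, user, len + 1);
    return 0;
}

/* Exercise the bounded version with constructed inputs: a name that
 * fits, an oversized one, and NULL. Returns 1 if all behave as expected. */
int demo(void)
{
    struct smb_conn c;
    char oversized[200];
    int ok, rejected, null_rejected;

    memset(oversized, 'A', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';
    memset(&c, 0, sizeof c);

    ok = set_user_bounded(&c, "alice");            /* fits: 0 */
    rejected = set_user_bounded(&c, oversized);    /* too long: -1 */
    null_rejected = set_user_bounded(&c, NULL);    /* unset: -1 */
    /* set_user_unbounded(&c, oversized) would corrupt c.server and the
     * stack beyond it; it is deliberately never called here. */
    return ok == 0 && rejected == -1 && null_rejected == -1
        && strcmp(c.user, "alice") == 0;
}

int main(void)
{
    struct smb_conn c;
    memset(&c, 0, sizeof c);
    /* Real-world use: validate the environment value before trusting it. */
    if (set_user_bounded(&c, getenv("USER")) != 0) {
        fprintf(stderr, "USER unset or too long; refusing\n");
        return 1;
    }
    printf("user=%s demo=%d\n", c.user, demo());
    return 0;
}
```

The bounded version fails closed: an over-long or missing USER is reported as a configuration error instead of being truncated silently or copied past the field, which is the behaviour a setuid program should have for any environment-derived string.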
