Bugtraq mailing list archives
Re: smbmount problem?
From: chris () FERRET LMH OX AC UK (Chris Evans)
Date: Sat, 25 Apr 1998 13:37:07 +0100
On Tue, 21 Apr 1998, Kevin Vajk wrote:
int main() { struct a; strcpy (&a.user, getenv("USER")); }But it's not main() whose return pointer gets overwritten... it's strcpy(). So when strcpy() tries to return to main() it tries to branch
Aha, missed this, duh. Cheers. The exploit makes strcpy() itself crash as its stack arguements are trashed. But with careful overflowing these can be preserved, or made into an exit condition (eg. characters to go = 0). So the problem is exploitable. However it's been fixed for about a year. I thought I was looking at the latest source, 2.0.1, as comes with RedHat. It seems 2.0.2 is the latest. Probably RedHat should upgrade their package to 2.0.2, as I've seen installations where smbmount has been made suid root for convenience, and because it is recommended. Chris
Current thread:
- Re: smbmount problem? Chris Evans (Apr 25)