Re: smbmount problem?

From: Chris Evans (chrisat_private)
Date: Sat Apr 25 1998 - 05:37:07 PDT


    On Tue, 21 Apr 1998, Kevin Vajk wrote:
    
    > > int
    > > main()
    > > {
    > >   struct a;
    > >
    > >   strcpy (&a.user, getenv("USER"));
    > > }
    >
    > But it's not main() whose return pointer gets overwritten... it's
    > strcpy().  So when strcpy() tries to return to main() it tries to branch
    
    Aha, missed this, duh. Cheers.
    
    The exploit makes strcpy() itself crash as its stack arguments are
    trashed. But with careful overflowing these can be preserved, or made into
    an exit condition (e.g. characters to go = 0).
    
    So the problem is exploitable. However it's been fixed for about a year. I
    thought I was looking at the latest source, 2.0.1, as comes with RedHat.
    It seems 2.0.2 is the latest.
    
    Probably RedHat should upgrade their package to 2.0.2, as I've seen
    installations where smbmount has been made suid root for convenience, and
    because it is recommended.
    
    Chris
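The pattern the thread is discussing is an unbounded strcpy() from an environment variable into a fixed-size struct field. As an added illustration (not code from the thread or from smbmount), the block below places that pattern beside a hardened form that rejects a NULL result from getenv() and any value that would not fit including the terminator. The struct name, the field size of 32 and the function names are assumptions for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed size of the fixed-length user-name field (not from the thread). */
#define USER_LEN 32

/* Hypothetical stand-in for the struct the quoted snippet copies into. */
struct smb_conn {
    char user[USER_LEN];
    int connected;
};

/* The pattern under discussion: unbounded copy of an environment variable
 * into a fixed-size field. Kept only for comparison with the safe form
 * below; nothing in this example calls it. */
void set_user_unsafe(struct smb_conn *c, const char *env_user)
{
    strcpy(c->user, env_user);   /* no length check: a long USER overflows c->user */
}

/* Hardened form. getenv() returns NULL when the variable is unset, and a
 * value that does not leave room for the NUL terminator is rejected outright
 * rather than silently truncated. Returns 0 on success, -1 on rejection. */
int set_user_safe(struct smb_conn *c, const char *env_user)
{
    if (env_user == NULL)
        return -1;

    /* Bounded scan: never read past USER_LEN bytes of the input. */
    size_t n = 0;
    while (n < USER_LEN && env_user[n] != '\0')
        n++;
    if (n >= USER_LEN)
        return -1;               /* n == USER_LEN: no room for the terminator */

    memcpy(c->user, env_user, n + 1);   /* copy the string and its NUL */
    return 0;
}

int main(void)
{
    struct smb_conn c = { .connected = 0 };

    /* Reads the real USER variable; unset or oversized values are refused. */
    if (set_user_safe(&c, getenv("USER")) == 0)
        printf("user accepted: %s\n", c.user);
    else
        printf("USER unset or longer than %d bytes; rejected\n", USER_LEN - 1);
    return 0;
}
```

The decision to reject rather than truncate is deliberate: a truncated user name would still be NUL-terminated, but it would silently change which account the program later acts on, which is the wrong failure mode for a setuid program.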
    
    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:51:12 PDT