On Tue, 21 Apr 1998, Kevin Vajk wrote: > > int > > main() > > { > > struct a; > > > > strcpy (&a.user, getenv("USER")); > > } > > But it's not main() whose return pointer gets overwritten... it's > strcpy(). So when strcpy() tries to return to main() it tries to branch Aha, missed this, duh. Cheers. The exploit makes strcpy() itself crash as its stack arguements are trashed. But with careful overflowing these can be preserved, or made into an exit condition (eg. characters to go = 0). So the problem is exploitable. However it's been fixed for about a year. I thought I was looking at the latest source, 2.0.1, as comes with RedHat. It seems 2.0.2 is the latest. Probably RedHat should upgrade their package to 2.0.2, as I've seen installations where smbmount has been made suid root for convenience, and because it is recommended. Chris
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:51:12 PDT