> No. getenv() fails because *envp, argc, **argv are AFTER pathname[]
> buffer and get overwritten.
> Of course, it is still exploitable.

It doesn't quite look that way to me. The overflow takes place after the
setuid(getuid()) call has been made, which renders execution of shellcode
useless to us.

The first overflow that is encountered in this way is NOT the
strcpy(pathname, disk) but the realpath() function, which expects pathname
to be of size MAXPATHLEN instead of a mere 255 bytes. After this the buffer
is overflown again by the strcpy() call. After patching pathname to be of
MAXPATHLEN size the buffer still gets overflown by the strcpy() function,
which should be made a strncpy() to function properly.

Full patch included (not a workaround that just chokes in a \0 at the end
of char *disk).

--- main.c.old	Fri Jan 21 11:17:41 2000
+++ main.c	Sat Mar  4 19:42:13 2000
@@ -119,7 +119,7 @@
 #ifdef __linux__
 	errcode_t retval;
 	char directory[NAME_MAX];
-	char pathname[NAME_MAX];
+	char pathname[MAXPATHLEN];
 #endif
 	time_t tnow;
 	char labelstr[LBLSIZE];
@@ -363,7 +363,7 @@
 #ifdef HAVE_REALPATH
 	if (realpath(disk, pathname) == NULL)
 #endif
-		strcpy(pathname, disk);
+		strncpy(pathname, disk, MAXPATHLEN);
 	dt = fstabsearchdir(pathname, directory);
 	if (dt != NULL) {
 		char name[MAXPATHLEN];

Cheers,
Ronald Huizer - ronaldat_private
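Review bot: the resize in the first hunk is right for realpath(), which may write up to MAXPATHLEN bytes into its second argument, but `char directory[NAME_MAX];` two lines above is left at NAME_MAX and is handed to `fstabsearchdir(pathname, directory);` in the second hunk; worth confirming that fstabsearchdir() bounds what it writes into directory to NAME_MAX, otherwise that buffer needs the same resize.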
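Review bot: `strncpy(pathname, disk, MAXPATHLEN);` in the second hunk does not NUL-terminate pathname when strlen(disk) >= MAXPATHLEN, so `fstabsearchdir(pathname, directory);` on the next line can read past the end of the buffer; either copy at most MAXPATHLEN - 1 bytes and set `pathname[MAXPATHLEN - 1] = '\0';` afterwards, or reject an over-long disk name with an error before the copy, which also avoids silently truncating the path into a different name.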
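As an added example (not code from this thread or from dump itself): a helper for the pathname setup discussed above that sizes the destination for what realpath() may write and, when realpath() fails, copies the disk name only if it fits, so the buffer is never left without a terminating NUL. The names resolve_disk_path and overlong_disk_is_rejected are assumptions made for the example.

```c
#define _XOPEN_SOURCE 700      /* declares realpath() in <stdlib.h> */
#include <limits.h>
#include <stdlib.h>
#include <string.h>
#include <sys/param.h>         /* MAXPATHLEN (PATH_MAX on Linux) */

#ifndef MAXPATHLEN
#define MAXPATHLEN PATH_MAX
#endif

/* Hypothetical helper (not dump's code) for the pathname setup in main():
 * realpath() may write up to MAXPATHLEN bytes, so the destination must be
 * at least that large; when realpath() fails, fall back to a bounded copy
 * that always NUL-terminates. Returns 0 on success, -1 when the buffer is
 * too small for realpath() or the fallback copy would be truncated. */
int resolve_disk_path(const char *disk, char *pathname, size_t pathname_len)
{
    if (pathname_len < MAXPATHLEN)
        return -1;             /* a 255-byte pathname[] is rejected here */
    if (realpath(disk, pathname) != NULL)
        return 0;
    /* strncpy(pathname, disk, MAXPATHLEN) leaves no terminating NUL when
     * strlen(disk) >= MAXPATHLEN; copy only when the whole name fits. */
    size_t n = strlen(disk);
    if (n >= pathname_len)
        return -1;             /* refuse to truncate silently */
    memcpy(pathname, disk, n + 1);
    return 0;
}

/* Self-check with a constructed over-long name (MAXPATHLEN + 15 chars):
 * realpath() fails on it, and the fallback must reject it rather than
 * overflow pathname or drop the NUL. Returns 1 when it is rejected. */
int overlong_disk_is_rejected(void)
{
    char big[MAXPATHLEN + 16];
    char out[MAXPATHLEN];
    memset(big, 'a', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    return resolve_disk_path(big, out, sizeof out) == -1;
}
```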
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:38:54 PDT