Bugtraq mailing list archives

smbmount problem?
From: chris () FERRET LMH OX AC UK (Chris Evans)
Date: Tue, 21 Apr 1998 12:05:43 +0100


smbmount is a linux program to mount NT filesystem shares.

/usr/sbin/smbmount //a/b /
/usr/sbin/smbmount must be installed suid root

Ohhh, that's nice. On my system (RH) it doesn't seem to be, which is
probably very lucky! I expect it might be suid on other distributions.

# export USER=`perl -e 'print "A" x 10000'`
# /usr/sbin/smbmount //a/b /
Segmentation fault

The buffer overflowed is on the stack; however, it's of the form

struct a {
  /* .. blah .. */
  char user[32];
  /* .. blah .. */
};

  struct a a;

  /* no length check: a $USER longer than 31 bytes runs past user[] */
  strcpy (a.user, getenv("USER"));

I am interested to know if we can do anything malicious with this, since
obviously the function "main" doesn't return and hand control to our
overwritten stack frame. The eventual segfault is from within libc.

Can someone enlighten us as to what use an overflow on the stack in
function main() is? Aleph? :-)
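
Added example (not from the post or from smbmount itself): the unbounded copy the message describes beside a bounds-checked replacement that rejects an over-long $USER instead of writing past the field. The struct and function names are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L   /* for strnlen */
#include <stdlib.h>
#include <string.h>

#define USER_LEN 32

/* Hypothetical stand-in for the struct sketched in the post. */
struct conn_opts {
    char server[64];
    char user[USER_LEN];   /* the 32-byte field the post describes */
    int  flags;            /* a neighbour an overflow would clobber */
};

/* The pattern from the post: no length check at all. Kept only for
 * contrast; nothing below calls it. */
void set_user_unsafe(struct conn_opts *o, const char *env_user)
{
    strcpy(o->user, env_user);   /* writes past user[] once strlen >= 32 */
}

/* Bounds-checked replacement: over-long input is rejected, not silently
 * truncated, and the struct is left untouched. Returns 0 on success, -1 otherwise. */
int set_user_checked(struct conn_opts *o, const char *env_user)
{
    if (env_user == NULL)
        return -1;
    size_t n = strnlen(env_user, USER_LEN);   /* never scans past the limit */
    if (n >= USER_LEN)
        return -1;                             /* no room left for the NUL */
    memcpy(o->user, env_user, n + 1);
    return 0;
}

/* Same check applied to the real environment, as smbmount would need to. */
int set_user_from_env(struct conn_opts *o)
{
    return set_user_checked(o, getenv("USER"));
}

/* Constructed input mirroring the post's test (USER = 10000 x 'A').
 * Returns 1 if the checked copy rejects it and leaves the struct intact. */
int rejects_long_user(void)
{
    static char big[10001];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    struct conn_opts o = { "server", "", 7 };
    return set_user_checked(&o, big) == -1 && o.user[0] == '\0' && o.flags == 7;
}
```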
