Bugtraq: Re: [ Hackerslab bug_paper ] Linux dump buffer overflow

Re: [ Hackerslab bug_paper ] Linux dump buffer overflow

From: Ronald Huizer <ronald_at_GRAFIX.NL>
Date: Sat, 4 Mar 2000 18:55:43 -0000

>No. getenv() fails because *envp, argc, **argv are AFTER
>pathname[]
>buffer and gets overwritten.

>Of course, it is still exploitable.

It doesn't quite look that way to me.
The overflow takes place after the setuid(getuid()) call has
been made, which renders execution of shellcode useless to
us.

The first overflow that is encountered in this way is NOT
the strcpy(pathname, disk) but the realpath() function, which
expects pathname to be of size MAXPATHLEN instead of a mere
255 bytes. After this the buffer is overflowed again by the
strcpy() call.

After patching pathname to be of MAXPATHLEN size the buffer
still gets overflowed by the strcpy() function, which should
be made a strncpy() to function properly.

Full patch included (not a workaround that just chokes in
a \0 at the end of char *disk).

--- main.c.old Fri Jan 21 11:17:41 2000
+++ main.c Sat Mar 4 19:42:13 2000
@@ -119,7 +119,7 @@
 #ifdef __linux__
        errcode_t retval;
        char directory[NAME_MAX];
- char pathname[NAME_MAX];
+ char pathname[MAXPATHLEN];
 #endif
        time_t tnow;
        char labelstr[LBLSIZE];
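Review bot: `directory[NAME_MAX]` on the line just above the changed one keeps its old size while `pathname` grows to MAXPATHLEN, and the second hunk hands both to `fstabsearchdir(pathname, directory)`; confirm that function bounds what it writes into `directory`, or declare it as `char directory[MAXPATHLEN];` too so both buffers can hold the same paths.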
@@ -363,7 +363,7 @@
 #ifdef HAVE_REALPATH
                if (realpath(disk, pathname) == NULL)
 #endif
- strcpy(pathname, disk);
+ strncpy(pathname, disk, MAXPATHLEN);
                dt = fstabsearchdir(pathname, directory);
                if (dt != NULL) {
                        char name[MAXPATHLEN];
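Review bot: `strncpy(pathname, disk, MAXPATHLEN)` leaves `pathname` without a NUL terminator whenever `disk` is MAXPATHLEN bytes or longer, so the `fstabsearchdir(pathname, directory)` call right after it would read past the end of the buffer; either copy `MAXPATHLEN - 1` bytes and set `pathname[MAXPATHLEN - 1] = '\0';`, or better, check `strlen(disk)` first and refuse an overlong device name with an error, since a silently truncated path is not the device the user asked to dump. Note also that under `#ifdef HAVE_REALPATH` this copy is only the fallback for a failed `realpath()`; the `realpath()` call itself is what the first hunk's MAXPATHLEN buffer protects.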

Cheers,

Ronald Huizer - ronald_at_grafix.nl
Received on Mar 06 2000
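The fix argued for above, a bounded copy in place of strcpy(), has a well-known edge case: strncpy() called with the full buffer size does not terminate the destination when the source fills or exceeds it, which turns a write overflow into a read overrun in whatever parses the path next. The following C program is an added example, not code from this post or from the dump project; DEMO_MAXPATHLEN, bounded_path_copy() and strncpy_left_unterminated() are hypothetical names chosen for the demonstration, and the device names are constructed inputs.

```c
#define _POSIX_C_SOURCE 200809L  /* for strnlen() */
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for MAXPATHLEN from the patch; the value is
 * constructed for this demo and kept small so the edge cases are easy to hit. */
#define DEMO_MAXPATHLEN 16

/* Hypothetical helper (not from dump): copy src into dst only if it fits
 * together with its terminating NUL. Returns 0 on success and -1 if src is
 * too long, so the caller can refuse an overlong device name instead of
 * silently truncating it. Never leaves dst unterminated. */
int bounded_path_copy(char *dst, size_t dstsize, const char *src)
{
    if (dstsize == 0)
        return -1;
    size_t n = strnlen(src, dstsize);   /* never reads more than dstsize bytes */
    if (n == dstsize)
        return -1;                      /* no room left for the NUL */
    memcpy(dst, src, n + 1);            /* copy including the terminator */
    return 0;
}

/* Demonstrates the pitfall in strncpy(dst, src, sizeof dst): returns 1 when
 * the copy leaves no NUL anywhere in dst, 0 when dst is properly terminated. */
int strncpy_left_unterminated(const char *src)
{
    char dst[DEMO_MAXPATHLEN];
    memset(dst, 'X', sizeof dst);       /* poison so a missing NUL is visible */
    strncpy(dst, src, sizeof dst);
    return memchr(dst, '\0', sizeof dst) == NULL;
}

int main(void)
{
    /* Constructed inputs: one name that fits, one that is exactly the buffer
     * size (the case strncpy silently mishandles), and one that is longer. */
    const char *fits   = "/dev/hda1";                 /* 9 chars  */
    const char *exact  = "/dev/md/longname";          /* 16 chars */
    const char *longer = "/dev/disk/by-id/toolong";   /* 23 chars */
    char buf[DEMO_MAXPATHLEN];

    printf("strncpy left unterminated? fits=%d exact=%d longer=%d\n",
           strncpy_left_unterminated(fits),
           strncpy_left_unterminated(exact),
           strncpy_left_unterminated(longer));

    printf("bounded copy result: fits=%d exact=%d longer=%d\n",
           bounded_path_copy(buf, sizeof buf, fits),
           bounded_path_copy(buf, sizeof buf, exact),
           bounded_path_copy(buf, sizeof buf, longer));
    return 0;
}
```

The 16-character name is the instructive case: strncpy() copies it completely, leaves no terminator, and any later strlen() or path parsing walks off the end of the buffer, while bounded_path_copy() rejects it outright. Returning an error rather than truncating also avoids dumping a different device than the one named, which is the behaviour a setuid utility should prefer.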
