Bugtraq mailing list archives

Re: [ Hackerslab bug_paper ] Linux dump buffer overflow
From: ronald () GRAFIX NL (Ronald Huizer)
Date: Sat, 4 Mar 2000 18:55:43 -0000

No. getenv() fails because *envp, argc, **argv are AFTER
buffer and gets overwritten.

Of course, it is still exploitable.

It doesn't quite look that way to me.
The overflow takes place after the setuid(getuid()) call has
been made. Which renders execution of shellcode useless to

The first overflow that is encountered in this way is NOT
the strcpy(pathname, disk) but the realpath() function which
expects pathname to be of size MAXPATHLEN instead of a mere
255 bytes. After this the buffer is overflown again by the
strcpy() call.

After patching pathname to be of MAXPATHLEN size the buffer
still gets overflown by the strcpy() function which should
be made to a strncpy() to function properly.

Full patch included (not a workaround that just chokes in
a \0 at the end of char *disk).

--- main.c.old  Fri Jan 21 11:17:41 2000
+++ main.c      Sat Mar  4 19:42:13 2000
@@ -119,7 +119,7 @@
 #ifdef __linux__
        errcode_t retval;
        char directory[NAME_MAX];
-       char pathname[NAME_MAX];
+       char pathname[MAXPATHLEN];
        time_t tnow;
        char labelstr[LBLSIZE];
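Review bot: sizing pathname as MAXPATHLEN matches what realpath(3) requires of its output buffer, so this hunk fixes the first overflow described in the post, and no new include is needed because MAXPATHLEN is already used for name[] in the second hunk. The adjacent directory[NAME_MAX] is left as is and is later passed to fstabsearchdir(pathname, directory) next to pathname; worth confirming that function never writes a full path into it.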
@@ -363,7 +363,7 @@
                if (realpath(disk, pathname) == NULL)
-                       strcpy(pathname, disk);
+                       strncpy(pathname, disk, MAXPATHLEN);
                dt = fstabsearchdir(pathname, directory);
                if (dt != NULL) {
                        char name[MAXPATHLEN];
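Review bot: strncpy(pathname, disk, MAXPATHLEN) stops the write past the buffer, but it does not NUL-terminate pathname when strlen(disk) >= MAXPATHLEN, so the following fstabsearchdir(pathname, directory) would read beyond the array. Either copy MAXPATHLEN - 1 bytes and set pathname[MAXPATHLEN - 1] = '\0', or, since realpath() has already failed on the name at this point, treat an over-long disk argument as an error and return instead of silently truncating it.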


Ronald Huizer - ronald () grafix nl
