X-RDate: Wed, 22 Apr 1998 15:01:45 +0600 (YEKST)
X-UIDL: 35317d34000000a0
Date: Tue, 21 Apr 1998 12:05:43 +0100
From: Chris Evans <chris@FERRET.LMH.OX.AC.UK>
To: BUGTRAQ@NETSPACE.ORG
Subject: smbmount problem?
Hi,
smbmount is a linux program to mount NT filesystem shares.
/usr/sbin/smbmount //a/b /
/usr/sbin/smbmount must be installed suid root
Ohhh, that's nice. On my system (RH) it doesn't seem to be, which is
probably very lucky! I expect it might be suid on other distributions
maybe?
# export USER=`perl -e 'print "A" x 10000'`
# /usr/sbin/smbmount //a/b /
Segmentation fault
The buffer overflowed is on the stack, however it's of the form
struct a {
.. blah ..
char user[32];
.. blah ..
};
int
main()
{
struct a;
strcpy (&a.user, getenv("USER"));
}
I am interested to know if we can do anything malicious with this, since
obviously the function "main" doesn't return and hand control to our
overwritten stack frame. The eventual segfault is from within libc.
Can someone enlighten us as to what use an overflow on the stack in
functiom main() is? Aleph? :-)
Cheers
Chris
