
Date:         Mon, 22 May 2000 11:51:43 -0000
From: Arend-Jan Wijtzes <aj@AJ.NU>
Subject:      fdmount buffer overflow
To: BUGTRAQ@SECURITYFOCUS.COM

I searched the archives and did not find this one.

Program : fdmount
Version : 0.8
OS      : linux Slackware 7.0 (maybe others)

This program is normally only executable by members of group
'floppy' and installed suid-root by default.

Bug Details:
#include <stdio.h>
#include <stdarg.h>

/* progname and curdev are globals defined elsewhere in fdmount */
void msg(char *text,...) {
   char buff[80];            /* fixed 80-byte stack buffer */
   va_list p;
   va_start(p,text);
   vsprintf(buff,text,p);    /* no length bound: a long argument overruns buff */
   va_end(p);
   printf("%s (%s): %s\n",progname,curdev,buff);
}

It can, for example, be overflowed with a large enough
non-existing mountpoint parameter:
fdmount fd0
/bla/bla/bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla/
Segmentation fault

It seems a simple exercise to exploit this.
The whole program's code is bad news for security, and it
would not surprise me if there are more flaws to be found
here. From the man page fdmount (1), section 'bugs':

*     Probably  not  very  secure  yet (when running suid
      root).  Untested with ext and xia filesystems.

Using strncpy and vsnprintf would fix things.
Of course, you must be in group 'floppy' to exploit this.

aj
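The post's suggested fix, bounded copying with strncpy and bounded formatting with vsnprintf, as an added example that is not part of the original post or of fdmount's source. The function names (format_msg, message_fits, synthetic_path_fits, bounded_copy_len), the message text and the 80-byte size are assumptions chosen to mirror the msg() routine quoted above; the overlong mount point is constructed in the code.

```c
/* Added example: bounded replacements for the vsprintf()/strcpy() pattern in
 * fdmount's msg(). Not the project's code; names and sizes are illustrative. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define MSG_BUF 80   /* same size as buff[80] in the quoted msg() */

/* Bounded formatter: vsnprintf() writes at most outsz bytes including the
 * terminating NUL, so an overlong argument is truncated instead of running
 * past the end of the buffer. The return value is the length the complete
 * message would have had, which lets the caller notice truncation. */
int format_msg(char *out, size_t outsz, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    int needed = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    return needed;
}

/* Formats a "mount point does not exist" message into an 80-byte stack buffer.
 * Returns 1 if the whole message fit, 0 if vsnprintf() had to truncate it.
 * Either way the buffer is never overrun. */
int message_fits(const char *mountpoint) {
    char buff[MSG_BUF];
    int needed = format_msg(buff, sizeof buff,
                            "%s: mount point does not exist", mountpoint);
    return needed >= 0 && (size_t)needed < sizeof buff;
}

/* Builds a constructed mount point of n 'A' characters (clamped below 1024)
 * and reports whether the message fits; large n exercises the truncation path
 * that the unbounded vsprintf() version would turn into a stack overflow. */
int synthetic_path_fits(size_t n) {
    char path[1024];
    if (n >= sizeof path)
        n = sizeof path - 1;
    memset(path, 'A', n);
    path[n] = '\0';
    return message_fits(path);
}

/* Bounded copy of a device name into a fixed buffer of dstsz bytes (clamped
 * to 64 here). strncpy() does not NUL-terminate when the source fills the
 * buffer, so the terminator is written explicitly. Returns the stored length,
 * which is always at most dstsz - 1. */
size_t bounded_copy_len(size_t dstsz, const char *src) {
    char dst[64];
    if (dstsz == 0 || dstsz > sizeof dst)
        dstsz = sizeof dst;
    strncpy(dst, src, dstsz - 1);
    dst[dstsz - 1] = '\0';
    return strlen(dst);
}

int main(void) {
    printf("short path fits:  %d\n", message_fits("/mnt/floppy"));
    printf("600-byte path fits: %d\n", synthetic_path_fits(600));
    printf("copied length: %zu\n", bounded_copy_len(16, "/dev/fd0/this/is/a/long/name"));
    return 0;
}
```

Checking the return value of vsnprintf() is the part most often skipped: truncation is harmless for a diagnostic message, but the same pattern applied to a path or device name should be treated as an error rather than silently using the shortened string.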