Date: Mon, 22 May 2000 11:51:43 -0000
From: Arend-Jan Wijtzes <aj@AJ.NU>
Subject: fdmount buffer overflow
To: BUGTRAQ@SECURITYFOCUS.COM

I searched the archives and did not find this one.

Program : fdmount
Version : 0.8
OS      : linux Slackware 7.0 (maybe others)

This program is normally only executable by members of group 'floppy' and installed suid-root by default.

Bug Details:

    #include <stdio.h>
    #include <stdarg.h>

    /* progname and curdev are globals of fdmount, defined elsewhere in the program */
    void msg(char *text,...)
    {
        char buff[80];
        va_list p;

        va_start(p,text);
        vsprintf(buff,text,p);      /* unbounded write into the 80-byte stack buffer */
        va_end(p);
        printf("%s (%s): %s\n",progname,curdev,buff);
    }

It can, for example, be overflowed with a large enough non-existing mountpoint parameter:

    fdmount fd0 /bla/bla/bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla/
    Segmentation fault

It seems a simple exercise to exploit this. The whole program's code is bad news for security, and it would not surprise me if there are more flaws to be found here.

From the man page fdmount (1), section 'bugs':

    * Probably not very secure yet (when running suid root). Untested with ext and xia filesystems.

Using strncpy and vsnprintf would fix things.

Of course, you must be in group 'floppy' to exploit this.

aj
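A bounded rewrite of msg() along the lines the post suggests (vsnprintf in place of vsprintf), as an added example that is not part of the original post or of fdmount's code. The progname/curdev values, the message text and the report_mountpoint() helper are assumptions made for the example; only the 80-byte buffer and the printf layout come from the posted snippet.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins for fdmount's globals used by msg(); names from the posted
 * snippet, values constructed for this example. */
static const char *progname = "fdmount";
static const char *curdev = "fd0";

/* Bounded rewrite of the posted msg(): vsnprintf cannot write past buff[79],
 * and it returns the length the message would have had, so the caller can
 * detect truncation instead of getting a smashed stack. The finished line
 * goes to 'out' so it can be inspected rather than only printed. */
int msg_bounded(char *out, size_t outsz, const char *text, ...)
{
    char buff[80];
    va_list p;
    int needed;
    va_start(p, text);
    needed = vsnprintf(buff, sizeof buff, text, p);
    va_end(p);
    snprintf(out, outsz, "%s (%s): %s%s", progname, curdev, buff,
             needed >= (int)sizeof buff ? " [message truncated]" : "");
    return needed;
}

/* Feeds msg_bounded() a mountpoint of 'segments' copies of "/bla", the shape
 * of the argument in the post (constructed input). Returns the untruncated length. */
int report_mountpoint(char *out, size_t outsz, int segments)
{
    char path[1024] = "";
    size_t len = 0;
    while (segments-- > 0 && len + 4 < sizeof path) {
        memcpy(path + len, "/bla", 5);   /* 4 chars plus terminator */
        len += 4;
    }
    return msg_bounded(out, outsz, "%s: No such directory", path);
}

int main(void)
{
    char line[256];
    report_mountpoint(line, sizeof line, 3);    /* fits in buff */
    puts(line);
    report_mountpoint(line, sizeof line, 200);  /* would have overflowed msg() */
    puts(line);
    return 0;
}
```

The second call hands msg_bounded() an 800-byte path; the return value (819) is larger than the buffer, the output line is marked as truncated, and nothing is written outside buff.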