Bugtraq mailing list archives
Multiply bugs in MH-6.8.3 (Mail Handler program)
From: shok () COBRA ONLINEX NET (Matt Conover)
Date: Sat, 26 Jul 1997 18:08:00 -0600
Okay, there is an overflow in MH-6.8.3, which is suid, which I THINK (not sure) is installed, at least in Redhat 4.1+, by default (I think this is installed within the mail package regardless of distribution, but I never specifically installed it). This actually has a few overflows (I haven't actually tested this but it looks quite obvious, you'll have to test it yourself). The only one I'm going to describe is the program 'msgchk', which is suid (on my server it's installed by default in /usr/bin/mh/msgchk (in function checkmail); you would also want to check /usr/lib/mh/msgchk). (You ought to look through the code yourself.. I notice quite a few bugs.. this program relies heavily on buffers and environmental variables.) This is pretty straightforward.

    char *hdir, buf[BUFSIZ], *tmp;
                ^^^^^^^^ not sure the exact value.. check the *.h files.. for test purposes, if you try to overflow this... just use a size of 9999, just to see if it segfaults.

    hdir = getenv("HOME");
    if (hdir == NULL)
        hdir = ".";
    (void) sprintf(buf, "%s/.netrc", hdir);

Obviously it never even checks the value of hdir.. so export your home directory to something very large (if this doesn't work, they still disobeyed something that libc specifically says not to do... they say to use (can't remember the exact function) _secure_getenv, _securelib_getenv (??), something like that.. and they also said NOT to define it to set the HOME to "." (the current path) for reasons that someone could link .netrc to something and since it's suid... test this yourself.. I don't have too much time.

Matt Conover (shok () onlinex net -- Shok).
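The following C is an added example written for this archive page; it is not code from the post above and not code from MH or msgchk. It takes the quoted `sprintf(buf, "%s/.netrc", hdir)` pattern and shows (a) a check that computes how many bytes a given HOME value pushes past a BUFSIZ-byte buffer, which is the thing to measure before trying the "9999" test the post suggests, and (b) a bounded replacement that refuses an oversized path instead of truncating it, and that ignores $HOME altogether when real and effective ids differ, falling back to the password-database entry for the real uid rather than to ".". The function names (`netrc_overflow_bytes`, `build_netrc_path`, `choose_home`, `privileges_elevated`) are mine, and BUFSIZ is simply the stdio.h constant of whatever system compiles this, not necessarily the value MH used in 1997.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <pwd.h>

/* Size of the target buffer in the quoted msgchk snippet: buf[BUFSIZ]. */
#define NETRC_BUF BUFSIZ
#define NETRC_SUFFIX "/.netrc"

/* Given a candidate $HOME value, return how many bytes
 *   sprintf(buf, "%s/.netrc", hdir)
 * would write past the end of a NETRC_BUF-byte buffer (0 means it fits).
 * The +1 accounts for the terminating NUL, which sprintf also writes. */
size_t netrc_overflow_bytes(const char *hdir) {
    size_t need = strlen(hdir) + strlen(NETRC_SUFFIX) + 1;
    return need > NETRC_BUF ? need - NETRC_BUF : 0;
}

/* Hardened replacement for the sprintf: bounded write, and a path that
 * does not fit is rejected outright rather than silently truncated
 * (a truncated ".netrc" path could point somewhere unexpected).
 * Returns 0 on success, -1 on bad arguments, -2 if the path does not fit. */
int build_netrc_path(const char *hdir, char *out, size_t outlen) {
    if (hdir == NULL || out == NULL || outlen == 0) return -1;
    int n = snprintf(out, outlen, "%s%s", hdir, NETRC_SUFFIX);
    if (n < 0) return -1;
    if ((size_t)n >= outlen) { out[0] = '\0'; return -2; }
    return 0;
}

/* Nonzero when the process runs with privileges that differ from the
 * invoking user's, i.e. when environment variables are attacker-controlled. */
int privileges_elevated(void) {
    return getuid() != geteuid() || getgid() != getegid();
}

/* Pick the directory a setuid program may treat as "home".
 *   home_env : value of $HOME, may be NULL
 *   elevated : result of privileges_elevated()
 *   pw_dir   : home directory from the password database for the REAL uid
 * $HOME is only honoured when not elevated and when it is absolute.
 * Never falls back to ".": for a setuid program the cwd is chosen by the
 * caller, who can plant a symlinked .netrc there. Returns NULL if nothing
 * trustworthy is available, so the caller can refuse to read .netrc at all. */
const char *choose_home(const char *home_env, int elevated, const char *pw_dir) {
    if (!elevated && home_env != NULL && home_env[0] == '/') return home_env;
    if (pw_dir != NULL && pw_dir[0] == '/') return pw_dir;
    return NULL;
}

int main(void) {
    /* Constructed input: a 9999-byte HOME, the size the post suggests trying. */
    char *big = malloc(10000);
    if (big == NULL) return 1;
    memset(big, 'A', 9999);
    big[9999] = '\0';
    printf("HOME of 9999 bytes overflows buf[%d] by %zu bytes\n",
           NETRC_BUF, netrc_overflow_bytes(big));
    free(big);

    /* Hardened path resolution for the current process. */
    struct passwd *pw = getpwuid(getuid());
    const char *home = choose_home(getenv("HOME"), privileges_elevated(),
                                   pw ? pw->pw_dir : NULL);
    if (home == NULL) {
        fputs("no trustworthy home directory; not reading .netrc\n", stderr);
        return 1;
    }
    char path[NETRC_BUF];
    int rc = build_netrc_path(home, path, sizeof path);
    if (rc != 0) {
        fprintf(stderr, "home directory too long for .netrc path (rc=%d)\n", rc);
        return 1;
    }
    printf("%s\n", path);
    return 0;
}
```

The uid/gid comparison in `privileges_elevated` is the portable way to make the decision; on glibc 2.17 and later, `secure_getenv(3)` (formerly `__secure_getenv`) does the same job by returning NULL whenever the process is running with AT_SECURE set, which is presumably the libc function the post is trying to recall.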
Current thread:
- Multiply bugs in MH-6.8.3 (Mail Handler program) Matt Conover (Jul 26)
- Re: Multiply bugs in MH-6.8.3 (Mail Handler program) nolander () NOLANDER PP SE (Jul 28)
- Re: Multiply bugs in MH-6.8.3 (Mail Handler program) Alan Cox (Jul 28)
- Re: Multiply bugs in MH-6.8.3 (Mail Handler program) Matt Conover (Jul 28)
- bind security: fear, uncertainty, and doubts Paul A Vixie (Jul 28)
- Re: Multiply bugs in MH-6.8.3 (Mail Handler program) nolander () NOLANDER PP SE (Jul 28)