Bugtraq mailing list archives
Re: security hole in mailx
From: alvaro () lander es (Alvaro Martinez Echevarria)
Date: Fri, 26 Jun 1998 06:12:11 +0200
On Thu, 25 Jun 1998, Casper Dik wrote:
> It should be noted that homedir itself, at least on Solaris, is a char homedir[PATHSIZE] which is copied from the environment. (This never ceases to amaze me; why *copy* the result from getenv()?) You'd want to fix the overflow of homedir too; looks like there are a few other overflows as well.
Under the Linux sources, homedir is a char *, that is malloc'ed and filled from the environment variable value. A nice way to waste some CPU, yeah. By the way, assuming that homedir is a global variable in Solaris, that could be the reason why the overflow doesn't seem to reach the stack (such has been reported to me in several messages). But that may have changed in the last version: a 5.6 mailx with the latest patches applied dies by "Bus Error" (as reported by Jared Buntain) instead of "Segmentation Fault". I haven't checked it, but it sounds to me like a stack overflow.
> I don't particularly care for arguments such as "seem exploitable". The homedir data segment buffer overflow may well be exploitable; in the Solaris sources, there is at least one other buffer overflow on the stack.
Of course, the patch I sent addresses all the buffer overflows I detected after a quick inspection. Not only the "seems exploitable" one.

Regards.

.------------------------------------------------------------------.
| Alvaro Martínez Echevarría     | LANDER SISTEMAS                 |
| alvaro () lander es            | Pº Castellana, 121              |
`--------------------------------| 28046 Madrid, SPAIN             |
                                 | Tel: +34-91-5562883             |
                                 | Fax: +34-91-5563001             |
                                 `---------------------------------'
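The two layouts the thread contrasts, as an added example that is not mailx code and is not part of the original message: a fixed global homedir buffer filled from the environment with an unchecked strcpy (the Solaris shape the messages describe), beside a length-checked copy that refuses values which would not fit, and an allocate-exactly copy (the Linux shape). The value of PATHSIZE, the function names and the sample paths are assumptions made for this illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed buffer size for the illustration; not taken from any mailx source. */
#define PATHSIZE 256

/* Global (data-segment) buffer, the shape the thread describes for Solaris.
 * An overflow here corrupts neighbouring globals rather than the stack,
 * which is why it can crash differently from a stack overflow. */
static char homedir[PATHSIZE];

/* Vulnerable shape from the discussion, kept as the "before": the
 * environment value is copied with no length check, so any value of
 * PATHSIZE bytes or more writes past the end of homedir. Never call this
 * with untrusted input. */
void set_homedir_unchecked(const char *value)
{
    strcpy(homedir, value);
}

/* Hardened replacement: refuse values that do not fit together with the
 * terminating NUL. Returns 0 on success and -1 on rejection, in which
 * case homedir is left untouched. */
int set_homedir_checked(const char *value)
{
    size_t len;

    if (value == NULL)
        return -1;
    len = strlen(value);
    if (len >= PATHSIZE)          /* one byte must remain for the NUL */
        return -1;
    memcpy(homedir, value, len + 1);
    return 0;
}

/* The Linux shape: allocate exactly what the value needs. The caller owns
 * the returned memory. Returns NULL for a missing value or on allocation
 * failure. (Equivalent to strdup, spelled out to stay within ISO C.) */
char *homedir_dup(const char *value)
{
    size_t len;
    char *copy;

    if (value == NULL)
        return NULL;
    len = strlen(value);
    copy = malloc(len + 1);
    if (copy == NULL)
        return NULL;
    memcpy(copy, value, len + 1);
    return copy;
}

int main(void)
{
    const char *home = getenv("HOME");
    char *dup;

    if (set_homedir_checked(home) != 0) {
        fprintf(stderr, "HOME is unset or longer than %d bytes; refusing it\n",
                PATHSIZE - 1);
        return 1;
    }
    printf("homedir (fixed buffer) = %s\n", homedir);

    dup = homedir_dup(home);
    if (dup != NULL) {
        printf("homedir (allocated)    = %s\n", dup);
        free(dup);
    }
    return 0;
}
```

The checked version fails closed: an oversized HOME is rejected rather than truncated, so a later path built from homedir can never be a silently shortened prefix of what the user set.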