Bugtraq mailing list archives

Re: security hole in mailx

From: smm () WPI EDU (Seth McGann)
Date: Thu, 25 Jun 1998 14:35:59 -0400


At 06:19 6/25/98 +0200, you wrote:
[snip]

Here we go. By the way, although in Linux 2000 "A"s are enough,
in Solaris you'll need more (10000 worked for me). I've verified
that Debian GNU/Linux (package mailx-8.1.1-9 and previous) is
vulnerable. Solaris 5.5.1 and 5.6 (mailx 5.0) also seem vulnerable
after a couple of quick tests, but I haven't been able to
check the return address due to lack of a root access to any
Solaris, so I'm not 100% sure.

[snip]

I assume you cannot retrieve the return address because the core dump
cannot be read by you, since mailx is sgid.  There are couple ways around
this.  First, copy the mailx binary to your home directory and run it with
the necessary amount of garbage and examine the core dump.  Some overflows
will not dump core so you need to use a different technique:

1. gdb mailx
2. run perl -e '.......'
3. Examine the results as the program dies and gdb catches the signal.

Obviously, this wont work with a program that bails before the overflow
because it sees it doesn't have enough privilege.

Another useful technique when examining programs that neither dump core,
and cannot be started from the command line (well, they probably could, but
this way is easier) is the process attachment feature of gdb.  Services
started out of inetd can be easily debugged using this method:

1.  In terminal 1 start up the service by connecting to it (I prefer
netcat, but whatever).
2.  In terminal 2, do a ps to retrieve the pid of the offending service.
3.  gdb /path/to/bad/service pidofservice.
4.  gdb will break the process on attachment so give it a 'continue' to
keep going.
5.  Do the deed in terminal 1.
6.  Watch the fireworks in terminal 2, and see exactly what happened.

Since you can only attach to process you own, you'd have to be root to do
this with inetd type services.

On another note, I think it would be a great display of civil disobedience
to continue publishing this list if the WIPO bill is passed.


Seth M. McGann / smm () wpi edu        "Security is making it
http://www.wpi.edu/~smm              to the bathroom in time."
KeyID: 2048/1024/E2501C80
Fingerprint 3344 DFA2 8E4A 977B 63A7  19E3 6AF7 4AE7 E250 1C80

Current thread:

Re: guestbook script is still vulnerable under apache, (continued)
- - - Re: guestbook script is still vulnerable under apache Theo Van Dinter (Jun 25)
    - Re: guestbook script is still vulnerable under apache Andru Luvisi (Jun 25)
    - Re: guestbook script is still vulnerable under apache Lincoln Stein (Jun 26)
    - dip-3.3.7p exploit (stackpatch_ Thomas Troeger (Jun 26)
    - And another qpopper overflow (does this make 3?) Aaron D. Gifford (Jun 28)
    - Re: dip-3.3.7p exploit (stackpatch_ M.C.Mar (Jun 28)
    - WIPO Bill Aleph One (Jun 25)
    - Re: guestbook script is still vulnerable under apache Dean Gaudet (Jun 25)
    - Re: guestbook script is still vulnerable under apache Lars Eilebrecht (Jun 25)
    - Re: guestbook script is still vulnerable under apache Andrew Clegg (Jun 26)
    - Re: security hole in mailx Seth McGann (Jun 25)