Bugtraq mailing list archives
Pine _again_ :)
From: chris () FERRET LMH OX AC UK (Chris Evans)
Date: Mon, 8 Feb 1999 21:19:29 +0000
Hi,

PINE seems to be flavour of the month so I'll add to Michal's post. This is much less serious than Michal's problem but probably noteworthy anyway.

PINE can be made to crash if /var/spool/mail/<who> contains a line along the lines of "From AAAAAAAAAAAA" where the A's number ~10000. If you are lucky your MTA will truncate this line safely, preventing remote exploit.

I discovered this by "accident" playing with procmail locally - procmail places no limits on what junk you can inject into other people's mailboxes.

The affected pine version is 4.04 as comes with RedHat 5.2. Pine 4.10 untested. If someone wants to test it and can't get it to work contact me for a ready-made MBOX file.

To get the crash to happen I _think_ the message has to be viewed. But that's what people tend to do with mail ;-) The actual crash occurs when the product exits. The overflow isn't onto the stack but there are definite exploit opportunities. On i386 and 100,000 A's, the core dump indicates edi=0x41414141 which suggests we can copy data to an arbitrary location in virtual memory.

Cheers
Chris
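
A defensive check for the condition described in the post above, as an added example that is not part of the original message: it scans a mailbox file for lines beginning with "From " that exceed a length limit. The 1024-byte limit, the function name `scan_mbox` and the sample mailbox are assumptions made for illustration.

```python
import sys

# Assumed limit: real "From " separators (address plus date) are short; the
# post reports the crash at roughly 10000 characters.
MAX_FROM_LINE = 1024

def scan_mbox(stream, max_len=MAX_FROM_LINE, chunk=4096):
    """Return [(line_number, length)] for "From " lines longer than max_len.

    stream is a binary file object. Lines are read in bounded chunks, so an
    oversized line is measured without being held in memory whole.
    """
    findings = []
    line_no = 0
    while True:
        piece = stream.readline(chunk)
        if not piece:
            break
        line_no += 1
        is_from = piece.startswith(b"From ")
        length = len(piece)
        # Keep reading until this physical line ends (or the file does).
        while not piece.endswith(b"\n"):
            piece = stream.readline(chunk)
            if not piece:
                break
            length += len(piece)
        if piece.endswith(b"\n"):
            length -= 1  # do not count the line terminator
        # Any line starting with "From " is checked, not only those after a
        # blank line, since the post does not say the position matters.
        if is_from and length > max_len:
            findings.append((line_no, length))
    return findings

# Constructed sample mailbox: one ordinary message, one oversized "From " line.
SAMPLE = (
    b"From alice@example.org Mon Feb  8 21:19:29 1999\n"
    b"Subject: ok\n\nbody\n\n"
    b"From " + b"A" * 10000 + b"\n"
    b"Subject: oversized\n\nbody\n"
)

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            for line_no, length in scan_mbox(fh):
                print(f"{path}:{line_no}: 'From ' line of {length} bytes")
```

Run it with one or more mailbox paths as arguments; each reported line number can then be inspected before the mailbox is opened in a mail client.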