Local buffer overflow on Aeon<=0.2a

[<patr0n () nm ru>]

#######################################################################

Application:  Aeon
              http://www.abenetkiewicz.neostrada.pl
Versions:     <= 0.2a
Platforms:    Linux
Bug:          buffer-overflow
Exploitation: local
Date:         04 Apr 2005
Author:       patr0n
              e-mail: patr0n () nm ru
              web:    http://security-tmp.h14.ru

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Aeon is mail relay agent for Linux. It uses only personal configuration 
files, it does not have any support for aliases, groupmail etc. 
No advanced technology included :) It is not a daemon, it just takes 
the message from MUA and relays it to your smtp server. Nothing more, 
nothing less.

#######################################################################

======
2) Bug
======

The application is affected by a buffer-overflow in the function 
getConfig().
This function uses a strcpy() with a local buffer of 512 bytes where
it stores the text from environment HOME.

lib_aeon.c:
//--------------cut------------------

int getConfig(char settings[MAX_SETTINGS][MAX_LEN])
{
        char home[MAX_LEN];
//...................................
strcpy(home, getenv("HOME"));
        
//--------------cut------------------

The result is that an attacker could raise his privileges.

#######################################################################

===========
3) The Code
===========

You can view POC code from 
http://security-tmp.h14.ru/exploits/23laeon.c.txt

#######################################################################

======
4) Fix
======

No fix.

#######################################################################

--- 
patr0n
http://security-tmp.h14.ru