Full Disclosure mailing list archives
[RETRO AUDITING] Elm remote buffer overflow in Expires header
From: Ulf Harnhammar <metaur () telia com>
Date: Sat, 20 Aug 2005 13:07:28 +0200
Elm ( http://www.instinct.org/elm/ ) is a console-based e-mail application. It suffers from a remotely exploitable buffer overflow when parsing the Expires header of an e-mail message. The attacker only needs to send the victim an e-mail message. When the victim with that message in his or her inbox starts Elm or simply views the inbox in an already started copy of Elm, the buffer overflow will happen immediately. The overflow is stack-based, and it gives full control over EIP, EBP and EBX. It is caused by a bad sscanf(3) call, using a format string containing "%s" to copy from a long char array to a shorter array. This vulnerability affects at least the versions 2.5 PL7, 2.5 PL6, 2.5 PL5 and possibly others as well. It does not affect Elm ME+ or the newly released Elm 2.5 PL8, available at ftp://ftp.virginia.edu/pub/elm/ . I have attached a patch (against Elm 2.5 PL7) and a test message that exhibits this problem. // Ulf Harnhammar
Attachment:
elm-data.tar.gz
Description:
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- [RETRO AUDITING] Elm remote buffer overflow in Expires header Ulf Harnhammar (Aug 20)