Vulnerability Development mailing list archives
sendmail ;o)
From: sgp () TELSATGP COM PL (Slawek)
Date: Wed, 12 Jul 2000 11:54:01 +0200
Hello,

Well, I would be grateful if somebody could tell me if I'm correct in this simple analysis.

In fact I've started from checking the source code of finger on OpenBSD 2.7 and I've found there an interesting function (in util.c) called expandusername. This function is probably broken and could be exploited if it were invoked with a small output buffer - fortunately this buffer is always 1024 long and this is too long to be overflowed ;) (user names are limited to 8 chars there)

But .. after a while I've decided to follow the line

/* inspired by usr.sbin/sendmail/util.c::buildfname */

and check how it is invoked in sendmail ;) (I'm not using sendmail but .. just curious)

The function (in sendmail 8.10.1, not sure about the other versions) looks like this:

---- start ----
void
buildfname(gecos, user, buf, buflen)
    register char *gecos;
    char *user;
    char *buf;
    int buflen;
{
    register char *p;
    register char *bp = buf;

    if (*gecos == '*')
        gecos++;

    /* copy gecos, interpolating & to be full name */
    for (p = gecos; *p != '\0' && *p != ',' && *p != ';' && *p != '%'; p++)
    {
        if (bp >= &buf[buflen - 1])
        {
            /* buffer overflow -- just use login name */
            snprintf(buf, buflen, "%s", user);
            return;
        }
        if (*p == '&')
        {
            /* interpolate full name */
            snprintf(bp, buflen - (bp - buf), "%s", user);
            *bp = toupper(*bp);
            bp += strlen(bp);
        }
        else
            *bp++ = *p;
    }
    *bp = '\0';
}
---- end ----

Well it's about the same as in finger - even "better" ;) .. snprintf does not null terminate :)

This time it is invoked with a destination buffer of MAXNAME+1 (256+1) bytes in the function called "recipient" .. and in "finduser" .. and in some more places ..

The trick is to use _many_ &'s in the user name (chfn allows normal users to do this on themselves). After this snprintf will not null terminate and the data following just after the buffer will get "toupper'd". Are there pointers following output buffers ? :))

Unfortunately I've got no time to do some more investigation, but it looks like a local user could change his username to do some "strange" things in sendmail ;) I'm not sure if it's exploitable in any way. I'm almost sure an attacker could locally segfault sendmail by changing his own username and sending an email to himself, but don't know if something more is possible. Well, in fact I didn't even check if this code is invoked with UID=0.

I hope somebody has got more time and would like to play with it :))

Bye,
Slawek
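The buildfname() walk-through above, as an added harness (example code, not part of Slawek's post or of sendmail): it copies the quoted function, runs it against a GECOS field made of many '&' characters, and surrounds the output buffer with guard bytes so the reader can see whether anything past buf[buflen-1] was written and whether a NUL landed inside the buffer. The result depends on the host libc's snprintf(), which is exactly the point in dispute in the post; with a C99-conformant snprintf the traced values below are what you get. The names run_case, expands_to, ampersand_case, the 32-byte buffer size and the sample GECOS strings are all constructed for this example; sendmail's real callers use MAXNAME+1 (257) bytes as the post says.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAXNAME    256   /* sendmail's MAXNAME; buildfname is called with MAXNAME+1 */
#define MAX_BUFLEN 512   /* harness limit, not a sendmail value */
#define GUARD      16    /* bytes of 0xAA placed just past the output buffer */
#define GUARD_BYTE 0xAA

/* buildfname() as quoted in the post (sendmail 8.10.1), with an ANSI prototype
 * and an unsigned-char cast on toupper(); the logic is otherwise unchanged. */
static void buildfname(const char *gecos, const char *user, char *buf, int buflen)
{
    const char *p;
    char *bp = buf;

    if (*gecos == '*')
        gecos++;

    /* copy gecos, interpolating & to be full name */
    for (p = gecos; *p != '\0' && *p != ',' && *p != ';' && *p != '%'; p++) {
        if (bp >= &buf[buflen - 1]) {
            /* buffer overflow -- just use login name */
            snprintf(buf, buflen, "%s", user);
            return;
        }
        if (*p == '&') {
            /* interpolate full name */
            snprintf(bp, buflen - (bp - buf), "%s", user);
            *bp = toupper((unsigned char)*bp);
            bp += strlen(bp);
        } else
            *bp++ = *p;
    }
    *bp = '\0';
}

struct result {
    char out[MAX_BUFLEN];  /* resulting string (empty if no NUL was found in bounds) */
    int guard_intact;      /* 1 if nothing past buf[buflen-1] was written */
    int nul_in_bounds;     /* 1 if a NUL exists within buf[0..buflen-1] */
};

/* Run buildfname() into a buflen-byte buffer followed by GUARD bytes of 0xAA,
 * then report what happened to the bytes past its end. */
static struct result run_case(const char *gecos, const char *user, int buflen)
{
    unsigned char arena[MAX_BUFLEN + GUARD];
    char *buf = (char *)arena;
    struct result r;
    int i;

    if (buflen > MAX_BUFLEN)
        buflen = MAX_BUFLEN;
    memset(arena, GUARD_BYTE, sizeof arena);
    buildfname(gecos, user, buf, buflen);

    r.guard_intact = 1;
    for (i = buflen; i < buflen + GUARD; i++)
        if (arena[i] != GUARD_BYTE)
            r.guard_intact = 0;
    r.nul_in_bounds = memchr(buf, '\0', (size_t)buflen) != NULL;
    if (r.nul_in_bounds)
        snprintf(r.out, sizeof r.out, "%s", buf);
    else
        r.out[0] = '\0';
    return r;
}

/* 1 when the result equals expect, stayed in bounds and was NUL-terminated. */
static int expands_to(const char *gecos, const char *user, int buflen, const char *expect)
{
    struct result r = run_case(gecos, user, buflen);
    return r.guard_intact && r.nul_in_bounds && strcmp(r.out, expect) == 0;
}

/* The post's scenario: a GECOS field of n_amps '&' characters (settable by an
 * ordinary user with chfn), expanded into a buflen-byte buffer. */
static int ampersand_case(int n_amps, const char *user, int buflen, const char *expect)
{
    char gecos[MAX_BUFLEN];

    if (n_amps > MAX_BUFLEN - 1)
        n_amps = MAX_BUFLEN - 1;
    memset(gecos, '&', (size_t)n_amps);
    gecos[n_amps] = '\0';
    return expands_to(gecos, user, buflen, expect);
}

int main(void)
{
    /* normal interpolation and the ',' terminator, at sendmail's real size */
    printf("%d\n", expands_to("& The Hacker", "slawek", MAXNAME + 1, "Slawek The Hacker"));
    printf("%d\n", expands_to("*Slawek Kowalski,Room 1,555", "slawek", MAXNAME + 1, "Slawek Kowalski"));
    /* 40 ampersands into 32 bytes: watch the guard bytes and the fallback */
    struct result r = run_case("&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&", "slawek", 32);
    printf("guard intact=%d nul in bounds=%d result=\"%s\"\n",
           r.guard_intact, r.nul_in_bounds, r.out);
    return 0;
}
```

Tracing the 32-byte case by hand: five expansions of "slawek" advance bp to buf+30, the sixth snprintf() is given a size of 2 and (on a C99 libc) writes "s\0" at buf[30..31], and on the next pass the `bp >= &buf[buflen - 1]` check fires and the whole buffer is replaced by the login name. A libc whose snprintf() does not write the terminator would show up here as nul_in_bounds == 0 or a disturbed guard, which is the behaviour the post is worried about.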
Current thread:
- sendmail ;o) Slawek (Jul 12)
- Re: sendmail ;o) Daniel Jacobowitz (Jul 12)
- Re: sendmail ;o) Slawek (Jul 13)
- Re: sendmail ;o) Gregory Neil Shapiro (Jul 16)
- Re: sendmail ;o) Kev (Jul 17)
- Re: sendmail ;o) Slawek (Jul 13)
- Re: sendmail ;o) Kev (Jul 13)
- Re: sendmail ;o) Daniel Jacobowitz (Jul 12)