Vulnerability Development mailing list archives
IMAPrev1 v12.250 - Local BOF under Linux
From: morpheusbd () GMX NET (Morpheus)
Date: Fri, 26 May 2000 19:07:35 +0200
Yesterday I found something strange in the IMAP daemon. I'm not sure if it is already a known bug, but as far as I know this is new. There is a buffer overflow in IMAPrev1 version 12.250. I exported the HOME variable with about 1103 (arbitrary) chars. (Your shell probably needs more characters.) Something like this (on a NON-root shell):

$ export HOME=`perl -e 'print "a" x 1110'`
$ /usr/sbin/imapd

And it gave me "Speicherzugriffsfehler" (a Seg Fault). I've tested it under the SuSE 6.0/6.3 Linux distribution. On my distribution the imap daemon is neither SUID root nor SGID root, but in my opinion a bug is a bug! Afterwards I debugged it with gdb and it revealed that there has to be a local buffer overflow regarding the HOME variable (the EIP was overwritten). I'm currently trying to write exploit code for this.

regards,
Morpheus
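The crash pattern the post describes, beside its hardened counterpart, as an added example: this is not the imapd/c-client source and assumes nothing about how the real daemon builds paths. It shows a fixed-size stack buffer filled from the HOME environment variable with no length check, and a version that rejects a missing or oversize value before any copy happens. The buffer size HOME_BUF, the function names and the "/mbox" suffix are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HOME_BUF 1024   /* constructed size for illustration, not imapd's */

/* Pattern that produces the crash described in the post: an unbounded copy of
 * an environment variable into a fixed-size stack buffer. When strlen(home)
 * reaches HOME_BUF the copy runs past tmp and overwrites what follows on the
 * stack, which is how a saved return address (EIP) ends up clobbered.
 * Illustrative only; not the daemon's code. */
int build_mailbox_path_unsafe(const char *home, char *out, size_t outsz)
{
    char tmp[HOME_BUF];
    strcpy(tmp, home);                      /* no length check at all */
    snprintf(out, outsz, "%s/mbox", tmp);
    return 0;
}

/* Hardened form: validate length before touching any buffer, treat a missing,
 * empty or oversize value as an error, and use only bounded copies.
 * Returns 0 on success, -1 on rejection. */
int build_mailbox_path_safe(const char *home, char *out, size_t outsz)
{
    if (home == NULL)
        return -1;                          /* HOME not set: refuse, don't guess */
    size_t n = strlen(home);
    if (n == 0 || n >= HOME_BUF)
        return -1;                          /* reject oversize input up front */
    if (n + strlen("/mbox") + 1 > outsz)
        return -1;                          /* destination too small for result + NUL */
    memcpy(out, home, n);
    memcpy(out + n, "/mbox", sizeof("/mbox")); /* sizeof includes the terminating NUL */
    return 0;
}

/* Reads HOME from the process environment the way a daemon would and builds
 * the path with the checked routine. */
int mailbox_from_env(char *out, size_t outsz)
{
    return build_mailbox_path_safe(getenv("HOME"), out, outsz);
}

int main(void)
{
    char path[HOME_BUF + 16];
    if (mailbox_from_env(path, sizeof path) == 0)
        printf("mailbox: %s\n", path);
    else
        fprintf(stderr, "HOME missing or too long; refusing to continue\n");
    return 0;
}
```

The safe routine fails closed: a 1110-character HOME like the one in the post is rejected with an error instead of being copied, so the daemon logs a refusal rather than dying with a segmentation fault.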