Vulnerability Development mailing list archives

Re: usr/bin/newmail buffer overflow


From: honoriak <EGC () ARGEN NET>
Date: Mon, 12 Feb 2001 23:40:38 +0100

HeliSec - Helios Security and Administration

Kiss from HeliSec. We have been studying this buffer overflow in
/usr/bin/newmail and here you can see the conclusion.

I found a buffer overflow in /usr/bin/newmail (distributed with elm 2.5 PL3).
"newmail is a program to allow monitoring of mailboxes in an intelligent
fashion"
I tested it on my Linux box (RedHat 6.2). Look at this:

#newmail -w AAAA....x 7561
Segmentation Fault (core dumped)


newmail is not setuid, so the benefit of exploiting it should be null.

Besides, after examining the buffer to overwrite, I noticed it is a global
array of 25 structures. This array is accessed many times before returning to
main, and this causes the program to core dump before actually jumping to the
shellcode.

This is the strcpy I used:

  else {                  /* nope, let's get the basename of the file */
    for (cp = name + strlen(name); cp > name && *cp != '/'; cp--)
      /* backing up a bit... */ ;

    if (metachar(*cp)) cp++;
    if (*cp == '/') cp++;

    strcpy(folders[current_folder].prefix, cp);
  }


                _kiss_

HeliSec - Helios Security and Administration
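The following is an added example, not part of the post or of elm's source: it reproduces the basename loop from the quoted snippet and replaces the unchecked strcpy into the fixed-size prefix field with a bounded copy that refuses input that would not fit. The struct layout, PREFIX_LEN and LONG_NAME are assumptions chosen for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical layout modelled on the post: a global array of 25 folder
 * records, each with a fixed-size prefix buffer (elm's real sizes are not
 * on the page; PREFIX_LEN is an assumption). */
#define MAX_FOLDERS 25
#define PREFIX_LEN 64

struct folder {
    char prefix[PREFIX_LEN];
};

struct folder folders[MAX_FOLDERS];

/* Constructed oversized folder name (80 chars) standing in for the
 * "AAAA....x" argument shown in the post. */
const char LONG_NAME[] = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
                         "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

/* Same walk-back loop as the quoted newmail code: start at the
 * terminating NUL and back up until a '/' or the start of the string. */
static const char *folder_basename(const char *name)
{
    const char *cp = name + strlen(name);
    while (cp > name && *cp != '/')
        cp--;
    if (*cp == '/')
        cp++;
    return cp;
}

/* Bounded replacement for strcpy(folders[i].prefix, cp). Returns 0 on
 * success, -1 if the index is out of range or the basename would not
 * fit; on -1 the record is left untouched instead of overflowing. */
int set_folder_prefix(int idx, const char *name)
{
    if (idx < 0 || idx >= MAX_FOLDERS)
        return -1;
    const char *cp = folder_basename(name);
    size_t n = strlen(cp);
    if (n >= PREFIX_LEN)
        return -1;
    memcpy(folders[idx].prefix, cp, n + 1);   /* copies the NUL too */
    return 0;
}

int main(void)
{
    printf("short: %d\n", set_folder_prefix(0, "/var/spool/mail/user"));
    printf("long:  %d\n", set_folder_prefix(1, LONG_NAME));
    printf("index: %d\n", set_folder_prefix(MAX_FOLDERS, "x"));
    return 0;
}
```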

