Vulnerability Development mailing list archives
Re: usr/bin/newmail buffer overflow
From: honoriak <EGC () ARGEN NET>
Date: Mon, 12 Feb 2001 23:40:38 +0100
HeliSec - Helios Security and Administration

Kiss from HeliSec. We have been studying this buffer overflow in /usr/bin/newmail, and here you can see the conclusion.

> I found a buffer overflow in /usr/bin/newmail (distributed with elm 2.5 PL3).
> "newmail is a program to allow monitoring of mailboxes in an intelligent
> fashion." I tested it on my Linux box (RedHat 6.2). Look at this:
>
> # newmail -w AAAA....x 7561
> Segmentation fault (core dumped)

newmail is not setuid, so the benefit from exploiting it should be null. Besides, after examining the buffer to overwrite, I noticed it is a global array of 25 structures. This array is accessed many times before returning to main, and this causes the program to core dump before actually jumping to the shellcode.

This is the strcpy I used:

    else {
        /* nope, let's get the basename of the file */
        for (cp = name + strlen(name); cp > name && *cp != '/'; cp--)
            /* backing up a bit... */ ;
        if (metachar(*cp))
            cp++;
        if (*cp == '/')
            cp++;
        strcpy(folders[current_folder].prefix, cp);
    }

_kiss_
HeliSec - Helios Security and Administration
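As an added illustration (this is not part of the original message and not elm's source), the following C program models the pattern the post describes: a global array of folder records with a fixed-size prefix field, the same backwards basename scan, and the unbounded strcpy placed beside a bounded replacement that refuses input which would not fit. The struct layout, the PREFIX_LEN value of 32, MAX_FOLDERS as 25 and all function names are assumptions for the example; elm's metachar() check is omitted.

```c
#include <stdio.h>
#include <string.h>

/* Modelled on the post's description: a global array of 25 folder records,
 * each with a fixed-size prefix. PREFIX_LEN = 32 and the struct layout are
 * assumptions for this example, not elm's actual definitions. */
#define MAX_FOLDERS 25
#define PREFIX_LEN  32

struct folder {
    char prefix[PREFIX_LEN];
    long last_size;
};

struct folder folders[MAX_FOLDERS];   /* zero-initialised global, as in C */

/* Return a pointer to the basename component of name, using the same
 * backwards scan as the quoted newmail code (metachar() handling omitted).
 * "/var/spool/mail/user" -> "user", "user" -> "user", "/" -> "". */
const char *folder_basename(const char *name)
{
    const char *cp;
    for (cp = name + strlen(name); cp > name && *cp != '/'; cp--)
        ;                               /* backing up to the last '/' */
    if (*cp == '/')
        cp++;
    return cp;
}

/* Vulnerable form: unbounded strcpy into the fixed-size prefix, exactly the
 * defect the post points at. Never call this with untrusted input. */
void set_prefix_unsafe(int idx, const char *name)
{
    strcpy(folders[idx].prefix, folder_basename(name));
}

/* Hardened form: validate the index and refuse (rather than silently
 * truncate) any basename that does not fit, leaving the record untouched.
 * Returns 0 on success, -1 for a bad index, -2 for an oversized name. */
int set_prefix_safe(int idx, const char *name)
{
    const char *base;
    size_t len;

    if (idx < 0 || idx >= MAX_FOLDERS)
        return -1;
    base = folder_basename(name);
    len = strlen(base);
    if (len >= PREFIX_LEN)              /* no room for the terminating NUL */
        return -2;
    memcpy(folders[idx].prefix, base, len + 1);
    return 0;
}

int main(void)
{
    char longname[64];                  /* constructed oversized argument */
    memset(longname, 'A', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';

    printf("basename: %s\n", folder_basename("/var/spool/mail/user"));
    printf("short name: %d\n", set_prefix_safe(0, "/var/spool/mail/user"));
    printf("long name:  %d\n", set_prefix_safe(1, longname));
    printf("bad index:  %d\n", set_prefix_safe(MAX_FOLDERS, "x"));
    return 0;
}
```

Refusing the oversized name instead of truncating it with strncpy is a deliberate choice here: a silently shortened prefix would later be compared against the wrong mailbox name, so the caller should see an error rather than a plausible-looking but wrong record.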
Current thread:
- Re: usr/bin/newmail buffer overflow honoriak (Feb 13)