Vulnerability Development mailing list archives

Re: /usr/bin/Mail buffer 0verfl0w

From: "Rasta C. Shell" <rasta () RSHELL ORG>
Date: Fri, 2 Mar 2001 19:25:48 +0200

I think is is not exploitable since the buffer can except only chars
in the range of \x30 - \x39. But I haven't looked at the source.


SosPiro <sospiro () FREEMAIL IT> wrote:

I found a buffer oveflow in /usr/bin/Mail,it's suid by default on my
Slakware 7.00  K2.2.13
This is the problem:

SunsetZer0:#Mail
Mail version 8.1 6/6/93.      Type ? for help
"/var/spool/mail/root":           2  messages  2  unread

U  1  root                                   Thu Sep  15  02:23    33/1257

"hole in /usr/bin/Mail"
  U  2  sospiro                               Sat Oct    9  18:19  126/6192
"Owned!Owned!"
& t  0 x 2240
0:Invalid   message  number
"Source"  stack  over-pop
Segmentation Fault

sospiro

"ALl We WaNt is T0 bE HapPy"
---------------------------------


--
http://www.rshell.org
Join #shellcode on EFnet.
rasta () rshell org

Current thread:

Re: /usr/bin/Mail buffer 0verfl0w, (continued)
- - - Re: /usr/bin/Mail buffer 0verfl0w Syzop (Mar 06)
    - Re: /usr/bin/Mail buffer 0verfl0w Maciek Pasternacki (Mar 07)
- Re: /usr/bin/Mail buffer 0verfl0w Markus (Mar 01)
- Re: /usr/bin/Mail buffer 0verfl0w Lukasz Kowalczyk (Mar 01)
- Re: /usr/bin/Mail buffer 0verfl0w K2 (Mar 01)
  - Re: /usr/bin/Mail buffer 0verfl0w BAILLEUX Christophe (Mar 02)
    - Re: /usr/bin/Mail buffer 0verfl0w Joe (Mar 02)
    - Re: /usr/bin/Mail buffer 0verfl0w Blue Boar (Mar 03)
    - Crediting/Communication (Was: Re: [VULN-DEV] /usr/bin/Mail buffer 0verfl0w) Syzop (Mar 03)
- Re: /usr/bin/Mail buffer 0verfl0w BAILLEUX Christophe (Mar 02)
- Re: /usr/bin/Mail buffer 0verfl0w Rasta C. Shell (Mar 02)
- Re: /usr/bin/Mail buffer 0verfl0w Nasko . (Mar 03)
- Re: /usr/bin/Mail buffer 0verfl0w Michel A. S. Pereira - KIDMumU[InTrance] (Mar 04)