Bugtraq mailing list archives
Re: a few bugs ...
From: lcamtuf () DIONE IDS PL (Michal Zalewski)
Date: Fri, 17 Mar 2000 10:07:45 +0100
On Mon, 13 Mar 2000, Maurycy Prodeus wrote:
1. In "Lotus Notes POP 1.0X" on NT platform. I'm not really sure ... if you send a very long username ( about 2kb ) it disconnects without any message. So it looks like classic buffer overflow :) I don't have enough time to check it ( to download this packet :) )
Have you noticed GPF popup or BSOD on this Windows box? Anyone may confirm this?
2. Mail agent programs like: standard ;P 'mail' from Berkeley Distribution or mutt, elm perhaps other :), use sendmail arguments to put email adress where luser wants to send mail. It's similar problem to crontab's or lpd's bugs. Example: if you put line with Reply-To: -X /dev/hda1 ;P or something like that :> to mail message and luser ( in this case root ) stupid pushes OK,OK,OK :) ( ofz he'd want to reply ) it may write/destroy file ( /dev/hda1 :] ). I know it isn't good example but I only wanted to show idea...
AFAIK most of mailers calls Sendmail with -bs (start in SMTP emulation mode) or -t (scan headers for recipients) parameter. This is true eg. for pine, mutt seems to be not vulnerable as well. Linux /bin/mail seems to behave correctly, as well.
3. ntalkd from redhat distri or debian... in old version ( <=5.2rh and <=2.0db) (I don't want to be wrong so I will not write it's version - aleph bounced;P sic! ) it's known and patched but there wasn't official post and it may be dangerous. There is fprintf() without format. Another hard to exploit bug :)
Aham. According to ChangeLog:
26-Nov-1998:
Fixed bug: the talkd announce message is passed as the format
string to fprintf, so if it has %'s in it, we probably crash.
Announce message (assembled in ntalkd/announce.c) contains remote username
and remote hostname information, as well as some hardcoded texts like
"Talk request from...". Take a note - we're talking about fprintf, so,
assuming there's no interesting data in daemon address space (I don't
think so - it is not performing any authorization, etc, only reads utmp
entries), I don't think it might lead to anything except crash. And, as
it's started from inetd, I don't think it might have any security
implications ;)
Btw. Aleph, some time ago I described proftpd crash problem with LIST
parameter. Instead of playing with FUD, I've done some debugging and
realized it won't be _probably_ exploitable. As the result, you bounced
this post, but approved this one - for sure overFUDed ;>
_______________________________________________________
Michal Zalewski * [lcamtuf () ags pl] <=> [AGS WAN SYSADM]
[dione.ids.pl SYSADM] <-> [http://lcamtuf.na.export.pl]
[+48 22 551 45 93] [+48 603 110 160] bash$ :(){ :|:&};:
=-----=> God is real, unless declared integer. <=-----=
Current thread:
- RealPlayer and Comet Cursor, (continued)
- RealPlayer and Comet Cursor Keela Robison (Mar 09)
- Fwd: ircii-4.4 buffer overflow bladi (Feb 07)
- Re: Fwd: ircii-4.4 buffer overflow Derek Callaway (Mar 11)
- Re: RealPlayer and Comet Cursor pedward () WEBCOM COM (Mar 09)
- The Comet Cursor Sarah MacArthur (Mar 09)
- Network File Resource Vulnerability Eric Hacker (Mar 09)
- Re: Network File Resource Vulnerability David LeBlanc (Mar 11)
- misc. cross site scripting issues Marc Slemko (Mar 12)
- a few bugs ... Maurycy Prodeus (Mar 13)
- Re: a few bugs ... Thomas Roessler (Mar 15)
- Re: a few bugs ... Michal Zalewski (Mar 17)
- Patch: ip_masq_ftp / Linux 2.2.x (extended FTP ALG vulnerabilty) Bjarni R. Einarsson (Mar 20)
- Microsoft Security Bulletin (MS00-018 Microsoft Product Security (Mar 20)
- Re: a few bugs ... Coke (Mar 20)
- Re: a few bugs ... Daniel Jacobowitz (Mar 20)
- Re: a few bugs ... Michal Zalewski (Mar 20)
- RealPlayer and Comet Cursor Keela Robison (Mar 09)
- DoS with NAVIEG PAUL VanDyke (Mar 17)
- [ANNOUNCE] strace for NT tsabin () RAZOR BINDVIEW COM (Mar 13)
- Linux patch for blocking buffer overflow based attacks massimo () IAC RM CNR IT (Mar 10)
- ICQ remote DoS Philip Stoev (Mar 10)