Bugtraq mailing list archives

HP-UX 11 elm -s possible local egid mail compromise


From: Flatline <achter05 () IE HVA NL>
Date: Thu, 8 Mar 2001 20:32:23 +0100

- Introduction:

HP-UX 11.00 ships with a vulnerable version of the elm MUA: it contains a buffer overflow vulnerability in the -s (subject) argument.

I found that version 2.5.0 had the bug fixed, so I looked for older versions to check, and it seems that the most recent version to contain this bug was 2.5.alpha3.


- Platforms:

I have only tested this on HP-UX 11.00, although any system shipped with elm-2.5.alpha3 is almost certainly affected by this bug.


- Impact:

This program is setgid mail, so an attacker could gain egid mail on the system and read/modify other users' mail.


- Example:

(achter05@oege) /user2/i99/achter05 $ uname -a
HP-UX oege B.11.00 D 9000/887 1948791292 64-user license
(achter05@oege) /user2/i99/achter05 $ elm -s `perl -e '{print "A"x5376}'` some_recipient
Segmentation fault
(achter05@oege) /user2/i99/achter05 $

5376 characters worked for me; you might need a bit more or a bit less to accomplish the same effect on your system.


- Problematic code:

In args.c, function 'parse_arguments' (the lines marked '>>' are the unchecked strcpy() calls):

        to_whom[0] = '\0';
        batch_subject[0] = '\0';
        included_file[0] = '\0';

        while ((c = getopt(argc, argv, "?acd:f:hi:kKms:tVvz")) != EOF) {
           switch (c) {
             case 'a' : arrow_cursor++;         break;
             case 'c' : check_only++; use_tite = 0;     break;
             case 'd' : debug = atoi(optarg);   break;
>>           case 'f' : strcpy(req_mfile, optarg);      break;
             case '?' :
             case 'h' : args_help();
>>           case 'i' : strcpy(included_file, optarg);  break;
             case 'k' : hp_terminal++;  break;
             case 'K' : hp_terminal++; hp_softkeys++;   break;
             case 'm' : mini_menu = 0;  break;
>>           case 's' : strcpy(batch_subject, optarg);  break;
             case 't' : use_tite = 0;   break;
             case 'V' : sendmail_verbose++;     break;
             case 'v' : args_version();
             case 'z' : check_size++;   break;
            }
         }

I've also pointed out other insecure (non-bounds-checking) strcpy() calls, but those vulnerabilities have been reported before. I wonder why I haven't been able to come across any advisory on the -s overflow.

All vulnerable strcpy() statements copy a user-supplied string into a buffer of SLEN (256) bytes. Feeding the argument a string of more than 256 characters in length will crash it.

hdrs/defs.h:#define SLEN                256         /* long for ensuring no overwrites... */

It's interesting to see that the author thought his buffers were safe by using a seemingly large buffer length. Another thing that raised my eyebrows was the fact that the '-f' overflow was in fact fixed in this install and the '-i' and '-s' were not (while suffering from the exact same overflow conditions).
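A bounds-checked form of the subject copy, shown here as an added example that is not part of the advisory or of the elm source; the subject_state struct, its sentinel and the try_subject() harness are assumptions made for the demonstration, and the 'A' strings are constructed to match the lengths used above:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define SLEN 256               /* elm's fixed buffer size from hdrs/defs.h */
#define SENTINEL 0xDEADBEEFUL  /* constructed marker placed after the buffer */

/* Assumed layout: subject buffer followed by a sentinel to detect overruns. */
struct subject_state {
    char batch_subject[SLEN];
    unsigned long sentinel;
};

/* Bounded replacement for elm's unchecked "strcpy(batch_subject, optarg)".
 * Returns 0 when optarg (plus its NUL) fits in SLEN bytes; otherwise the
 * oversized subject is rejected, the buffer left empty, and -1 returned. */
int set_batch_subject(char dst[SLEN], const char *optarg)
{
    size_t n = strlen(optarg);
    if (n >= SLEN) {
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, optarg, n + 1);   /* n + 1 copies the terminating NUL */
    return 0;
}

/* Feeds a constructed subject of 'len' repeated 'A's (the shape of the
 * advisory's perl one-liner) through the bounded copy. Returns 0 if
 * accepted, -1 if rejected, -2 if the sentinel was disturbed, -3 on OOM. */
int try_subject(size_t len)
{
    struct subject_state st;
    char *arg = malloc(len + 1);
    int rc;
    if (arg == NULL)
        return -3;
    memset(arg, 'A', len);
    arg[len] = '\0';
    st.sentinel = SENTINEL;
    rc = set_batch_subject(st.batch_subject, arg);
    free(arg);
    return (st.sentinel != SENTINEL) ? -2 : rc;
}

int main(void)
{
    printf("%d %d %d\n", try_subject(255), try_subject(256), try_subject(5376));
    return 0;
}
```

A 255-character subject is accepted, while 256 and the advisory's 5376 are rejected with the buffer and the bytes after it untouched.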


- Fix:

HP-UX 11.00 ships with an older (hacked?) version of the elm MUA, so all you'd have to do is download the latest stable version (2.5.3) from:

http://www.instinct.org/elm/files/tarballs/elm2.5.3.tar.gz

You could also remove the setgid bit and wait for HP to officially issue a patch.


- Vendor status:

HP was notified a couple of weeks ago.


- Shout outs:

Greetings fly out to xpc, 84/tcp and #darknet.

