Bugtraq mailing list archives
HP-UX 11 elm -s possible local egid mail compromise
From: Flatline <achter05 () IE HVA NL>
Date: Thu, 8 Mar 2001 20:32:23 +0100
- Introduction:

HP-UX 11.00 ships with a vulnerable version of the elm MUA; it contains a buffer overflow vulnerability in the -s (subject) argument. I found that version 2.5.0 had the bug fixed, so I looked for older versions to check, and it seems that the most recent version to contain this bug was 2.5.alpha3.

- Platforms:

I have only tested this on HP-UX 11.00, although any system shipped with elm-2.5.alpha3 is almost certainly affected by this bug.

- Impact:

This program is setgid mail, so an attacker could gain egid mail on the system and read/modify other users' mail.

- Example:

    (achter05@oege) /user2/i99/achter05 $ uname -a
    HP-UX oege B.11.00 D 9000/887 1948791292 64-user license
    (achter05@oege) /user2/i99/achter05 $ elm -s `perl -e '{print "A"x5376}'` some_recipient
    Segmentation fault
    (achter05@oege) /user2/i99/achter05 $

5376 characters worked for me; you might need a bit more or a bit less to accomplish the same effect on your system.

- Problematic code:

in args.c, function 'parse_arguments':

        to_whom[0] = '\0';
        batch_subject[0] = '\0';
        included_file[0] = '\0';

        while ((c = getopt(argc, argv, "?acd:f:hi:kKms:tVvz")) != EOF) {
            switch (c) {
                case 'a' : arrow_cursor++; break;
                case 'c' : check_only++; use_tite = 0; break;
                case 'd' : debug = atoi(optarg); break;
    >>          case 'f' : strcpy(req_mfile, optarg); break;
                case '?' :
                case 'h' : args_help();
    >>          case 'i' : strcpy(included_file, optarg); break;
                case 'k' : hp_terminal++; break;
                case 'K' : hp_terminal++; hp_softkeys++; break;
                case 'm' : mini_menu = 0; break;
    >>          case 's' : strcpy(batch_subject, optarg); break;
                case 't' : use_tite = 0; break;
                case 'V' : sendmail_verbose++; break;
                case 'v' : args_version();
                case 'z' : check_size++; break;
            }
        }

I've also pointed out other insecure (non-bounds-checking) strcpy() calls, but those vulnerabilities have been reported before. I wonder why I haven't been able to come across any advisory on the -s overflow.
All vulnerable strcpy() statements copy a user-supplied string into a buffer of SLEN (256) bytes. Feeding the argument a string of more than 256 characters in length will crash it.

    hdrs/defs.h:#define SLEN 256 /* long for ensuring no overwrites... */

It's interesting to see that the author thought his buffers were safe by using a seemingly large buffer length. Another thing that raised my eyebrows was the fact that the '-f' overflow was in fact fixed in this install and the '-i' and '-s' were not (while suffering from the exact same overflow conditions).

- Fix:

HP-UX 11.00 ships with an older (hacked?) version of the elm MUA, so all you'd have to do is download the latest stable version (2.5.3) from:

http://www.instinct.org/elm/files/tarballs/elm2.5.3.tar.gz

You could also remove the setgid bit and wait for HP to officially issue a patch.

- Vendor status:

HP was notified a couple of weeks ago.

- Shout outs:

Greetings fly out to xpc, 84/tcp and #darknet.
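The defect above is a fixed-size SLEN buffer filled by an unchecked strcpy() of optarg. The following is an added example (not code from the original post and not elm's own source) showing the bounded copy that parse_arguments should have used for the -s case: the argument is accepted only if it fits in SLEN bytes including the terminating NUL, and otherwise rejected rather than written past the end of the buffer. The names copy_option_arg, parse_subject and make_subject are hypothetical; SLEN 256 is taken from the post, and getopt() is replaced by a plain scan of argv so the function is re-entrant. The 5376-byte subject is constructed to match the length that crashed elm in the post.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SLEN 256   /* same buffer size as elm's hdrs/defs.h (from the post) */

/*
 * Bounded replacement for the advisory's unchecked
 *     strcpy(batch_subject, optarg);
 * Copies src into dst only if it fits, including the terminating NUL.
 * Returns 1 on success, 0 if src is too long (dst is left as "").
 */
int copy_option_arg(char *dst, size_t dstsize, const char *src)
{
    size_t n = strlen(src);
    if (dstsize == 0 || n >= dstsize) {
        if (dstsize)
            dst[0] = '\0';
        return 0;
    }
    memcpy(dst, src, n + 1);
    return 1;
}

/*
 * Hypothetical stand-in for elm's parse_arguments(): walks argv looking
 * for "-s <subject>" (getopt() is avoided so the function has no global
 * state and can be called repeatedly). batch_subject must be SLEN bytes.
 * Returns 1 if a subject was found and fit, 0 if it was found but
 * rejected as too long, -1 if no -s argument was present.
 */
int parse_subject(int argc, char **argv, char *batch_subject)
{
    batch_subject[0] = '\0';
    for (int i = 1; i < argc - 1; i++) {
        if (strcmp(argv[i], "-s") == 0)
            return copy_option_arg(batch_subject, SLEN, argv[i + 1]);
    }
    return -1;
}

/* Builds a constructed subject of `len` 'A' bytes; caller frees it. */
char *make_subject(size_t len)
{
    char *s = malloc(len + 1);
    if (!s)
        return NULL;
    memset(s, 'A', len);
    s[len] = '\0';
    return s;
}

int main(void)
{
    char batch_subject[SLEN];
    char *longsubj = make_subject(5376);   /* length from the post's crash */
    char *argv_ok[]  = { "elm", "-s", "hello", "some_recipient" };
    char *argv_bad[] = { "elm", "-s", longsubj, "some_recipient" };

    printf("short subject accepted:     %d\n",
           parse_subject(4, argv_ok, batch_subject));
    printf("5376-byte subject accepted: %d\n",
           parse_subject(4, argv_bad, batch_subject));
    free(longsubj);
    return 0;
}
```

The boundary is deliberately n >= dstsize rather than n > dstsize: a 255-byte subject is the longest that fits in a 256-byte buffer once the NUL is counted, and a 256-byte one is rejected. A bounded copy that silently truncated (strncpy-style) would also stop the overflow, but it can produce an unterminated buffer or a changed subject, so refusing and reporting the overlong argument is the cleaner fix for a setgid program.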