Vulnerability Development mailing list archives
Re: /usr/bin/elm buffer overflow
From: "Rasta C. Shell" <rasta () RSHELL ORG>
Date: Sun, 11 Feb 2001 00:13:36 +0200
This is from init.c:

    if (getuid() != geteuid() && !allow_setuid) {
        fprintf(stderr, catgets(elm_msg_cat, ElmSet, ElmInstalledSetuid,
    "\n\
    This version of Elm has been installed setuid=%d. This is dangerous!\n\
    Elm is NOT designed to run in this mode, and to do so can introduce\n\
    grave security hazards. See the description of \"allow_setuid\" in the\n\
    Elm Reference Guide for further information.\n\n"), geteuid());
        exit(1);
    }

From the Ref guide:

allow_setuid

    The default value is OFF, and you almost certainly should not change it. This variable is valid only in the system-wide elm.rc file.

    Normally, when Elm starts up, it verifies that it has not been installed with setuid privileges. If the check fails, it displays an error and terminates. This check is performed because many people, when encountering configuration or installation problems (particularly locking problems), simply install Elm setuid=root rather than fixing the problem. This can create a significant security hazard. If you insist on running Elm in this configuration, you may bypass the check by turning this setting ON. (But then don't say we didn't warn you.)

I do have a question though. Elm default installation is mode 2755. Can an exploitable sgid file be used to gain any higher access?

-rasta

SadBOy <sadb () FREEMAIL IT> wrote:

I found a buffer overflow in /usr/bin/elm (version 2.5 PL3)

"Elm is an interactive screen-oriented mailer program that supersedes mail and mailx.."

I tested it on my Linux Box (RedHat 6.2)

Look at this:

    #elm -f AAA...x 260
    Segmentation Fault (core dumped)

sospiro

--
http://www.rshell.org
Join #shellcode on EFnet.
rasta () rshell org
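
Added example (not part of the original post and not Elm source code): the check quoted from init.c compares user IDs only, so an install mode of 2755 (setgid, not setuid) does not trigger it. The sketch below classifies an install mode and the run-time ID pairs for both cases; the function names and the sample uid/gid values are assumptions made for illustration.

```c
/* Added example, not Elm code: setuid vs. setgid detection at startup. */
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define PRIV_SETUID 0x1
#define PRIV_SETGID 0x2

/* Privilege bits implied by an install mode such as 02755. */
static int priv_from_mode(mode_t mode)
{
    int flags = 0;
    if (mode & S_ISUID) flags |= PRIV_SETUID;
    if (mode & S_ISGID) flags |= PRIV_SETGID;
    return flags;
}

/* Privilege bits visible at run time from real vs. effective IDs. */
static int priv_from_ids(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    int flags = 0;
    if (ruid != euid) flags |= PRIV_SETUID;
    if (rgid != egid) flags |= PRIV_SETGID;
    return flags;
}

/* Same condition as the init.c excerpt: user IDs only. */
static int uid_only_check_fires(uid_t ruid, uid_t euid, int allow_setuid)
{
    return ruid != euid && !allow_setuid;
}

/* Startup guard covering both ID pairs; returns 0 when unprivileged. */
static int startup_guard(void)
{
    int flags = priv_from_ids(getuid(), geteuid(), getgid(), getegid());
    if (flags & PRIV_SETUID)
        fprintf(stderr, "running setuid=%d\n", (int)geteuid());
    if (flags & PRIV_SETGID)
        fprintf(stderr, "running setgid=%d\n", (int)getegid());
    return flags;
}

int main(void)
{
    printf("mode 02755 -> flags %d\n", priv_from_mode(02755));
    return startup_guard() ? 1 : 0;
}
```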