Vulnerability Development mailing list archives

Re: /usr/bin/elm buffer overflow


From: "Rasta C. Shell" <rasta () RSHELL ORG>
Date: Sun, 11 Feb 2001 00:13:36 +0200

This is from init.c:
    if (getuid() != geteuid() && !allow_setuid) {
        fprintf(stderr, catgets(elm_msg_cat, ElmSet, ElmInstalledSetuid,
"\n\
This version of Elm has been installed setuid=%d.  This is dangerous!\n\
Elm is NOT designed to run in this mode, and to do so can introduce\n\
grave security hazards.  See the description of \"allow_setuid\" in the\n\
Elm Reference Guide for further information.\n\n"),
                geteuid());
        exit(1);
    }

From the Ref guide:
allow_setuid
The default value is OFF, and you almost certainly should not
change it.  This variable is valid only in the system-wide elm.rc
file.  Normally, when Elm starts up, it verifies that it has not
been installed with setuid privileges.  If the check fails, it
displays an error and terminates.  This check is performed because
many people, when encountering configuration or installation problems
(particularly locking problems), simply install Elm setuid=root
rather than fixing the problem.  This can create a significant security
hazard.  If you insist on running Elm in this configuration, you may
bypass the check by turning this setting ON.  (But then don't say we
didn't warn you.)


I do have a question though. Elm's default installation is mode 2755.
Can an exploitable sgid file be used to gain any higher access?


-rasta


SadBOy <sadb () FREEMAIL IT> wrote:
I found a buffer overflow in /usr/bin/elm (version 2.5 PL3)
"Elm is an interactive screen-oriented mailer program that supersedes mail
and mailx.."
I tested it on my Linux Box (RedHat 6.2)
Look at this:

#elm -f  AAA...x 260
Segmentation Fault (core dumped)

sospiro

--
http://www.rshell.org
Join #shellcode on EFnet.
rasta () rshell org

