Vulnerability Development mailing list archives
exim and ip options?
From: Magosányi Árpád <mag () BUNUEL TII MATAV HU>
Date: Thu, 11 Jan 2001 04:51:34 +0100
Hi!

I have found some very interesting code in exim. (It is at least in 3.12 - 3.20.) In src/smtp_in.c, in function smtp_start_session(), when it handles IP options:

    default:
      {
      int i;
      strcat(p, "[");
      p += 2;
      for (i = 0; i < opt[1]; i++)
        {
        sprintf(p, "%2.2x ", opt[i]);
        p += 3;
        }
      *p++ = ']';
      }
    opt += opt[1];
    break;
    }
    }

p is a pointer (initially) inside a "big" buffer with a length of 1024. It seems to be a nice opportunity for a buffer overrun, minus it is on the heap and very limited in the usable opcodes. I am not able to write an exploit, or even to confirm the exploitability of such code. Any ideas?

Please cc: me as I am not on the list.

--
GNU GPL: only from a pure source
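A bounded version of the quoted formatting loop, added here as example code (it is neither exim's source nor the poster's): it refuses to write when the option text would not fit in the caller's buffer, and rejects a length byte that claims more option bytes than are actually present. The function name format_ip_option, the optavail parameter and the sample option bytes are this example's own assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical bounded replacement for the loop quoted above (example code,
 * not exim's). Writes one IP option as "[xx xx ... ]" into out, never past
 * out + outlen. optavail is the number of option bytes remaining from opt,
 * so the untrusted length byte opt[1] cannot drive an over-read either.
 * Returns characters written (excluding the NUL), or -1 on refusal. */
int format_ip_option(const unsigned char *opt, size_t optavail,
                     char *out, size_t outlen)
{
    size_t optlen, i, pos = 0;
    if (optavail < 2)                       /* need type and length bytes */
        return -1;
    optlen = opt[1];
    if (optlen < 2 || optlen > optavail)    /* length byte is untrusted */
        return -1;
    if (outlen < 3 * optlen + 3)            /* '[' + 3 per byte + ']' + NUL */
        return -1;
    out[pos++] = '[';
    for (i = 0; i < optlen; i++) {
        int n = snprintf(out + pos, outlen - pos, "%2.2x ", opt[i]);
        if (n < 0 || (size_t)n >= outlen - pos)
            return -1;
        pos += (size_t)n;
    }
    out[pos++] = ']';
    out[pos] = '\0';
    return (int)pos;
}

/* Constructed sample: one 4-byte option, type 0x07, length byte 4. */
static const unsigned char sample_opt[] = { 0x07, 0x04, 0xaa, 0xbb };

int demo_fits(void)          /* 32-byte buffer: 14 chars, text checked */
{
    char out[32];
    int n = format_ip_option(sample_opt, sizeof sample_opt, out, sizeof out);
    return (n == 14 && strcmp(out, "[07 04 aa bb ]") == 0) ? n : -2;
}
int demo_too_small(void)     /* 8-byte buffer: refused instead of overrun */
{
    char out[8];
    return format_ip_option(sample_opt, sizeof sample_opt, out, sizeof out);
}
int demo_bad_length(void)    /* only 3 bytes present but opt[1] claims 4 */
{
    char out[32];
    return format_ip_option(sample_opt, 3, out, sizeof out);
}
int main(void)
{
    printf("%d %d %d\n", demo_fits(), demo_too_small(), demo_bad_length());
    return 0;   /* prints "14 -1 -1" */
}
```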