Vulnerability Development mailing list archives

Previous By Date Next
Previous By Thread Next

Re: /usr/bin/Mail buffer 0verfl0w

From: Knud Erik Hojgaard - CyberCity Support <kain () PERKER DK>
Date: Fri, 2 Mar 2001 10:29:55 +0100
redhat 6.0 runs with same version of mail, and with the same result. so does
redhat 6.2.

Med venlig hilsen

Knud Erik Hojgaard <knud () cybercity dk>
Cybercity Erhvervssupport <support () erhverv cybercity dk>
http://www.cybercity.dk/support
Tlf 33 98 30 60
|-- Jesus saves, but only Buddha makes incremental backups --|

-----Original Message-----
From: VULN-DEV List [mailto:VULN-DEV () SECURITYFOCUS COM]On Behalf Of
syzop
Sent: 2. marts 2001 03:48
To: VULN-DEV () SECURITYFOCUS COM
Subject: Re: /usr/bin/Mail buffer 0verfl0w


Enrique Maglietta wrote:


& t  0 x 2240
0:Invalid   message  number
"Source"  stack  over-pop
Segmentation Fault



I'm test on a SuSE 7.0 , and there is no problem

& t 0x2240
0: Invalid message number
& t 0 x 2240
0: Invalid message number
&


SosPiro should have explained it better,
When somebody says
& t 0 x 2240
not everybody understands you are sending 2240 zero's,
it is better to write something like:
& t [2240x'0']
which is often used :)

Anyway... Tested here with Debian 2.2:
Mail version 8.1 6/6/93.  Type ? for help.
-- snip --
& t 0x2240
0: Invalid message number
& t 0 x 2240
0: Invalid message number
& t 0000000000000000[etc (2300 times)]
0: Invalid message number
"Source" stack over-pop.
Segmentation fault

That's the latest version (I've verified my version with the latest version
available at debians website).

Also, Markus wrote:

Bug the bug is there, a guy called Kengz www.kengz.org
made a exploit time ago.

My nameserver says (www.)kengz.org doesn't exist so I couldn't verify :(.


if /usr/bin/Mail is setgid
but it is not setgid,setuid for default.

it is sgid mail on Debian, so if this is exploitable... :)

Cya

    Syzop.
Previous By Date Next
Previous By Thread Next

Current thread: