Vulnerability Development mailing list archives

Re: /usr/bin/Mail buffer 0verfl0w


From: Markus <ml () pixxelfactory net>
Date: Thu, 1 Mar 2001 17:12:06 +0100

Sospiro,
But the bug is there; a guy called Kengz (www.kengz.org)
made an exploit some time ago.
I tested it against Slackware 7.x | Redhat 6.x | Redhat 7.x | Still works
/*
Slackware 7.1 /usr/bin/Mail Exploit
gives gid=1 (bin)
if /usr/bin/Mail is setgid,
but it is not setgid/setuid by default.

tested on my box ( sl 7.1 )
crazy exploited by kengz.


GID.... \x01 = 1 (bin)    ,   \x02 = 2    ,    \x03 = 3 ,   ...
\x0a = 10         \x0b = 11   ....

*/

----- Original Message -----
From: "SosPiro" <sospiro () FREEMAIL IT>
To: <VULN-DEV () SECURITYFOCUS COM>
Sent: Wednesday, February 28, 2001 8:29 PM
Subject: /usr/bin/Mail buffer 0verfl0w


I found a buffer overflow in /usr/bin/Mail; it's suid by default on my
Slackware 7.00 (K2.2.13).
This is the problem:

SunsetZer0:#Mail
Mail version 8.1 6/6/93.  Type ? for help
"/var/spool/mail/root": 2 messages 2 unread
 U  1 root      Thu Sep 15 02:23   33/1257  "hole in /usr/bin/Mail"
 U  2 sospiro   Sat Oct  9 18:19  126/6192  "Owned!Owned!"
& t 0 x 2240
0: Invalid message number
"Source" stack over-pop
Segmentation Fault

sospiro

"ALl We WaNt is T0 bE HapPy"
---------------------------------
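Added defensive check, not part of the thread or of either poster's code: the two posts disagree on whether /usr/bin/Mail ships setuid or setgid, and that bit is what turns the overflow above from a local crash into a gid=1 (bin) or root problem. This POSIX shell snippet reports the special bits on a path, lists such files under given directories, and strips the bits as the mitigation; the paths passed at the bottom are only illustrative.

```shell
#!/bin/sh
# Added example: audit setuid/setgid state of a binary such as /usr/bin/Mail.

# Print "setuid", "setgid", "setuid,setgid", "none" or "missing" for a path.
special_bits() {
    p="$1"
    [ -e "$p" ] || { echo "missing"; return 1; }
    out=""
    [ -u "$p" ] && out="setuid"
    if [ -g "$p" ]; then
        [ -n "$out" ] && out="$out,"
        out="${out}setgid"
    fi
    echo "${out:-none}"
}

# Mitigation: clear both bits so a crash in the program runs only with
# the invoking user's privileges.
strip_special_bits() {
    chmod u-s,g-s "$1"
}

# List every regular file carrying setuid or setgid under the given trees.
list_special() {
    find "$@" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# Illustrative run: the path names here are examples, not a finding.
for p in /usr/bin/Mail /usr/bin/mail; do
    printf '%s: %s\n' "$p" "$(special_bits "$p")"
done
```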

