Date: Thu, 8 Mar 2001 20:32:23 +0100
From: Flatline <[email protected]>
To: [email protected]
Subject: HP-UX 11 elm -s possible local egid mail compromise
- Introduction:
HP-UX 11.00 ships with a vulnerable version of the elm MUA; it contains a buffer overflow in the -s (subject) argument.
I found that version 2.5.0 had the bug fixed, so I looked for older versions to check, and it seems that the most recent version to contain this bug was 2.5.alpha3.
- Platforms:
I have only tested this on HP-UX 11.00, although any system shipped with elm-2.5.alpha3 is almost certainly affected by this bug.
- Impact:
This program is setgid mail, so an attacker could gain egid mail on the system and read/modify other users' mail.
- Example:
(achter05@oege) /user2/i99/achter05 $ uname -a
HP-UX oege B.11.00 D 9000/887 1948791292 64-user license
(achter05@oege) /user2/i99/achter05 $ elm -s `perl -e '{print "A"x5376}'` some_recipient
Segmentation fault
(achter05@oege) /user2/i99/achter05 $
5376 characters worked for me; you might need a bit more or a bit less to accomplish the same effect on your system.
- Problematic code:
In args.c, function 'parse_arguments' (lines marked >> are the unbounded strcpy() calls):

    to_whom[0] = '\0';
    batch_subject[0] = '\0';
    included_file[0] = '\0';
    while ((c = getopt(argc, argv, "?acd:f:hi:kKms:tVvz")) != EOF) {
        switch (c) {
            case 'a' : arrow_cursor++; break;
            case 'c' : check_only++; use_tite = 0; break;
            case 'd' : debug = atoi(optarg); break;
    >>      case 'f' : strcpy(req_mfile, optarg); break;
            case '?' :
            case 'h' : args_help();
    >>      case 'i' : strcpy(included_file, optarg); break;
            case 'k' : hp_terminal++; break;
            case 'K' : hp_terminal++; hp_softkeys++; break;
            case 'm' : mini_menu = 0; break;
    >>      case 's' : strcpy(batch_subject, optarg); break;
            case 't' : use_tite = 0; break;
            case 'V' : sendmail_verbose++; break;
            case 'v' : args_version();
            case 'z' : check_size++; break;
        }
    }
I've also pointed out other insecure (non-bounds-checking) strcpy() calls, but those vulnerabilities have been reported before. I wonder why I haven't been able to come across any advisory on the -s overflow.
All vulnerable strcpy() statements copy a user-supplied string into a buffer of SLEN (256) bytes. Passing any of these arguments a string longer than 256 characters overflows the buffer and crashes the program.

    hdrs/defs.h:#define SLEN 256 /* long for ensuring no overwrites... */
It's interesting to see that the author thought his buffers were safe by using a seemingly large buffer length. Another thing that raised my eyebrows was the fact that the '-f' overflow was in fact fixed in this install and the '-i' and '-s' were not (while suffering from the exact same overflow conditions).
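As an added example (not elm's code, and not from the advisory), here is what a bounded replacement for the `strcpy(batch_subject, optarg)` call looks like: it assumes elm's SLEN of 256 and refuses an over-long -s argument instead of writing past the buffer.

```c
/* Added example, not part of elm: bounded replacement for
 * `case 's': strcpy(batch_subject, optarg);`. Assumes SLEN == 256 as in hdrs/defs.h. */
#include <stdio.h>
#include <string.h>

#define SLEN 256                 /* same size the advisory quotes for elm's buffers */

static char batch_subject[SLEN]; /* constructed stand-in for elm's global */

/* Copy src into dst (dstsz bytes) and always NUL-terminate.
 * Returns 0 on success, -1 if src does not fit (dst is then emptied),
 * so the caller can reject the argument rather than silently truncate it.
 * memchr() is limited to dstsz bytes, so an unterminated or huge src is never
 * scanned past the space we actually have. */
int copy_arg_checked(char *dst, size_t dstsz, const char *src)
{
    if (dstsz == 0)
        return -1;
    const char *end = memchr(src, '\0', dstsz);
    if (end == NULL) {           /* no terminator within dstsz: src is too long */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, (size_t)(end - src) + 1); /* +1 copies the NUL too */
    return 0;
}

/* Hardened equivalent of the vulnerable -s case: the 5376-byte argument from the
 * advisory's test is rejected here instead of overflowing the 256-byte buffer. */
int set_batch_subject(const char *optarg_value)
{
    if (copy_arg_checked(batch_subject, sizeof batch_subject, optarg_value) != 0) {
        fprintf(stderr, "elm: -s subject longer than %d characters\n", SLEN - 1);
        return -1;
    }
    return 0;
}

const char *get_batch_subject(void) { return batch_subject; }

int main(void)
{
    char big[5377];              /* constructed: same length the advisory used */
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    printf("short subject: %d\n", set_batch_subject("hello"));  /* 0 */
    printf("5376-byte subject: %d\n", set_batch_subject(big));  /* -1 */
    return 0;
}
```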
- Fix:
HP-UX 11.00 ships with an older (hacked?) version of the elm MUA, so all you'd have to do is download the latest stable version (2.5.3) from:
http://www.instinct.org/elm/files/tarballs/elm2.5.3.tar.gz
You could also remove the setgid bit and wait for HP to officially issue a patch.
- Vendor status:
HP was notified a couple of weeks ago.
- Shout outs:
Greetings fly out to xpc, 84/tcp and #darknet.