[285] in Best-of-Security


BoS: Multiply bugs in MH-6.8.3 (Mail Handler program)

daemon@ATHENA.MIT.EDU (Darren Reed)
Tue Jul 29 12:37:50 1997

From: Darren Reed <darrenr@cyber.com.au>
Date: Tue, 29 Jul 1997 02:15:39 +1000 (EST)
Errors-To: best-of-security-request@cyber.com.au
To: best-of-security@cyber.com.au
Resent-From: best-of-security@cyber.com.au


> Message-Id: <33DA915F.35ED2B71@onlinex.net>
> Date: 	Sat, 26 Jul 1997 18:08:00 -0600
> Reply-To: Matt Conover <shok@COBRA.ONLINEX.NET>
> From: Matt Conover <shok@COBRA.ONLINEX.NET>
> Organization: JaNova
> Subject:      Multiply bugs in MH-6.8.3 (Mail Handler program)
> To: BUGTRAQ@NETSPACE.ORG
> 
> Okay there is an overflow in MH-6.8.3, which is suid, which I THINK (not
> sure), is installed, at least in Redhat 4.1+,  by default (I think this
> is installed within the mail package regardless of distribution, but I
> never specifically installed it). This actually has a few overflows (I
> haven't actually tested this but it looks quite obvious, you'll have to
> test it yourself).
> 
> 
> The only one I'm going to describe is the program 'msgchk', which is suid
> (on my server it's installed by default in /usr/bin/mh/msgchk (in
> function checkmail), you would also want to check /usr/lib/mh/msgchk.
> (You ought to look through the code yourself..I notice quite a few
> bugs..this program relies heavily on buffers and environmental variables)
> 
> This is pretty straightforward.
>   char *hdir, buf[BUFSIZ], *tmp;
>                            ^^^^^^^^ not sure the exact value..check the *.h files..for test
>                                              purposes if you try to overflow this...just use a size
>                                              of 9999, just to see if it segfaults.
> 
>         hdir = getenv("HOME");
>         if (hdir == NULL)
>                 hdir = ".";
>         (void) sprintf(buf, "%s/.netrc", hdir);
> 
> Obviously it never even checks the value of hdir..so export your home
> directory to something very large (if this doesn't work, they still
> disobeyed something that libc specifically says not to do...they say to
> use (can't remember the exact function) _secure_getenv,
> _securelib_getenv (??) something like that..and they also said NOT to
> define it to set the HOME to "." (the current path) for reasons that
> someone could link .netrc to something and since it's suid... test this
> yourself..I don't have too much time
> 
>                                      Matt Conover (shok@onlinex.net
> --  Shok).
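As an added example (not from Matt Conover's post or from the MH sources), here is a bounds-checked replacement for the quoted getenv/sprintf pattern: it uses snprintf, rejects a result that would not fit instead of truncating it, and refuses the "." fallback for an unset HOME that the post warns about. The function and helper names are my own, and the 9999-byte HOME used in the helper is a constructed input.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bounds-checked version of the quoted msgchk pattern: builds
 * "<hdir>/.netrc" into buf without trusting the length of hdir.
 * Returns 0 on success, -1 if hdir is unusable or the path will not fit. */
int build_netrc_path(const char *hdir, char *buf, size_t bufsz)
{
    /* A setuid program must not fall back to "." (the caller's cwd);
     * an unset or empty HOME is an error instead. */
    if (hdir == NULL || hdir[0] == '\0' || bufsz == 0)
        return -1;
    /* Require an absolute path so a relative HOME cannot point at a
     * .netrc in whatever directory the program was started from. */
    if (hdir[0] != '/')
        return -1;
    /* snprintf never writes past bufsz; its return value says whether
     * the whole string fit. A truncated path is rejected, not used. */
    int n = snprintf(buf, bufsz, "%s/.netrc", hdir);
    if (n < 0 || (size_t)n >= bufsz)
        return -1;
    return 0;
}
/* Test helper (constructed input): result for a HOME of '/' followed by
 * `len` 'A' bytes, so an oversized value such as the 9999 bytes mentioned
 * in the post can be checked without touching the real environment. */
int check_home_of_length(size_t len)
{
    char buf[BUFSIZ];
    char *home = malloc(len + 2);
    if (home == NULL)
        return -1;               /* allocation failure also counts as reject */
    home[0] = '/';
    memset(home + 1, 'A', len);
    home[len + 1] = '\0';
    int rc = build_netrc_path(home, buf, sizeof buf);
    free(home);
    return rc;
}
int main(void)
{
    char buf[BUFSIZ];
    if (build_netrc_path(getenv("HOME"), buf, sizeof buf) != 0) {
        fprintf(stderr, "refusing: HOME unset, relative, or too long\n");
        return 1;
    }
    printf("%s\n", buf);
    return 0;
}
```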

