[14277] in bugtraq
a few bugs ...
daemon@ATHENA.MIT.EDU (Maurycy Prodeus)
Tue Mar 14 19:42:03 2000
Message-Id: <20000313143123.9899.qmail@tenet.pl>
Date: Mon, 13 Mar 2000 14:31:23 -0000
Reply-To: z33d@TENET.PL
From: Maurycy Prodeus <z33d@TENET.PL>
X-To: bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
Hi ...
Yesss, a few possible bugs:
1. In "Lotus Notes POP 1.0X" on NT platform. I'm not really sure ... if you
send a very long username ( about 2kb ) it disconnects without any message.
So it looks like classic buffer overflow :) I don't have enough time to
check it ( to download this packet :) )
2. Mail agent programs like: standard ;P 'mail' from Berkeley Distribution or
mutt, elm perhaps other :), use sendmail arguments to put email adress where
luser wants to send mail. It's similar problem to crontab's or lpd's
bugs. Example: if you put line with Reply-To: -X /dev/hda1 ;P or something
like that :> to mail message and luser ( in this case root ) stupid pushes
OK,OK,OK :) ( ofz he'd want to reply ) it may write/destroy file
( /dev/hda1 :] ). I know it isn't good example but I only wanted to show
idea...
3. ntalkd from redhat distri or debian... in old version ( <=5.2rh and <=2.0db)
(I don't want to be wrong so I will not write it's version - aleph bounced;P
sic! ) it's known and patched but there wasn't official post and it may be
dangerous. There is fprintf() without format. Another hard to exploit bug :)
END. ;> so "a few" is more than 2. :))
---=|#####################################################################|=---
z33d@tenet.pl, talk.pl java's developer, security scans ...
Cellular phone: [+48] 603 50 67 01
= There is no god, only sex, money and narcotics. =
while true;do (cat /boot/vmlinuz)&;mkswap /dev/hda;done
---=|#####################################################################|=---
