[5045] in bugtraq
Re: Multiply bugs in MH-6.8.3 (Mail Handler program)
daemon@ATHENA.MIT.EDU (Matt Conover)
Tue Jul 29 14:32:57 1997
Date: Mon, 28 Jul 1997 22:51:48 -0600
Reply-To: Matt Conover <shok@COBRA.ONLINEX.NET>
From: Matt Conover <shok@COBRA.ONLINEX.NET>
X-To: nolander@NOLANDER.PP.SE
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Pine.LNX.3.96.970728213220.12203A-100000@nis.ml.org>
No, actually you're wrong...there are two different overflows...this is why
I said there are MULTIPLE bugs...I just only mentioned one..because that
one is used in checkmail() and it will be called, but there is an
exception:
static int checkmail (user, home, datesw, notifysw, personal)
register char *user, *home;
int datesw,
    notifysw,
    personal;
{
    int mf,
        status;
    char buffer[BUFSIZ];        /* fixed-size destination for the path below */
    struct stat st;

    /* unbounded sprintf: home (from $HOME) and user are copied into
       buffer[] with no length check when mmdfldir/mmdflfil are not set */
    (void) sprintf (buffer, "%s/%s",
            mmdfldir[0] ? mmdfldir : home,
            mmdflfil[0] ? mmdflfil : user);
The exception is if mmdfldir[0] is true..otherwise this WILL get called,
and this is directly in msgchk.c checkmail(), NOT in ruserpass.c; that is a
completely different overflow.
On Mon, 28 Jul 1997 nolander@NOLANDER.PP.SE wrote:
> > Okay there is an overflow in MH-6.8.3, which is suid, which I THINK (not
> > sure), is installed, at least in Redhat 4.1+, by default (I think this
>
> > char *hdir, buf[BUFSIZ], *tmp;
> > purposes if you try to overflow this...just use a size of 9999, just to
> > see if it segfaults.
> >
> > hdir = getenv("HOME");
> > if (hdir == NULL)
> >     hdir = ".";
> > (void) sprintf(buf, "%s/.netrc", hdir);
>
> All this was in ruserpass.c...
>
> ruserpass(host,&user,&pass); is found in msgchk.c, in checkremote() or
> something like that... meaning that the host isn't vulnerable if not
> configured.. this is from a system where mh was installed w/o being
> configured (default)
>
> [nolander@sangis nolander]$ /usr/bin/mh/msgchk -host muroff
> msgchk: no servers available
>
> check man mh-tailor for more info about this server stuff :)
>
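As an added example (not MH code, and not from either poster), here is the same "%s/%s" path construction from checkmail() rewritten with a bounded write and an explicit length check; the MH globals mmdfldir/mmdflfil are passed as parameters purely so the function can be exercised stand-alone, and the oversized $HOME value in the second function is a constructed test input.

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

/* Build "<dir>/<file>" the way checkmail() does, but with a bounded write:
 * mmdfldir/mmdflfil win when non-empty, else the caller's home/user. MH keeps
 * these as globals; passing them in is an assumption of this example so it
 * can be exercised stand-alone. Returns 0 on success, -1 on a NULL argument
 * or on a path that would not fit (reported instead of overflowing). */
int build_maildrop_path(char *out, size_t outsz,
                        const char *mmdfldir, const char *mmdflfil,
                        const char *user, const char *home)
{
    const char *dir, *file;
    int n;
    if (out == NULL || outsz == 0 || mmdfldir == NULL || mmdflfil == NULL)
        return -1;
    dir  = mmdfldir[0] ? mmdfldir : home;
    file = mmdflfil[0] ? mmdflfil : user;
    if (dir == NULL || file == NULL)    /* $HOME unset and nothing configured */
        return -1;
    n = snprintf(out, outsz, "%s/%s", dir, file);
    if (n < 0 || (size_t)n >= outsz) {
        out[0] = '\0';                  /* never leave a truncated path behind */
        return -1;
    }
    return 0;
}

/* Constructed input: a home directory longer than BUFSIZ, the kind of value
 * that makes the unbounded sprintf in the quoted snippet run past buffer[]. */
int rejects_oversized_home(void)
{
    char buffer[BUFSIZ];
    char *longhome = malloc(BUFSIZ + 100);
    int rc;
    if (longhome == NULL)
        return 0;
    memset(longhome, 'A', BUFSIZ + 99);
    longhome[BUFSIZ + 99] = '\0';
    rc = build_maildrop_path(buffer, sizeof buffer, "", "", "alice", longhome);
    free(longhome);
    return rc == -1 && buffer[0] == '\0';
}

int main(void)
{
    printf("oversized home rejected: %s\n", rejects_oversized_home() ? "yes" : "no");
    return 0;
}
```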