[7043] in bugtraq
Re: security hole in mailx
daemon@ATHENA.MIT.EDU (Alvaro Martinez Echevarria)
Fri Jun 26 16:56:58 1998
Date: Fri, 26 Jun 1998 06:12:11 +0200
Reply-To: Alvaro Martinez Echevarria <alvaro@lander.es>
From: Alvaro Martinez Echevarria <alvaro@LANDER.ES>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <199806251005.MAA26779@romulus>
On Thu, 25 Jun 1998, Casper Dik wrote:
> It should be noted that homedir itself, at least on Solaris,,
> is a char homedir[PATHSIZE] which is copied from the environment.
> (This never stops to amaze me; why *copy* the result from getenv()?)
> You'd want to fix the overflow of homedir too; looks like there
> are a few other overflows as well.
Under the Linux sources, homedir is a char *, that is malloc'ed
and filled from the environment variable value. A nice way to
waste some CPU, yeah.
By the way, assuming that homedir is a global variable in
Solaris, that could be the reason why the overflow doesn't seem
to reach the stack (such has been reported to me in several
messages). But that may have changed in the last version: a 5.6
mailx with the latest patches applied dies by "Bus Error" (as
reported by Jared Buntain) instead of "Segmentation Fault". I
haven't checked it, but sounds to me like a stack overflow.
> I don't particularly care for arguments as "seem exploitable".
> The homedir data segment buffer overflow may well be exploitable;
> in the Solaris sources, there is at least one other buffer overflow
> on the stack.
Of course, the patch I sent addresses all the buffer overflows I
detected after a quick inspection. Not only the "seems
exploitable" one.
Regards.
.------------------------------------------------------------------.
| Alvaro Mart=EDnez Echevarr=EDa | LANDER SISTEMAS =
|
| alvaro@lander.es | P=BA Castellana, 121 |
`--------------------------------| 28046 Madrid, SPAIN |
| Tel: +34-91-5562883 |
| Fax: +34-91-5563001 |
`---------------------------------'
