See attached. Red Hat Linux package mh-6.8.3-13.i386.rpm installs the
inc and msgchk programs as follows:
-rwsr-sr-x- root mail 72628 Oct 17 16:57 /usr/bin/mh/inc
-rwsr-xr-x- root root 52536 Oct 17 16:57 /usr/bin/mh/msgchk
Hal
X-Envelope-From: nmh-workers-request@euclid.skiles.gatech.edu Tue Jul 29 03:56:50 1997
Return-Path: <nmh-workers-request@euclid.skiles.gatech.edu>
Received: from almond.bmc.com (almond.bmc.com [172.17.0.100]) by erehwon.bmc.com (8.8.5/8.8.5) with ESMTP id DAA12260 for <hdevore@erehwon.bmc.com>; Tue, 29 Jul 1997 03:56:49 -0500
Received: (from uucp@localhost) by almond.bmc.com (8.8.6/8.8.6) id DAA22043 for <hdevore@erehwon.bmc.com>; Tue, 29 Jul 1997 03:56:48 -0500 (CDT)
Received: from euclid.skiles.gatech.edu(130.207.146.50) by almond.bmc.com via smap (V2.0) id xma022040; Tue, 29 Jul 97 03:56:30 -0500
Received: (from list@localhost) by euclid.skiles.gatech.edu (8.8.5/8.8.5) id EAA15255; Tue, 29 Jul 1997 04:55:22 -0400 (EDT)
Resent-Date: Tue, 29 Jul 1997 04:55:22 -0400 (EDT)
To: nmh-workers@math.gatech.edu
Organization: IT Vulnerabilities Group, DERA Malvern, UK
Subject: Buffer Overrun in ruserpass() in MH and NMH (fwd)
Date: Tue, 29 Jul 1997 09:55:38 +0100
Message-ID: <9490.870166538@cray.eris.dera.gov.uk>
From: Christopher Samuel <C.Samuel@eris.dera.gov.uk>
Resent-Message-ID: <"g5z9W1.0.Jk3.v_Qtp"@euclid>
Resent-From: nmh-workers@math.gatech.edu
X-Mailing-List: <nmh-workers@math.gatech.edu> archive/latest/503
X-Loop: nmh-workers@math.gatech.edu
Precedence: list
Resent-Sender: nmh-workers-request@math.gatech.edu
-----BEGIN PGP SIGNED MESSAGE-----
This is taken from the bugtraq security mailing list. The original
poster isn't quite specific enough: the programs that use it are
bbc, inc, mhn, msgchk and popi, and they are only a security hole
if installed suid (which some are, to enable RPOP to work).

I would suggest that nmh should use one of the publicly available
snprintf() functions to avoid such overruns in future. Several have
been posted to bugtraq, and I can forward them on if required.

Hope this is of some use!

Chris

--
Christopher Samuel, IT Vulnerabilities Group, C.Samuel@eris.dera.gov.uk
N-115, Defence Research Agency, St Andrews Road, Great Malvern, England, UK
DISCLAIMER: I write only for myself, not for DRA. Phone: +44 1684 894644
+MIME+ +QMAIL+ +PGP+
------- Forwarded Messages

Date: Sat, 26 Jul 1997 18:08:00 -0600
Subject: Multiple bugs in MH-6.8.3 (Mail Handler program)
From: Matt Conover <shok@COBRA.ONLINEX.NET>
To: BUGTRAQ@NETSPACE.ORG
Message-ID: <33DA915F.35ED2B71@onlinex.net>
Okay, there is an overflow in MH-6.8.3, which is suid, which I THINK (not
sure) is installed, at least in Redhat 4.1+, by default (I think this
is installed within the mail package regardless of distribution, but I
never specifically installed it). This actually has a few overflows (I
haven't actually tested this but it looks quite obvious, you'll have to
test it yourself).

The only one I'm going to describe is the program 'msgchk', which is suid
(on my server it's installed by default in /usr/bin/mh/msgchk (in
function checkmail); you would also want to check /usr/lib/mh/msgchk.
(You ought to look through the code yourself..I notice quite a few
bugs..this program relies heavily on buffers and environmental variables)

This is pretty straightforward.
    char *hdir, buf[BUFSIZ], *tmp;

    hdir = getenv("HOME");
    if (hdir == NULL)
        hdir = ".";
    (void) sprintf(buf, "%s/.netrc", hdir);

(BUFSIZ: not sure of the exact value..check the *.h files..for test
purposes, if you try to overflow this, just use a size of 9999, just to
see if it segfaults.)
Obviously it never even checks the value of hdir..so export your home
directory to something very large (if this doesn't work, they still
disobeyed something that libc specifically says not to do...they say to
use (can't remember the exact function) _secure_getenv,
_securelib_getenv (??) something like that..and they also said NOT to
define it to set the HOME to "." (the current path) for reasons that
someone could link .netrc to something and since it's suid... test this
yourself..I don't have too much time

Matt Conover (shok@onlinex.net -- Shok).
------- Message 2

Date: Mon, 28 Jul 1997 23:27:48 +0100
Subject: Re: Multiple bugs in MH-6.8.3 (Mail Handler program)
From: Alan Cox <alan@LXORGUK.UKUU.ORG.UK>
To: BUGTRAQ@NETSPACE.ORG
Message-ID: <m0wsyGa-0005FiC@lightning.swansea.linux.org.uk>
> ruserpass(host,&user,&pass); is found in msgchk.c, in checkremote() or
> something like that... meaning that the host aren't vulnerable if not
> configured.. this is from a system where mh was installed w/o being

Also that means ruserpass() from libc isn't being used, which is probably
bad as most libc's have this fixed. (The hole above btw is in all the old
BSD derived libc's) but very very few current ones.

------- End of Forwarded Messages
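As an added illustration (not code from MH, nmh, or any of the posts above): the getenv()/sprintf() pattern Matt quotes from msgchk.c, beside a version that bounds the copy with snprintf() as Chris suggests, refuses the "." fallback, and, when running setuid, takes the home directory from the password database rather than from an environment the caller controls. The function names netrc_path_unsafe(), netrc_path_safe() and trusted_home(), and the 9999-byte HOME string in main(), are assumptions made for this example; msgchk's real code is only the fragment quoted in the post.

```c
/* Added example, not MH/nmh code: the quoted msgchk.c pattern and a
 * hardened replacement. Compile with: cc -Wall -o netrc netrc.c */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <pwd.h>
#include <sys/types.h>

/* The pattern from the post: an attacker-chosen $HOME is copied into a
 * fixed-size buffer with no length check, and a missing $HOME silently
 * becomes ".", so a setuid program would read ./.netrc from wherever it
 * was started. Kept only for comparison; never called below. */
void netrc_path_unsafe(char *buf)
{
    char *hdir = getenv("HOME");
    if (hdir == NULL)
        hdir = ".";
    (void) sprintf(buf, "%s/.netrc", hdir);
}

/* Hardened version. The home directory is passed in so the function can
 * be exercised without touching the real environment. Returns 0 and
 * fills buf on success, -1 if the home is unusable or the path would not
 * fit in buflen bytes (fail closed instead of overflowing). */
int netrc_path_safe(const char *hdir, char *buf, size_t buflen)
{
    int n;

    /* No home, an empty home, or a relative one (including ".") is
     * refused rather than defaulted. */
    if (hdir == NULL || hdir[0] != '/')
        return -1;

    /* snprintf never writes past buflen; its return value tells us how
     * long the full string would have been, so a truncated result is
     * detectable and rejected. */
    n = snprintf(buf, buflen, "%s/.netrc", hdir);
    if (n < 0 || (size_t)n >= buflen)
        return -1;
    return 0;
}

/* Which home a setuid program should trust (assumed helper). When the
 * real and effective uid differ, $HOME was set by an unprivileged
 * caller; use the password-database entry for the real uid instead. */
const char *trusted_home(void)
{
    if (getuid() != geteuid()) {
        struct passwd *pw = getpwuid(getuid());
        return pw ? pw->pw_dir : NULL;
    }
    return getenv("HOME");
}

int main(void)
{
    char buf[BUFSIZ];
    char longhome[10000];      /* constructed: a 9999-byte absolute path */

    memset(longhome, 'A', sizeof longhome - 1);
    longhome[0] = '/';
    longhome[sizeof longhome - 1] = '\0';

    printf("normal HOME:    rc=%d path=%s\n",
           netrc_path_safe("/home/hal", buf, sizeof buf), buf);
    printf("9999-byte HOME: rc=%d (rejected, not overflowed)\n",
           netrc_path_safe(longhome, buf, sizeof buf));
    printf("unset HOME:     rc=%d (rejected, no \".\" fallback)\n",
           netrc_path_safe(NULL, buf, sizeof buf));
    printf("HOME=\".\":       rc=%d\n",
           netrc_path_safe(".", buf, sizeof buf));
    return 0;
}
```

Running the binary with `HOME=$(head -c 9999 /dev/zero | tr '\0' A)` exercises the same input Matt proposes for the original; the hardened path returns -1 instead of writing past buf.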