Bugtraq mailing list archives

Re: Multiply bugs in MH-6.8.3 (Mail Handler program)
From: shok () COBRA ONLINEX NET (Matt Conover)
Date: Mon, 28 Jul 1997 22:51:48 -0600

No actually you're wrong...there are two different overflows...this is why
I said there are MULTIPLE bugs...I just only mentioned one..because that
one is used in checkmail() and it will be called but there is an
static int  checkmail (user, home, datesw, notifysw, personal)
register char *user, *home;
int     datesw,
    int     mf,
    char    buffer[BUFSIZ];
    struct stat st;

    (void) sprintf (buffer, "%s/%s",
            mmdfldir[0] ? mmdfldir : home,
            mmdflfil[0] ? mmdflfil : user);

The exception is if mmdfldir[0] is true..otherwise this WILL get called
and this is directly in msgchk.c checkmail() NOT in ruserpass.c that is a
completely different overflow

On Mon, 28 Jul 1997 nolander () NOLANDER PP SE wrote:

Okay there is an overflow in MH-6.8.3, which is suid, which I THINK (not
sure), is installed, at least in Redhat 4.1+,  by default (I think this

  char *hdir, buf[BUFSIZ], *tmp;
        purposes if you try to overflow this...just use a size of 9999, just to see if it

        hdir = getenv("HOME");
        if (hdir == NULL)
                hdir = ".";
        (void) sprintf(buf, "%s/.netrc", hdir);

All this was in ruserpass.c...

ruserpass(host,&user,&pass); is found in msgchk.c, in checkremote() or
something like that... meaning that the host isn't vulnerable if not
configured.. this is from a system where mh was installed w/o being
configured (default)

[nolander () sangis nolander]$ /usr/bin/mh/msgchk -host muroff
msgchk: no servers available

check mana mh-tailor for more info about this server stuff :)
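
Both fragments quoted in this message use sprintf() to build a "%s/%s" path from caller-supplied strings into a BUFSIZ stack buffer. The following is an added example, not MH code and not written by either poster, of the same path construction with the length checked; build_path, netrc_path and try_home_len are hypothetical names and the sample values are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not MH code): write "<dir>/<file>" into out[outlen].
 * Returns 0 on success, -1 if the result does not fit. */
static int build_path(char *out, size_t outlen, const char *dir, const char *file)
{
    int n;

    if (outlen == 0)
        return -1;
    n = snprintf(out, outlen, "%s/%s", dir, file);
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';              /* never pass a truncated path on */
        return -1;
    }
    return 0;
}

/* ruserpass.c pattern, bounded: $HOME is caller-controlled in a suid program. */
static int netrc_path(char *out, size_t outlen, const char *home)
{
    return build_path(out, outlen, home ? home : ".", ".netrc");
}

/* Constructed input: a HOME of `len` 'A' bytes; returns netrc_path()'s result. */
static int try_home_len(size_t len)
{
    static char home[16384];
    char buf[BUFSIZ];

    if (len >= sizeof home)
        return -1;
    memset(home, 'A', len);
    home[len] = '\0';
    return netrc_path(buf, sizeof buf, home);
}

int main(void)
{
    char buf[BUFSIZ];
    /* checkmail()'s "%s/%s" with constructed values for home and user */
    int rc = build_path(buf, sizeof buf, "/home/alice", "alice");

    printf("maildrop path: %d (%s)\n", rc, buf);
    printf("HOME of 9999 bytes: %d\n", try_home_len(9999));
    return 0;
}
```

The caller has to treat -1 as a hard failure and stop, since a silently truncated path names a different file.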
