Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: Multiply bugs in MH-6.8.3 (Mail Handler program)
From: shok () COBRA ONLINEX NET (Matt Conover)
Date: Mon, 28 Jul 1997 22:51:48 -0600


No actually you're wrong...there are two different overflows...this is why
I said there are MULTIPLE bugs...I just only mentioned one..because that
one is used no checkmail() and it will be called but there is an
exception:
static int  checkmail (user, home, datesw, notifysw, personal)
register char *user, *home;
int     datesw,
        notifysw,
        personal;
{
    int     mf,
            status;
    char    buffer[BUFSIZ];
    struct stat st;

    (void) sprintf (buffer, "%s/%s",
            mmdfldir[0] ? mmdfldir : home,
            mmdflfil[0] ? mmdflfil : user);

The exception is if mmdfldir[0] is true..otherwise this WILL get called
and this is directly in msgchk.c checkmail() NOT in ruserpass.c that is a
completely different overflow

On Mon, 28 Jul 1997 nolander () NOLANDER PP SE wrote:

Okay there is an overflow in MH-6.8.3, which is suid, which I THINK (not
sure), is installed, at least in Redhat 4.1+,  by default (I think this

  char *hdir, buf[BUFSIZ], *tmp;
                                             purposes if you try to
overflow this...just use a size
                                             of 9999, just to see if it
segfaults.

        hdir = getenv("HOME");
        if (hdir == NULL)
                hdir = ".";
        (void) sprintf(buf, "%s/.netrc", hdir);

All this was in ruserpass.c...

ruserpass(host,&user,&pass); is found in msgchk.c, in checkremote() or
something like that... meaning that the host aren't vulnerable if not
configured.. this is from a system where mh was installed w/o being
configured (default)

[nolander () sangis nolander]$ /usr/bin/mh/msgchk -host muroff
msgchk: no servers available

check mana mh-tailor for more info about this server stuff :)




  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]