|
Vulnerability Development
mailing list archives
Re: /usr/bin/Mail buffer 0verfl0w
From: Knud Erik Hojgaard - CyberCity Support <kain () PERKER DK>
Date: Fri, 2 Mar 2001 10:29:55 +0100
redhat 6.0 runs with same version of mail, and with the same result. so does
redhat 6.2.
Med venlig hilsen
Knud Erik Hojgaard <knud () cybercity dk>
Cybercity Erhvervssupport <support () erhverv cybercity dk>
http://www.cybercity.dk/support
Tlf 33 98 30 60
|-- Jesus saves, but only Buddha makes incremental backups --|
-----Original Message-----
From: VULN-DEV List [mailto:VULN-DEV () SECURITYFOCUS COM]On Behalf Of
syzop
Sent: 2. marts 2001 03:48
To: VULN-DEV () SECURITYFOCUS COM
Subject: Re: /usr/bin/Mail buffer 0verfl0w
Enrique Maglietta wrote:
& t 0 x 2240
0:Invalid message number
"Source" stack over-pop
Segmentation Fault
I'm test on a SuSE 7.0 , and there is no problem
& t 0x2240
0: Invalid message number
& t 0 x 2240
0: Invalid message number
&
SosPiro should have explained it better,
When somebody says
& t 0 x 2240
not everybody understands you are sending 2240 zero's,
it is better to write something like:
& t [2240x'0']
which is often used :)
Anyway... Tested here with Debian 2.2:
Mail version 8.1 6/6/93. Type ? for help.
-- snip --
& t 0x2240
0: Invalid message number
& t 0 x 2240
0: Invalid message number
& t 0000000000000000[etc (2300 times)]
0: Invalid message number
"Source" stack over-pop.
Segmentation fault
That's the latest version (I've verified my version with the latest version
available at debians website).
Also, Markus wrote:
Bug the bug is there, a guy called Kengz www.kengz.org
made a exploit time ago.
My nameserver says (www.)kengz.org doesn't exist so I couldn't verify :(.
if /usr/bin/Mail is setgid
but it is not setgid,setuid for default.
it is sgid mail on Debian, so if this is exploitable... :)
Cya
Syzop.
 By Date 
By Thread
Current thread:
| 
Intro
