Vulnerability Development
mailing list archives
Re: /usr/bin/Mail buffer 0verfl0w
From: Markus <ml () pixxelfactory net>
Date: Thu, 1 Mar 2001 17:12:06 +0100
Sospiro
But the bug is there; a guy called Kengz (www.kengz.org)
made an exploit some time ago.
I tested it against Slackware 7.x | Redhat 6.x | Redhat 7.x | Still works
/*
Slackware 7.1 /usr/bin/Mail Exploit
give gid=1 ( bin )
if /usr/bin/Mail is setgid
but it is not setgid,setuid for default.
tested on my box ( sl 7.1 )
crazy exploited by kengz.
GID.... \x01 = 1 (bin) , \x02 = 2 , \x03 = 3 , ...
\x0a = 10 \x0b = 11 ....
*/
----- Original Message -----
From: "SosPiro" <sospiro () FREEMAIL IT>
To: <VULN-DEV () SECURITYFOCUS COM>
Sent: Wednesday, February 28, 2001 8:29 PM
Subject: /usr/bin/Mail buffer 0verfl0w
I found a buffer overflow in /usr/bin/Mail, it's suid by default on my
Slackware 7.00 K2.2.13
This is the problem:
SunsetZer0:#Mail
Mail version 8.1 6/6/93. Type ? for help
"/var/spool/mail/root": 2 messages 2 unread
U 1 root Thu Sep 15 02:23 33/1257 "hole in /usr/bin/Mail"
U 2 sospiro Sat Oct 9 18:19 126/6192 "Owned!Owned!"
& t 0 x 2240
0:Invalid message number
"Source" stack over-pop
Segmentation Fault
sospiro
"ALl We WaNt is T0 bE HapPy"
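The two posts disagree on whether Mail ships setuid or setgid, and Markus notes the payoff is only gid 1 (bin) when it is setgid. The script below is an added example, not code from either poster or from kengz: it audits the mail binaries on the local host and states what privilege boundary a crash in each would cross. It assumes GNU stat (Linux); the candidate path list is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): audit mail binaries for set-id bits.
# Assumes GNU coreutils stat; the candidate paths are a constructed list.

# Classify an octal mode string as printed by `stat -c %a` (755, 4755, 2755, ...).
setid_flags() {
    mode=$1
    # Pad to four digits so the special-bits digit is always the first one.
    while [ ${#mode} -lt 4 ]; do mode="0$mode"; done
    case $mode in
        6???|7???) echo "setuid+setgid" ;;
        4???|5???) echo "setuid" ;;
        2???|3???) echo "setgid" ;;
        *)         echo "none" ;;
    esac
}

# Describe what a set-id bit hands to a local user, given the file's owner/group.
setid_impact() {
    flags=$1 owner=$2 group=$3
    case $flags in
        setuid+setgid) echo "runs as user $owner and group $group: a crash there is a user-level boundary crossing" ;;
        setuid)        echo "runs as user $owner: a crash there is a user-level boundary crossing" ;;
        setgid)        echo "runs as group $group: a crash there is a group-level boundary crossing" ;;
        *)             echo "no privilege boundary crossed" ;;
    esac
}

# Report each candidate path that exists on this host.
audit_mail_binaries() {
    for f in /usr/bin/Mail /usr/bin/mail /usr/bin/mailx /bin/mail; do
        [ -e "$f" ] || continue
        mode=$(stat -c %a "$f"); owner=$(stat -c %U "$f"); group=$(stat -c %G "$f")
        flags=$(setid_flags "$mode")
        printf '%s mode=%s owner=%s group=%s flags=%s: %s\n' \
            "$f" "$mode" "$owner" "$group" "$flags" \
            "$(setid_impact "$flags" "$owner" "$group")"
    done
}

audit_mail_binaries
```

A host where every line reports `flags=none` matches Markus's default; any `setuid` or `setgid` line is the configuration SosPiro describes and should be cleared with chmod if the local mail setup does not require it.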