SecurityTracker.com
Category:   Application (E-mail Client)  >  Elm
Vendor:   HPE
HP-UX Ships With A Vulnerable Version of the Elm Mail Client That May Allow Access to the Mail of Other Users
SecurityTracker Alert ID:  1001055
SecurityTracker URL:  http://securitytracker.com/id/1001055
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Mar 10 2001
Impact:   User access via local system
Exploit Included:  Yes  
Version(s): HP-UX 11.00; possibly others
Description:   HP-UX 11.00 reportedly ships with a vulnerable version of the elm mail client, which contains a buffer overflow. This could allow a local user to read or modify other users' mail.

The affected elm mail client (2.5.alpha3) contains a buffer overflow vulnerability in the -s (subject) argument. Because elm sets its group id to "mail" upon execution, an authorized local user could use this vulnerability to obtain effective group id privileges for the group "mail" and, as a result, could read or modify other users' mail.

Version 2.5.0 appears to have the bug fixed.

Impact:   Because this program sets its group id to "mail", an authorized local user could use this vulnerability to obtain effective group id privileges for the group "mail" and read or modify other users' mail.
Solution:   Elm 2.5.0 appears to not be vulnerable to this problem
Vendor URL:  www.hp.com
Cause:   Boundary error
Underlying OS:  UNIX (HP/UX)
Underlying OS Comments:  possibly other OSs with elm-2.5.alpha3

Message History:   None.


Source Message Contents

Subject:  HP-UX 11 elm -s possible local egid mail compromise


- Introduction:

HP-UX 11.00 ships with a vulnerable version of the elm MUA; it contains a
buffer overflow vulnerability in the -s (subject) argument.

I found that version 2.5.0 had the bug fixed, so I looked for older versions
to check, and it seems that the most recent version to contain this bug was
2.5.alpha3.


- Platforms:

I have only tested this on HP-UX 11.00, although any system shipped with
elm-2.5.alpha3 is almost certainly affected by this bug.


- Impact:

This program is setgid mail, so a local attacker could gain egid mail on the
system and read/modify other users' mail.


- Example:

(achter05@oege) /user2/i99/achter05 $ uname -a
HP-UX oege B.11.00 D 9000/887 1948791292 64-user license
(achter05@oege) /user2/i99/achter05 $ elm -s `perl -e '{print "A"x5376}'` some_recipient
Segmentation fault
(achter05@oege) /user2/i99/achter05 $

5376 characters worked for me; you might need a bit more or a bit less to
accomplish the same effect on your system.


- Problematic code:

in args.c, function 'parse_arguments':

         to_whom[0] = '\0';
         batch_subject[0] = '\0';
         included_file[0] = '\0';

         while ((c = getopt(argc, argv, "?acd:f:hi:kKms:tVvz")) != EOF) {
            switch (c) {
              case 'a' : arrow_cursor++;         break;
              case 'c' : check_only++; use_tite = 0;     break;
              case 'd' : debug = atoi(optarg);   break;
 >>           case 'f' : strcpy(req_mfile, optarg);      break;
              case '?' :
              case 'h' : args_help();
 >>           case 'i' : strcpy(included_file, optarg);  break;
              case 'k' : hp_terminal++;  break;
              case 'K' : hp_terminal++; hp_softkeys++;   break;
              case 'm' : mini_menu = 0;  break;
 >>           case 's' : strcpy(batch_subject, optarg);  break;
              case 't' : use_tite = 0;   break;
              case 'V' : sendmail_verbose++;     break;
              case 'v' : args_version();
              case 'z' : check_size++;   break;
             }
          }

I've also pointed out other insecure (non-bounds-checking) strcpy() calls,
but those vulnerabilities have been reported before. I wonder why I haven't
been able to come across any advisory on the -s overflow.

All vulnerable strcpy() statements copy a user-supplied string into a
buffer of SLEN (256) bytes. Feeding any of these options a string of 256 or
more characters overflows the buffer (the terminating NUL needs a byte too);
a sufficiently long one crashes the program, as in the example above.

hdrs/defs.h:#define SLEN                256         /* long for ensuring no overwrites... */

It's interesting to see that the author thought his buffers were safe by
using a seemingly large buffer length. Another thing that raised my eyebrows
was the fact that the '-f' overflow was in fact fixed in this install and the
'-i' and '-s' were not (while suffering from the exact same overflow
conditions).


- Fix:

HP-UX 11.00 ships with an older (hacked?) version of the elm MUA, so all
you'd have to do is download the latest stable version (2.5.3) from:

http://www.instinct.org/elm/files/tarballs/elm2.5.3.tar.gz

You could also remove the setgid bit and wait for HP to officially issue a
patch. Note that elm is setgid mail so that it can create lock files in the
mail spool directory; after removing the bit, check that reading and locking
mailboxes still works with your spool permissions.


- Vendor status:

HP was notified a couple of weeks ago.


- Shout outs:

Greetings fly out to xpc, 84/tcp and #darknet.


 
 


Copyright 2019, SecurityGlobal.net LLC