SecurityTracker.com
Category:   Application (E-mail Server)  >   Bulk Mailer
Vendors:   Moore, Keith
Bulk Mailer Software Buffer Overflow and Race Condition May Let Local Users Obtain Root Level Access
SecurityTracker Alert ID:  1003993
SecurityTracker URL:  http://securitytracker.com/id/1003993
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Apr 8 2002
Impact:   Modification of system information, Root access via local system
Vendor Confirmed:  Yes  
Version(s): 1.13
Description:   Several vulnerabilities were reported in the 'Bulk Mailer' software. A local user could obtain root level access on the system.

It is reported that the software contains multiple flaws, including an off-by-one error in backslash handling, a buffer overflow when appending the local domain to an address, and a /tmp file race condition in temporary file creation.

Impact:   A local user may be able to modify files with root level privileges, gaining root level access on the system.
Solution:   An unofficial patch is available in the Source Message. There was no official patch available at the time of this entry.
Vendor URL:  freshmeat.net/projects/bulkmailer/?topic_id=30%2C32
Cause:   Access control error, State error
Underlying OS:  Linux (Any), UNIX (Any)
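As an added example (not code from bulk_mailer or from the patch in the source message), the bounds check that a safe "append the local domain" step needs, written as a stand-alone function; `append_local_domain`, `demo` and the example domain are this example's own names, not the project's:

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not bulk_mailer's own code. Qualify an address that
 * carries no '@' by appending "@local_domain" in place, but refuse when
 * the result would not fit in buf[bufsz] instead of overflowing.
 * Returns  0 if the domain was appended,
 *          1 if buf already contained an '@' (left untouched),
 *         -1 if appending would overflow (buf left untouched). */
int append_local_domain(char *buf, size_t bufsz, const char *local_domain)
{
    size_t len = strlen(buf);
    size_t need;

    if (strrchr(buf, '@') != NULL)
        return 1;                         /* already fully qualified */

    /* bytes needed: address, '@', domain, terminating NUL */
    need = len + 1 + strlen(local_domain) + 1;
    if (need > bufsz)
        return -1;                        /* reject; never truncate silently */

    buf[len] = '@';
    memcpy(buf + len + 1, local_domain, strlen(local_domain) + 1);
    return 0;
}

/* Constructed checks: a comfortable fit, an exact fit, a buffer one byte
 * too small, and an already-qualified address. Returns 1 when all pass. */
int demo(void)
{
    char fits[32]  = "alice";
    char exact[18] = "alice";   /* "alice@example.org" is 17 chars + NUL */
    char tight[17] = "alice";   /* one byte too small for the same result */
    char done[32]  = "bob@example.net";

    if (append_local_domain(fits, sizeof fits, "example.org") != 0) return 0;
    if (strcmp(fits, "alice@example.org") != 0) return 0;
    if (append_local_domain(exact, sizeof exact, "example.org") != 0) return 0;
    if (append_local_domain(tight, sizeof tight, "example.org") != -1) return 0;
    if (strcmp(tight, "alice") != 0) return 0;   /* untouched on rejection */
    if (append_local_domain(done, sizeof done, "example.org") != 1) return 0;
    return 1;
}

int main(void)
{
    printf("append_local_domain checks %s\n", demo() ? "pass" : "FAIL");
    return demo() ? 0 : 1;
}
```

The `sizeof` arguments only give the real size because each buffer is a local array; a pointer parameter must have its size passed in explicitly.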

Message History:   None.


 Source Message Contents

Subject:  Security problems with bulk_mailer 1.13


http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=112007

Message received at submit@bugs.debian.org:


Received: (at submit) by bugs.debian.org; 11 Sep 2001 16:04:05 +0000
From jgoerzen@complete.org Tue Sep 11 11:04:05 2001
Return-path: <jgoerzen@complete.org>
Received: from pi.glockenspiel.complete.org [64.242.77.171] (postfix)
        by master.debian.org with esmtp (Exim 3.12 1 (Debian))
        id 15gq17-00012j-00; Tue, 11 Sep 2001 11:04:05 -0500
Received: from alexanderwohl.complete.org
(168-215-193-242.dslindiana.com [168.215.193.242])
        (using TLSv1 with cipher EDH-RSA-DES-CBC3-SHA (168/168 bits))
        (Client CN "alexanderwohl.complete.org", Issuer CN "John Goerzen
-- Root CA" (verified OK))
        by pi.glockenspiel.complete.org (Postfix) with ESMTP
        id 2EF343B820; Tue, 11 Sep 2001 11:04:04 -0500 (EST)
Received: by alexanderwohl.complete.org (Postfix, from userid 1000)
        id 6B5797815; Tue, 11 Sep 2001 11:03:49 -0500 (EST)
To: submit@bugs.debian.org
Subject: [BORBELY Zoltan <bozo@andrews.hu>] Security problems with
 bulk_mailer 1.13
From: John Goerzen <jgoerzen@complete.org>
Date: Tue, 11 Sep 2001 11:03:49 -0500
Message-ID: <8766apg1ei.fsf@complete.org>
Lines: 138
User-Agent: Gnus/5.090004 (Oort Gnus v0.04) XEmacs/21.4 (Artificial
 Intelligence)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=-=-="
Delivered-To: submit@bugs.debian.org

--=-=-=

Package: bulkmailer


--=-=-=
Content-Type: message/rfc822
Content-Disposition: inline

X-Addr-Extension: 
Return-Path: <bozo@andrews.hu>
Delivered-To: jgoerzen@complete.org
Received: from legba.tvnet.hu (legba.tvnet.hu [195.38.96.20])
        by pi.glockenspiel.complete.org (Postfix) with ESMTP id
3D9863B811
        for <jgoerzen@complete.org>; Thu,  6 Sep 2001 07:35:41 -0500
(EST)
Received: from dolphin.home (dragon.satimex.tvnet.hu [195.38.110.227])
        by legba.tvnet.hu (8.9.3+Sun/8.9.3) with ESMTP id OAA05690;
        Thu, 6 Sep 2001 14:35:24 +0200 (MEST)
Received: (from bozo@localhost)
        by dolphin.home (8.11.0/8.11.0) id f86CZM002827;
        Thu, 6 Sep 2001 14:35:22 +0200
Date: Thu, 6 Sep 2001 14:35:22 +0200
From: BORBELY Zoltan <bozo@andrews.hu>
To: Keith Moore <moore@cs.utk.edu>
Cc: John Goerzen <jgoerzen@complete.org>
Subject: Security problems with bulk_mailer 1.13
Message-ID: <20010906143522.A2815@dolphin.home>
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===-=-="

--===-=-=
Content-Disposition: inline

Hello,

During a routine audit I've found some security holes in bulk_mailer
1.13. The attached patch will eliminate these problems.

Hunk#1:
an off-by-one error during \ handling (lines 422, 452, 471)

Hunk#2:
a buffer overflow when appending the local domain

Hunk#3:
OK, it isn't a serious problem, just a little paranoia. You can drop it
if you wish :-)

Hunk#4:
more little paranoid corrections, reject them if you wish :-)

Hunk#5 & Hunk#6:
the original version contains a tmp race; this is a really serious
problem.


TIA,
Zoltan BORBELY

--===-=-=
Content-Disposition: attachment;
  filename=bulk_mailer-1.13-security.patch

diff -r -u bulk_mailer-1.13-orig/bulk_mailer.c
bulk_mailer-1.13-ok/bulk_mailer.c
--- bulk_mailer-1.13-orig/bulk_mailer.c Wed May 24 21:34:33 2000
+++ bulk_mailer-1.13-ok/bulk_mailer.c   Thu Sep  6 14:12:51 2001
@@ -399,7 +399,7 @@
     s = buf;
     d = result;
     while (*s) {
-       if (d >= result+sizeof(result)-1) {
+       if (d >= result+sizeof(result)-2) {
            fprintf (stderr, "prefrobnicate: line too long \"%s\"\n",
buf);
            return "";
        }
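Review bot: the tightened bound `d >= result+sizeof(result)-2` is only correct if every loop iteration stores at most two bytes (an escaped character plus the byte after it, or a character plus the terminating NUL) before the check runs again; the message cites lines 422, 452 and 471 as the places that handle `\`, but none of them is in this hunk, so confirm that each write at those lines is covered by this single check rather than needing its own. A one-line comment saying why the reserve is 2 would keep the next maintainer from "fixing" it back to 1. Note also that `sizeof(result)` only yields the buffer size if `result` is a local array, not a pointer parameter.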
@@ -516,6 +516,10 @@
     if ((at = strrchr (buf, '@')) == NULL) {
        if (local_domain) {
            at = buf + strlen (buf);
+           if ( at-buf+1+strlen (local_domain)+1 >= 1024 ) {
+               discard (buf, "address too long to append
local_domain");
+               return;
+           }
            *at++ = '@';
            (void) strcpy (at--, local_domain);
        }
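Review bot: the new length check hard-codes `1024` where the size should come from the buffer itself: if `buf` is a local array use `sizeof(buf)`, and if it is a pointer parameter pass the size in, otherwise a later change to the buffer's declaration silently invalidates the check. The arithmetic is right (current length, '@', domain, NUL, rejected once it reaches the size), so with the real size in place the unchanged `strcpy (at--, local_domain)` is safe because the space has just been verified.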
@@ -576,7 +580,7 @@
     if (debug_flag)
        fp = stderr;
     else {
-       sprintf (command_buf, PIPECOMMAND, sendmail_flags);
+       snprintf (command_buf, sizeof(command_buf), PIPECOMMAND,
sendmail_flags);
 
        if ((fp = popen (command_buf, "w")) == NULL) {
            fprintf (stderr, "can't open pipe to sendmail: %s\n",
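Review bot: `snprintf` removes the overflow but truncates silently, and the truncated `PIPECOMMAND` is then handed straight to `popen`, so an over-long `sendmail_flags` would still run a mangled shell command; check the return value and treat a result `>= sizeof(command_buf)` (or a negative one, on pre-C99 implementations) as an error instead of opening the pipe. As in the other hunks, `sizeof(command_buf)` is only valid if `command_buf` is an array.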
@@ -1284,13 +1288,13 @@
 
            if (hp) {
                if (strchr (hp->h_name, '.')) {
-                   strcpy (buf, hp->h_name);
+                   snprintf (buf, sizeof(buf), "%s", hp->h_name);
                    return buf;
                }
                else {
                    for (i = 0; hp->h_addr_list[i]; ++i) {
                        if (strchr (hp->h_addr_list[i], '.')) {
-                           strcpy (buf, hp->h_addr_list[i]);
+                           snprintf (buf, sizeof(buf), "%s",
hp->h_addr_list[i]);
                            return buf;
                        }
                    }
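Review bot: same truncation caveat as the `command_buf` hunk: `snprintf (buf, sizeof(buf), "%s", ...)` hands back a silently shortened hostname instead of failing, so the caller would use a wrong domain; compare the return value with `sizeof(buf)` and fail on truncation. Separately, the unchanged lines treat `hp->h_addr_list[i]` as a string, but in `struct hostent` the `h_addr_list` entries are raw binary addresses of `h_length` bytes with no terminator, so `strchr` and `%s` read past the address; the code most likely meant `h_aliases`, or should format the address with `inet_ntoa` before looking for a '.'.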
@@ -1331,6 +1335,7 @@
     FILE *tmp;
     static char template[] = "/tmp/blkXXXXXX";
     char *tempname;
+    int tmpfd;
     int c;
     char buf[1024];
 
@@ -1513,8 +1518,12 @@
        exit (EX_OSFILE);
     }
 
-    tempname = mktemp (template);
-    tmp = fopen (template, "w");
+    if ( (tmpfd = mkstemp (template)) < 0 || (tmp = fdopen (tmpfd,
"w")) == NULL ) {
+       fprintf (stderr, "bulk_mailer: error creating temp file:\n");
+       fprintf (stderr, "%s\n", strerror (errno));
+       exit (EX_TEMPFAIL);
+    }
+    tempname = template;
     switch (copy_message (tmp, stdin)) {
 
     case HAS_EMBEDDED_COMMAND:
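Review bot: `mkstemp` closes the race, but `template` is declared `static` a few lines up, so after the first call its `XXXXXX` suffix has been replaced and a second call in the same process would fail with EINVAL; copy the template into a local array before calling `mkstemp`, or restore it. Two smaller points: on glibc 2.0.6 and earlier `mkstemp` created the file with mode 0666, so an explicit `fchmod (tmpfd, 0600)` after a successful open is a cheap safeguard for a program that may run as root; and `errno`, `strerror` and `EX_TEMPFAIL` require `<errno.h>`, `<string.h>` and `<sysexits.h>`, which this hunk does not show being included.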
diff -r -u bulk_mailer-1.13-orig/configure.in
bulk_mailer-1.13-ok/configure.in
--- bulk_mailer-1.13-orig/configure.in  Wed Jan 21 16:41:47 1998
+++ bulk_mailer-1.13-ok/configure.in    Thu Sep  6 13:34:45 2001
@@ -15,6 +15,6 @@
 AC_STRUCT_TM
 
 dnl Checks for library functions.
-AC_CHECK_FUNCS(gethostname strdup strerror)
+AC_CHECK_FUNCS(gethostname strdup strerror snprintf mkstemp)
 
 AC_OUTPUT(Makefile)
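Review bot: adding `snprintf` and `mkstemp` to `AC_CHECK_FUNCS` only defines `HAVE_SNPRINTF` and `HAVE_MKSTEMP`; the C hunks call both functions unconditionally, so on a platform where a check fails the build breaks at link time and the configure result changes nothing. Either guard the calls with the `HAVE_` macros and ship fallbacks via `AC_REPLACE_FUNCS`, or make configure fail with a clear message when either function is missing, since the security fixes depend on both.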

--===-=-=--

--=-=-=



-- 
John Goerzen <jgoerzen@complete.org>    GPG: 0x8A1D9A1F   
www.complete.org

--=-=-=--