X-RDate: Mon, 26 Jan 1998 10:25:17 +0500 (ESK)
Date: Mon, 12 Jan 1998 08:48:26 -0800
From: KSR[T] <ksrt@DEC.NET>
To: best-of-security@cyber.com.au
Subject: BoS:      KSR[T] Advisory #6: deliver


-----
KSR[T] Website : http://www.dec.net/ksrt
E-mail: ksrt@dec.net
-----

                                                       KSR[T] Advisory #006
                                                       Date:   Jan 14, 1998
                                                       ID #:   lin-dlvr-007

Operating System(s): Linux ( Debian 1.3.1, Slackware 2.x )

Affected Program:    deliver

Problem Description: deliver ( version 2.0.12 and below ) is a program
                     that delivers mail once it has arrived at a given
                     system.

                     In the function copy_message(), there is a stack
                     overwrite that can allow local users to execute
                     arbitrary code as root.

                     From copymsg.c:

                     int
                     copy_message()
                     {
                     char    buf[BUFSIZ];
                           :
                           :
                     b = (fgets(buf, GETSIZE(buf), stdin) ? TRUE : FALSE);
                           :
                     from_line = copystr(buf);
                           :
                           :
                     (void) strcpy(from_line, buf);
                     (void) strcpy(buf, "Invalid-UUCP-From: ");
                     (void) strcat(buf, from_line);

                     If, in the above, buf holds BUFSIZ bytes' worth of
                     data, the strcat() writes 19 bytes ( the length of
                     "Invalid-UUCP-From: " ) past the end of buf.
                     Unfortunately, that is enough to overwrite the
                     function's return address in the stack frame.
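                     As an added illustration (this is not code from the
                     advisory or from deliver itself): the byte arithmetic
                     behind the overflow above, next to a bounded
                     replacement for the strcpy()/strcat() pair. DEMO_BUFSIZ
                     stands in for BUFSIZ, and INVUUCP is the prefix string
                     as named in the patch below.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define INVUUCP     "Invalid-UUCP-From: "  /* 19 characters, as in the advisory */
#define DEMO_BUFSIZ 64                     /* stand-in for BUFSIZ; keeps the numbers small */

/* Bytes (NUL included) that the original strcpy(buf, INVUUCP); strcat(buf, from_line)
 * pair writes into buf for a from_line of from_len characters. fgets() stores at most
 * DEMO_BUFSIZ-1 characters, so the worst case is DEMO_BUFSIZ + 19 bytes: 19 past the end. */
size_t unbounded_write_size(size_t from_len)
{
    return strlen(INVUUCP) + from_len + 1;
}

/* Hardened form with snprintf: never writes more than bufsz bytes and always
 * NUL-terminates. from_line must not alias buf (in deliver it is a separate copy).
 * Returns true if the line had to be truncated to fit. */
bool build_invalid_from(char *buf, size_t bufsz, const char *from_line)
{
    int needed = snprintf(buf, bufsz, "%s%s", INVUUCP, from_line);
    return needed < 0 || (size_t)needed >= bufsz;
}

/* Same with strncat. The bound must leave room for the NUL that strncat appends
 * after the copied characters, so it is bufsz - strlen(prefix) - 1. */
bool build_invalid_from_strncat(char *buf, size_t bufsz, const char *from_line)
{
    size_t plen = strlen(INVUUCP);
    if (bufsz < plen + 1) {            /* not even the prefix fits */
        if (bufsz) buf[0] = '\0';
        return true;
    }
    strcpy(buf, INVUUCP);
    strncat(buf, from_line, bufsz - plen - 1);
    return strlen(from_line) > bufsz - plen - 1;
}

int main(void)
{
    char from_line[DEMO_BUFSIZ], buf[DEMO_BUFSIZ];
    /* Constructed worst case: a From_ line as long as fgets() will store. */
    memset(from_line, 'A', DEMO_BUFSIZ - 1);
    from_line[DEMO_BUFSIZ - 1] = '\0';
    printf("unbounded pair writes %zu bytes into a %d-byte buffer\n",
           unbounded_write_size(strlen(from_line)), DEMO_BUFSIZ);
    bool trunc = build_invalid_from(buf, sizeof buf, from_line);
    printf("bounded: %zu chars kept, truncated=%d\n", strlen(buf), (int)trunc);
    return 0;
}
```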


Compromise:          Users with an account on the machine can gain
                     root access.  Under certain situations this might
                     be exploitable remotely.

Patch/Fix:

----------------
For Debian users
----------------

Please find the appropriate packages at these places:

For the stable release

   ftp://ftp.debian.org/debian/bo-updates/deliver_2.1.13-0_i386.deb

   This path is valid until the package is merged into the stable
   release; after that, "-updates" has to be left out of the path.

   Until the file has been merged it can be grabbed from a mirror of the
   incoming directory, e.g. at

   ftp://llug.sep.bnl.gov/pub/debian/Incoming/deliver_2.1.13-0_i386.deb

For the unstable release:

   ftp://ftp.debian.org/debian/hamm/hamm/binary-<arch>/mail/deliver_2.1.13-1_i386.deb

   Where <arch> is one of i386, m68k, powerpc, sparc or alpha.

   Until the file has been merged it can be grabbed from a mirror of the
   incoming directory, e.g. at

   ftp://llug.sep.bnl.gov/pub/debian/Incoming/deliver_2.1.13-1_i386.deb

------------
Source Patch
------------

-*- begin deliver patch -*-
diff -u deliver/copymsg.c deliver.new/copymsg.c
--- deliver/copymsg.c   Mon Dec  7 14:48:44 1992
+++ deliver.new/copymsg.c       Tue Dec  9 02:13:53 1997
@@ -36,6 +36,8 @@
 #define ISFROM(p) ((p)[0] == 'F' && (p)[1] == 'r' && (p)[2] == 'o' \
                && (p)[3] == 'm' && (p)[4] == ' ')

+#define INVUUCP   "Invalid-UUCP-From: "
+
 /*----------------------------------------------------------------------
  * Copy the message on the standard input to two temp files:
  * one for the header and one for the body.
@@ -162,8 +164,9 @@
                        /* Print invalid From_ line in a harmless way. */

                        (void) strcpy(from_line, buf);
-                       (void) strcpy(buf, "Invalid-UUCP-From: ");
-                       (void) strcat(buf, from_line);
+                       (void) strcpy(buf, INVUUCP);
+                       (void) strncat(buf, from_line, BUFSIZ - strlen(INVUUCP));
+                       buf[BUFSIZ-1] = '\0';
                        b = TRUE;
                }
        }
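Review bot: the strncat bound in this hunk is one too large. strncat appends up to n characters and then always writes a terminating NUL, so with n = BUFSIZ - strlen(INVUUCP) a from_line of BUFSIZ-1 characters (the most fgets stores) produces strlen(INVUUCP) + n + 1 = BUFSIZ + 1 bytes, and the NUL lands at buf[BUFSIZ]. The added `buf[BUFSIZ-1] = '\0';` runs after that write and does not prevent it. Use `(void) strncat(buf, from_line, BUFSIZ - strlen(INVUUCP) - 1);`, after which the explicit terminator line is redundant.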
Common subdirectories: deliver/samples and deliver.new/samples
diff -u deliver/unctime.y deliver.new/unctime.y
--- deliver/unctime.y   Mon Dec  7 14:48:56 1992
+++ deliver.new/unctime.y       Tue Dec  9 02:49:34 1997
@@ -232,7 +232,7 @@
 yylex()
 {
   register i;
-  char token[40];      /* Probably paranoid. */
+  char token[BUFSIZ];  /* Probably paranoid. */

   for (;;)
     {
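Review bot: growing token from 40 to BUFSIZ bytes only raises the threshold; by itself it does not stop the overrun, because the loops in the following hunks still depend on a bound that reserves one slot for the terminator. The carried-over "Probably paranoid" comment no longer describes the situation and should say what the size is meant to cover, and the bounds below are better written as `sizeof token - 1` so they cannot drift from this declaration.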
@@ -243,7 +243,7 @@
       else if (isascii(*lexptr) && isalpha(*lexptr))
        {
          i = 0;
-         while (isascii(*lexptr) && isalpha(*lexptr))
+         while (isascii(*lexptr) && isalpha(*lexptr) && i < BUFSIZ)
            token[i++] = *lexptr++;
          token[i] = '\0';
          for (i = 0; months[i]; i++)
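Review bot: off-by-one in the new loop bound: `i < BUFSIZ` lets i reach BUFSIZ, and `token[i] = '\0';` then writes token[BUFSIZ], one byte past the end of the BUFSIZ-byte array. The bound should be `i < BUFSIZ - 1` (or `i < sizeof token - 1`). Note also that when the bound is hit the loop stops while lexptr still points at alphabetic characters, so the rest of the run is re-tokenised on the next yylex() call; the code should decide whether to skip the remainder instead.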
@@ -287,7 +287,7 @@
       else if (isascii(*lexptr) && isdigit(*lexptr))
        {
          i = 0;
-         while (isascii(*lexptr) && isdigit(*lexptr))
+         while (isascii(*lexptr) && isdigit(*lexptr) && i < BUFSIZ )
            token[i++] = *lexptr++;
          token[i] = '\0';
          yylval = atoi(token);
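Review bot: same off-by-one as the alphabetic loop: `i < BUFSIZ` still allows `token[BUFSIZ] = '\0'`, so use `i < BUFSIZ - 1` here as well. Separately, a digit run long enough to reach that bound hands atoi() a value far outside the range of int, for which atoi's result is undefined; strtol() with a range check would make that case explicit rather than silent.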
-*- end deliver patch -*-


Date: 	Mon, 12 Jan 1998 13:46:07 -0500
Reply-To: chip@pobox.com
Sender: avalon
From: Chip Salzenberg <chip@ATLANTIC.NET>
Subject:      Re: KSR[T] Advisory #6: deliver
X-To:         ksrt@DEC.NET
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <Pine.LNX.3.95.980112084724.18693B-100000@ogbanje.dec.net> from
              "KSR[T]" at "Jan 12, 98 08:48:26 am"
Approved: darrenr@cyber.com.au
X-Originally-To: To: BUGTRAQ@NETSPACE.ORG
X-Originated-From: From: "KSR[T]" <ksrt@DEC.NET>

KSR's proposed patch to Deliver has a bug:

According to KSR[T]:
> +  char token[BUFSIZ];  /* Probably paranoid. */
>
> +         while (isascii(*lexptr) && isalpha(*lexptr) && i < BUFSIZ)
>             token[i++] = *lexptr++;
>           token[i] = '\0';

Buffer overrun is possible here.

I suggest anyone who uses Deliver just get the current tarball:

    http://www.pobox.com/~chip/deliver-2.1.13.tar.gz

--
Chip Salzenberg               - a.k.a. -                <chip@pobox.com>
 "I stopped that bus and I saved them kids!" "All except one -- the one
you let drive!" "He showed me his license..." "He was seven!!!" // MST3K
