YoungZSoft CMailServer overflow, PATCH + WAREZ!@#!


 




CMailServer 3.30 uses sprintf() without any previous bounds checking while
testing for the presence of the passed USER argument's home directory within
'mail'..

sprintf(%s\\mail\\%s, CMail path ptr, USER arg ptr)

you know how the story goes, we can overwrite some serious EIP action..
see attached exploit.. a patch has also been included to prevent ownaging

2c79cbe14ac7d0b8472d3f129fa1df55, the original pimp




Attachment: cmeexp.c
Description: Binary data


Attachment: cmepatch.c
Description: Binary data

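The unchecked sprintf() pattern described in the post, next to a bounded replacement. This is an added example, not the cmepatch.c attachment or CMailServer's own code. The function names, the 260-byte buffer, the 64-character USER limit and the "C:\CMail" path are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define PATH_BUF_LEN 260  /* assumed buffer size; the post gives none */
#define USER_MAX_LEN 64   /* assumed policy limit for the USER argument */

/* The unchecked pattern from the post, for contrast only (never called):
 * dst overflows as soon as base + "\mail\" + user exceeds its size. */
void build_path_unchecked(char *dst, const char *base, const char *user)
{
    sprintf(dst, "%s\\mail\\%s", base, user);
}

/* Bounded form: 0 on success, -1 when the input is refused.
 * On refusal dst is left as an empty string, never a truncated path. */
int build_path_checked(char *dst, size_t dstlen,
                       const char *base, const char *user)
{
    size_t ulen;
    int n;

    if (dst == NULL || dstlen == 0)
        return -1;
    dst[0] = '\0';
    if (base == NULL || user == NULL)
        return -1;

    ulen = strlen(user);
    if (ulen == 0 || ulen > USER_MAX_LEN)
        return -1;                      /* refuse before formatting */

    n = snprintf(dst, dstlen, "%s\\mail\\%s", base, user);
    if (n < 0 || (size_t)n >= dstlen) { /* output would not fit */
        dst[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    char path[PATH_BUF_LEN], longuser[1024];

    memset(longuser, 'A', sizeof longuser - 1);  /* constructed oversized USER */
    longuser[sizeof longuser - 1] = '\0';
    printf("%d\n", build_path_checked(path, sizeof path, "C:\\CMail", "alice"));
    printf("%d\n", build_path_checked(path, sizeof path, "C:\\CMail", longuser));
    return 0;
}
```

A server using the checked form would answer a refused USER with a protocol error instead of continuing with a partial path.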
