Date: 13 January 1998
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-98.004 -- KSR[T] Advisory #006
Buffer overflow in the deliver program
13 January 1998
===========================================================================
KSR[T] has released the following advisory concerning a buffer overflow
vulnerability in the deliver program under Debian and Slackware Linux.
This vulnerability may allow local users to gain root access.
This bulletin contains a source code patch. Our PGP signing of this
bulletin is likely to prevent the installation of the included patch.
The PGP package can restore the patch to its original installable state.
If you are unable to do this, you should download the canonical version
from the KSR[T] website and attempt to install that version.
The following security bulletin is provided as a service to AUSCERT's
members. As AUSCERT did not write this document, AUSCERT has had no
control over its content. As such, the decision to use any or all of this
information is the responsibility of each user or organisation, and should
be done so in accordance with site policies and procedures.
NOTE: This is only the original release of the security bulletin. It will
not be updated when the original bulletin is. If downloading at a later
date, it is recommended that the bulletin is retrieved from the original
authors to ensure that the information is still current.
Contact information for KSR[T] is included in the Security Bulletin
below. If you have any questions or need further information, please
contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/Information/advisories.html
If you believe that your system has been compromised, contact AUSCERT or your
representative in FIRST (Forum of Incident Response and Security Teams).
Internet Email: auscert@auscert.org.au
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AUSCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for emergencies.
Facsimile: (07) 3365 7031
- - --------------------------BEGIN INCLUDED TEXT--------------------
- - -----
KSR[T] Website : http://www.dec.net/ksrt
E-mail: ksrt@dec.net
- - -----
KSR[T] Advisory #006
Date: Jan 14, 1998
ID #: lin-dlvr-007
Operating System(s): Linux ( Debian 1.3.1, Slackware 2.x )
Affected Program: deliver
Problem Description: deliver ( version 2.0.12 and below ) is a program
that delivers mail once it has arrived at a given
system.
In the function copy_message(), there is a stack
overwrite that can allow local users execute arbitrary
code as root.
From copymsg.c:
int
copy_message()
{
char buf[BUFSIZ];
:
:
b = (fgets(buf, GETSIZE(buf), stdin) ? TRUE : FALSE);
:
from_line = copystr(buf);
:
:
(void) strcpy(from_line, buf);
(void) strcpy(buf, "Invalid-UUCP-From: ");
(void) strcat(buf, from_line);
If, in the above, buf contains size BUFSIZ amount
of data, we can overwrite 19 bytes ( the size of
"Invalid-UUCP-From: " ) past buf. Unfortunately, that
is enough to overwrite the return stack frame.
Compromise: Users with an account on the machine can gain
root access. Under certain situations this might
be exploitable remotely.
Patch/Fix:
- - ----------------
For Debian users
- - ----------------
Please find the appropriate packages at these places:
For the stable release
ftp://ftp.debian.org/debian/bo-updates/deliver_2.1.13-0_i386.deb
until it's merged into the stable release, "-updates" have to be
left out then.
Until the file has been merged it can be grabbed from a mirror of the
incoming directory, e.g. at
ftp://llug.sep.bnl.gov/pub/debian/Incoming/deliver_2.1.13-0_i386.deb
For the unstable release:
ftp://ftp.debian.org/debian/hamm/hamm/binary-<arch>/mail/deliver_2.1.13-1_i386.deb
Where <arch> is one of i386, m68k, powerpc, sparc or alpha.
Until the file has been merged it can be grabbed from a mirror of the
incoming directory, e.g. at
ftp://llug.sep.bnl.gov/pub/debian/Incoming/deliver_2.1.13-1_i386.deb
- - ------------
Source Patch
- - ------------
- - -*- begin deliver patch -*-
diff -u deliver/copymsg.c deliver.new/copymsg.c
- - --- deliver/copymsg.c Mon Dec 7 14:48:44 1992
+++ deliver.new/copymsg.c Tue Dec 9 02:13:53 1997
@@ -36,6 +36,8 @@
#define ISFROM(p) ((p)[0] == 'F' && (p)[1] == 'r' && (p)[2] == 'o'
&& (p)[3] == 'm' && (p)[4] == ' ')
+#define INVUUCP "Invalid-UUCP-From: "
+
/*----------------------------------------------------------------------
* Copy the message on the standard input to two temp files:
* one for the header and one for the body.
@@ -162,8 +164,9 @@
/* Print invalid From_ line in a harmless way. */
(void) strcpy(from_line, buf);
- - - (void) strcpy(buf, "Invalid-UUCP-From: ");
- - - (void) strcat(buf, from_line);
+ (void) strcpy(buf, INVUUCP);
+ (void) strncat(buf, from_line, BUFSIZ - strlen(INVUUCP));
+ buf[BUFSIZ-1] = '�';
b = TRUE;
}
}
Common subdirectories: deliver/samples and deliver.new/samples
diff -u deliver/unctime.y deliver.new/unctime.y
- - --- deliver/unctime.y Mon Dec 7 14:48:56 1992
+++ deliver.new/unctime.y Tue Dec 9 02:49:34 1997
@@ -232,7 +232,7 @@
yylex()
{
register i;
- - - char token[40]; /* Probably paranoid. */
+ char token[BUFSIZ]; /* Probably paranoid. */
for (;;)
{
@@ -243,7 +243,7 @@
else if (isascii(*lexptr) && isalpha(*lexptr))
{
i = 0;
- - - while (isascii(*lexptr) && isalpha(*lexptr))
+ while (isascii(*lexptr) && isalpha(*lexptr) && i < BUFSIZ)
token[i++] = *lexptr++;
token[i] = '�';
for (i = 0; months[i]; i++)
@@ -287,7 +287,7 @@
else if (isascii(*lexptr) && isdigit(*lexptr))
{
i = 0;
- - - while (isascii(*lexptr) && isdigit(*lexptr))
+ while (isascii(*lexptr) && isdigit(*lexptr) && i < BUFSIZ )
token[i++] = *lexptr++;
token[i] = '�';
yylval = atoi(token);
- - -*- end deliver patch -*-
- - --------------------------END INCLUDED TEXT--------------------
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key
iQCVAwUBNMXnvyh9+71yA2DNAQHhuwP/Y9ma0IykKS+mxNKWq5IawqnkhJj82vA1
qG0v9adx4pAzk3WablFJK1fh3q+DZaDC4zFT7kJ+AKr1OX5NzCk41yuTKBaKxFIA
1f4ersD1hot1q9F/sfTY52S9gskslM1V9LeDd1RYXVIThUUTej52QLoXF1Imzv9F
+28l7QHlGMQ=
=IwRC
-----END PGP SIGNATURE-----
|