Operating System:

Published:

12 January 1998

Protect yourself against future threats.

-----BEGIN PGP SIGNED MESSAGE-----


===========================================================================
             AUSCERT External Security Bulletin Redistribution
                                      
                                      
                     ESB-98.004 -- KSR[T] Advisory #006
                   Buffer overflow in the deliver program
                              13 January 1998

===========================================================================

KSR[T] has released the following advisory concerning a buffer overflow
vulnerability in the deliver program under Debian and Slackware Linux.
This vulnerability may allow local users to gain root access.

This bulletin contains a source code patch.  Our PGP signing of this
bulletin is likely to prevent the installation of the included patch.
The PGP package can restore the patch to its original installable state.
If you are unable to do this, you should download the canonical version
from the KSR[T] website and attempt to install that version.

The following security bulletin is provided as a service to AUSCERT's
members.  As AUSCERT did not write this document, AUSCERT has had no
control over its content.  As such, the decision to use any or all of this
information is the responsibility of each user or organisation, and should
be done so in accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It will
not be updated when the original bulletin is.  If downloading at a later
date, it is recommended that the bulletin is retrieved from the original
authors to ensure that the information is still current.

Contact information for KSR[T] is included in the Security Bulletin
below.  If you have any questions or need further information, please
contact them directly. 

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/Information/advisories.html

If you believe that your system has been compromised, contact AUSCERT or your
representative in FIRST (Forum of Incident Response and Security Teams).

Internet Email: auscert@auscert.org.au
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AUSCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for emergencies.
Facsimile:      (07) 3365 7031


- - --------------------------BEGIN INCLUDED TEXT--------------------

- - -----                                                     
KSR[T] Website : http://www.dec.net/ksrt
E-mail: ksrt@dec.net                                      
- - -----                

                                                       KSR[T] Advisory #006
                                                       Date:   Jan 14, 1998
                                                       ID #:   lin-dlvr-007 

Operating System(s): Linux ( Debian 1.3.1, Slackware 2.x )

Affected Program:    deliver

Problem Description: deliver ( version 2.0.12 and below ) is a program 
                     that delivers mail once it has arrived at a given
                     system. 

                     In the function copy_message(), there is a stack  
                     overwrite that can allow local users execute arbitrary 
                     code as root.  
                     
                     From copymsg.c:

                     int
                     copy_message()
                     {
                     char    buf[BUFSIZ];
                           :
                           :
                     b = (fgets(buf, GETSIZE(buf), stdin) ? TRUE : FALSE);
                           :
                     from_line = copystr(buf);
                           :
                           :
                     (void) strcpy(from_line, buf);
                     (void) strcpy(buf, "Invalid-UUCP-From: ");
                     (void) strcat(buf, from_line);

                     If, in the above, buf contains size BUFSIZ amount
                     of data, we can overwrite 19 bytes ( the size of
                     "Invalid-UUCP-From: " ) past buf.  Unfortunately, that 
                     is enough to overwrite the return stack frame.
                   

Compromise:          Users with an account on the machine can gain 
                     root access.  Under certain situations this might
                     be exploitable remotely.

Patch/Fix:

- - ----------------
For Debian users
- - ----------------

Please find the appropriate packages at these places:

For the stable release

   ftp://ftp.debian.org/debian/bo-updates/deliver_2.1.13-0_i386.deb
   until it's merged into the stable release, "-updates" have to be
   left out then.

   Until the file has been merged it can be grabbed from a mirror of the
   incoming directory, e.g. at

   ftp://llug.sep.bnl.gov/pub/debian/Incoming/deliver_2.1.13-0_i386.deb

For the unstable release:

   ftp://ftp.debian.org/debian/hamm/hamm/binary-<arch>/mail/deliver_2.1.13-1_i386.deb

   Where <arch> is one of i386, m68k, powerpc, sparc or alpha.

   Until the file has been merged it can be grabbed from a mirror of the
   incoming directory, e.g. at

   ftp://llug.sep.bnl.gov/pub/debian/Incoming/deliver_2.1.13-1_i386.deb

- - ------------
Source Patch
- - ------------

- - -*- begin deliver patch -*-
diff -u deliver/copymsg.c deliver.new/copymsg.c
- - --- deliver/copymsg.c	Mon Dec  7 14:48:44 1992
+++ deliver.new/copymsg.c	Tue Dec  9 02:13:53 1997
@@ -36,6 +36,8 @@
 #define ISFROM(p) ((p)[0] == 'F' && (p)[1] == 'r' && (p)[2] == 'o' 
 		&& (p)[3] == 'm' && (p)[4] == ' ')
 
+#define INVUUCP   "Invalid-UUCP-From: "
+
 /*----------------------------------------------------------------------
  * Copy the message on the standard input to two temp files:
  * one for the header and one for the body.
@@ -162,8 +164,9 @@
 			/* Print invalid From_ line in a harmless way. */
 
 			(void) strcpy(from_line, buf);
- - -			(void) strcpy(buf, "Invalid-UUCP-From: ");
- - -			(void) strcat(buf, from_line);
+			(void) strcpy(buf, INVUUCP);
+			(void) strncat(buf, from_line, BUFSIZ - strlen(INVUUCP));
+                       buf[BUFSIZ-1] = '';
 			b = TRUE;
 		}
 	}
Common subdirectories: deliver/samples and deliver.new/samples
diff -u deliver/unctime.y deliver.new/unctime.y
- - --- deliver/unctime.y	Mon Dec  7 14:48:56 1992
+++ deliver.new/unctime.y	Tue Dec  9 02:49:34 1997
@@ -232,7 +232,7 @@
 yylex()
 {
   register i;
- - -  char token[40];	/* Probably paranoid. */
+  char token[BUFSIZ];	/* Probably paranoid. */
   
   for (;;)
     {
@@ -243,7 +243,7 @@
       else if (isascii(*lexptr) && isalpha(*lexptr))
 	{
 	  i = 0;
- - -	  while (isascii(*lexptr) && isalpha(*lexptr))
+	  while (isascii(*lexptr) && isalpha(*lexptr) && i < BUFSIZ)
 	    token[i++] = *lexptr++;
 	  token[i] = '';
 	  for (i = 0; months[i]; i++)
@@ -287,7 +287,7 @@
       else if (isascii(*lexptr) && isdigit(*lexptr))
 	{
 	  i = 0;
- - -	  while (isascii(*lexptr) && isdigit(*lexptr))
+	  while (isascii(*lexptr) && isdigit(*lexptr) && i < BUFSIZ )
 	    token[i++] = *lexptr++;
 	  token[i] = '';
 	  yylval = atoi(token);
- - -*- end deliver patch -*-

- - --------------------------END INCLUDED TEXT--------------------


-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBNMXnvyh9+71yA2DNAQHhuwP/Y9ma0IykKS+mxNKWq5IawqnkhJj82vA1
qG0v9adx4pAzk3WablFJK1fh3q+DZaDC4zFT7kJ+AKr1OX5NzCk41yuTKBaKxFIA
1f4ersD1hot1q9F/sfTY52S9gskslM1V9LeDd1RYXVIThUUTej52QLoXF1Imzv9F
+28l7QHlGMQ=
=IwRC
-----END PGP SIGNATURE-----