Buffer overflow in the 'deliver' mail delivery program

Summary
Description:standard overflow
Author:"KSR[T]" <ksrt@DEC.NET>
Compromise: root (local)
Vulnerable Systems:Slackware 2.x, Debian 1.3.1, possibly other Linux distributions. Basically anything running deliver version 2.0.12 and below.
Date:12 January 1998
Details


Date: Mon, 12 Jan 1998 08:48:26 -0800
From: "KSR[T]" <ksrt@DEC.NET>
To: BUGTRAQ@NETSPACE.ORG
Subject: KSR[T] Advisory #6: deliver

-----
KSR[T] Website : http://www.dec.net/ksrt
E-mail: ksrt@dec.net
-----

                                                       KSR[T] Advisory #006
                                                       Date:   Jan 14, 1998
                                                       ID #:   lin-dlvr-007

Operating System(s): Linux ( Debian 1.3.1, Slackware 2.x )

Affected Program:    deliver

Problem Description: deliver ( version 2.0.12 and below ) is a program
                     that delivers mail once it has arrived at a given
                     system.

                     In the function copy_message(), there is a stack
                     overwrite that can allow local users execute arbitrary
                     code as root.

                     From copymsg.c:

                     int
                     copy_message()
                     {
                     char    buf[BUFSIZ];
                           :
                           :
                     b = (fgets(buf, GETSIZE(buf), stdin) ? TRUE : FALSE);
                           :
                     from_line = copystr(buf);
                           :
                           :
                     (void) strcpy(from_line, buf);
                     (void) strcpy(buf, "Invalid-UUCP-From: ");
                     (void) strcat(buf, from_line);

                     If, in the above, buf contains size BUFSIZ amount
                     of data, we can overwrite 19 bytes ( the size of
                     "Invalid-UUCP-From: " ) past buf.  Unfortunately, that
                     is enough to overwrite the return stack frame.


Compromise:          Users with an account on the machine can gain
                     root access.  Under certain situations this might
                     be exploitable remotely.

Patch/Fix:

----------------
For Debian users
----------------

Please find the appropriate packages at these places:

For the stable release

   ftp://ftp.debian.org/debian/bo-updates/deliver_2.1.13-0_i386.deb
   until it's merged into the stable release, "-updates" have to be
   left out then.

   Until the file has been merged it can be grabbed from a mirror of the
   incoming directory, e.g. at

   ftp://llug.sep.bnl.gov/pub/debian/Incoming/deliver_2.1.13-0_i386.deb

For the unstable release:

   ftp://ftp.debian.org/debian/hamm/hamm/binary-<arch>/mail/deliver_2.1.13-1_i386.deb

   Where <arch> is one of i386, m68k, powerpc, sparc or alpha.

   Until the file has been merged it can be grabbed from a mirror of the
   incoming directory, e.g. at

   ftp://llug.sep.bnl.gov/pub/debian/Incoming/deliver_2.1.13-1_i386.deb

------------
Source Patch
------------

-*- begin deliver patch -*-
diff -u deliver/copymsg.c deliver.new/copymsg.c
--- deliver/copymsg.c   Mon Dec  7 14:48:44 1992
+++ deliver.new/copymsg.c       Tue Dec  9 02:13:53 1997
@@ -36,6 +36,8 @@
 #define ISFROM(p) ((p)[0] == 'F' && (p)[1] == 'r' && (p)[2] == 'o' \
                && (p)[3] == 'm' && (p)[4] == ' ')

+#define INVUUCP   "Invalid-UUCP-From: "
+
 /*----------------------------------------------------------------------
  * Copy the message on the standard input to two temp files:
  * one for the header and one for the body.
@@ -162,8 +164,9 @@
                        /* Print invalid From_ line in a harmless way. */

                        (void) strcpy(from_line, buf);
-                       (void) strcpy(buf, "Invalid-UUCP-From: ");
-                       (void) strcat(buf, from_line);
+                       (void) strcpy(buf, INVUUCP);
+                       (void) strncat(buf, from_line, BUFSIZ - strlen(INVUUCP));
+                       buf[BUFSIZ-1] = '\0';
                        b = TRUE;
                }
        }
Common subdirectories: deliver/samples and deliver.new/samples
diff -u deliver/unctime.y deliver.new/unctime.y
--- deliver/unctime.y   Mon Dec  7 14:48:56 1992
+++ deliver.new/unctime.y       Tue Dec  9 02:49:34 1997
@@ -232,7 +232,7 @@
 yylex()
 {
   register i;
-  char token[40];      /* Probably paranoid. */
+  char token[BUFSIZ];  /* Probably paranoid. */

   for (;;)
     {
@@ -243,7 +243,7 @@
       else if (isascii(*lexptr) && isalpha(*lexptr))
        {
          i = 0;
-         while (isascii(*lexptr) && isalpha(*lexptr))
+         while (isascii(*lexptr) && isalpha(*lexptr) && i < BUFSIZ)
            token[i++] = *lexptr++;
          token[i] = '\0';
          for (i = 0; months[i]; i++)
@@ -287,7 +287,7 @@
       else if (isascii(*lexptr) && isdigit(*lexptr))
        {
          i = 0;
-         while (isascii(*lexptr) && isdigit(*lexptr))
+         while (isascii(*lexptr) && isdigit(*lexptr) && i < BUFSIZ )
            token[i++] = *lexptr++;
          token[i] = '\0';
          yylval = atoi(token);
-*- end deliver patch -*-

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resources: