ELM NLSPATH overflow

Description: Elm, which is often setgid mail, has a buffer overflow with the NLSPATH variable. This is NOT the same as the libc NLSPATH bug.
Author: "Dmitry E. Kim" <jason@REDLINE.RU>
Compromise: GID mail (local)
Vulnerable Systems: Linux with vulnerable setGID mail ELM
Date: 26 March 1997
Notes: Joining group mail *CAN* be very helpful to hackers; some Linux boxes allow you to write to the mail spool and read other people's mail if you achieve this. Also, if anyone has a working exploit please mail it this way, I don't feel like writing & testing right now.

Date: Wed, 26 Mar 1997 21:02:48 +0400
From: "Dmitry E. Kim" 
Subject: minor vulnerability in ELM

        hi ppl,

  It's just an echo of old plain NLSPATH story -- I'm not even sure
it should be posted here, but still: in some distributions ELM is
installed setgid 'mail' (for unknown reason) -- for example, in Linux
(Slackware 3.1 and 3.2-beta) and (at least some distributions of) Solaris.
It is very easy to force a stack overflow in ELM using the environment variable
NLSPATH (that is NOT the same bug as with linux libc.so.5.3.12 -- ELM in the
mentioned distributions is dynamically linked, but is exploitable when linked
with libc.so.5.4.10 at least).

  Impact: any user with access to ELM can gain group 'mail' access rights.
Speaking theoretically, it is a Bad Thing, but seems like there's absolutely
no practical harm from it. Though probably there is some in certain OSes?
I didn't look carefully through Solaris, for example.

  Exploit: standard stack overflow exploit. It is not quoted here because
it is very trivial and boring :).

  Solution: why would ELM actually need setgid privileges? In FreeBSD ELM
lives well without any set[ug]id.
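The fix the post points at, dropping a setgid bit the program has no use for, is easy to turn into a routine audit. The script below is an added example, not code from the original post or from ELM: it lists set[ug]id executables under a directory and strips the setgid bit from a named binary; the function names and the `elm` path in the usage comment are my own choices.

```shell
#!/bin/sh
# Added example (not from the original post): find set[ug]id executables
# and remove the setgid bit from a binary that does not need it, as the
# post suggests for elm. Assumes POSIX sh with find(1), test -u/-g, chmod(1).

# Print every regular file under $1 carrying the setuid or setgid bit,
# one per line, tagged "setuid", "setgid" or "setuid+setgid".
list_setid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
    while IFS= read -r f; do
        tag=""
        [ -u "$f" ] && tag="setuid"
        if [ -g "$f" ]; then
            if [ -n "$tag" ]; then tag="$tag+setgid"; else tag="setgid"; fi
        fi
        printf '%s %s\n' "$tag" "$f"
    done
}

# Number of set[ug]id files under $1, printed on stdout.
count_setid() {
    list_setid "$1" | wc -l | tr -d ' '
}

# Drop the setgid bit from $1 if present. Succeeds (exit 0) only when the
# file ends up without the bit, so callers can verify the remediation.
drop_setgid() {
    if [ -g "$1" ]; then
        chmod g-s "$1" || return 1
    fi
    [ ! -g "$1" ]
}

# Usage (hypothetical paths):
#   list_setid /usr/bin          # review what is setuid/setgid
#   drop_setgid /usr/bin/elm     # elm runs fine without group mail
```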

This page is part of Fyodor's exploit world.