Buffer Overflow in Elm (Expires header)

Wednesday, 24 August 2005
Summary
"Elm is an interactive screen-oriented mailer program that supersedes mail and mailx."
A missing length check in Elm's handling of the Expires header allows an attacker to execute arbitrary code with the privileges of the user running Elm by sending a specially crafted email.
Credit:
The information has been provided by Ulf Harnhammar.
Details
Vulnerable Systems:
* Elm version 2.5 PL5
* Elm version 2.5 PL6
* Elm version 2.5 PL7
Immune Systems:
* Elm version 2.5 PL8
* Elm version ME+
An attacker can craft a special email and send it to a user who reads mail with Elm; the overflow is triggered when Elm parses the message's Expires header.
The overflow is stack-based and gives full control over EIP, EBP and EBX. It is caused by a bad sscanf(3) call that uses a format string containing unbounded "%s" conversions to copy whitespace-delimited words from a long char array (the header value) into shorter fixed-size stack arrays.
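The following is an added example written for this page; it is not Elm's own source. It puts the pre-patch parsing shape (an unbounded "%s" per word into WLEN-byte stack arrays) next to the width-limited form used by the PL8 fix, and adds a small pre-check that reports whether a given Expires value would overrun the vulnerable parse. The value of WLEN (20), the five-word date layout, and the benign sample header are assumptions for the example, since the page does not state them; the long sample input is constructed to match the shape of the advisory's proof of concept.

```c
#include <stdio.h>
#include <string.h>

/* Assumption: Elm defines WLEN in its own headers; the real value is not on
 * the advisory page, so 20 is a hypothetical stand-in for this example. */
#define WLEN 20

/* Same shape as the pre-patch code in src/expires.c: every "%s" copies one
 * whitespace-delimited word into a WLEN-byte stack array with no bound, so a
 * word of WLEN or more characters runs past the array. Shown for comparison
 * only; it is never called below because doing so is undefined behaviour. */
int parse_expires_vulnerable(const char *date)
{
    char word1[WLEN], word2[WLEN], word3[WLEN], word4[WLEN], word5[WLEN];
    return sscanf(date, "%s %s %s %s %s", word1, word2, word3, word4, word5);
}

/* Hardened parse, mirroring the Elm 2.5 PL8 fix: the format is built at run
 * time so each "%s" carries the field width WLEN-1, leaving one byte for the
 * terminating NUL. snprintf bounds the format buffer itself as well. */
int parse_expires_fixed(const char *date, char words[5][WLEN])
{
    char formbuf[64];
    snprintf(formbuf, sizeof formbuf, "%%%ds %%%ds %%%ds %%%ds %%%ds",
             WLEN - 1, WLEN - 1, WLEN - 1, WLEN - 1, WLEN - 1);
    return sscanf(date, formbuf,
                  words[0], words[1], words[2], words[3], words[4]);
}

/* Length of the longest whitespace-delimited word: the number of bytes an
 * unbounded "%s" would write (plus a NUL). A value >= WLEN means the
 * vulnerable parse would overflow one of its word arrays. */
size_t longest_word(const char *s)
{
    size_t best = 0, cur = 0;
    for (;; s++) {
        if (*s == '\0' || *s == ' ' || *s == '\t' || *s == '\n') {
            if (cur > best)
                best = cur;
            cur = 0;
            if (*s == '\0')
                return best;
        } else {
            cur++;
        }
    }
}

int would_overflow(const char *date)
{
    return longest_word(date) >= WLEN;
}

/* Constructed sample with the same shape as the advisory's PoC Expires value:
 * 100 'U' characters followed by " 2 3 4 5". */
const char *poc_date(void)
{
    static char buf[128];
    memset(buf, 'U', 100);
    buf[100] = '\0';
    strcat(buf, " 2 3 4 5");
    return buf;
}

/* Scratch storage for the parsed words so callers need no local arrays. */
char g_words[5][WLEN];

int main(void)
{
    const char *benign = "24 Aug 2005 12:00 +0200"; /* constructed input */
    const char *poc = poc_date();
    int items;

    printf("benign: longest word %zu, overflow=%d\n",
           longest_word(benign), would_overflow(benign));
    items = parse_expires_fixed(benign, g_words);
    printf("benign: items=%d word2=\"%s\"\n", items, g_words[1]);

    printf("poc: longest word %zu, overflow=%d\n",
           longest_word(poc), would_overflow(poc));
    items = parse_expires_fixed(poc, g_words);
    /* Width-limited %19s splits the 100-byte word across all five fields,
     * so each word holds exactly 19 characters and nothing is overrun. */
    printf("poc: items=%d strlen(word1)=%zu strlen(word5)=%zu\n",
           items, strlen(g_words[0]), strlen(g_words[4]));
    return 0;
}
```

Note the side effect of the width-limited form that the patch does not discuss: an over-long word is no longer an overflow, but it is chopped into consecutive fields, so the hardened parser still returns 5 items for the PoC input and any later date sanity checks have to cope with five 19-character "words".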
Proof of Concept:
From: metaur@localhost
To: metaur@localhost
Subject: Elm buffer overflow
Expires: UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU 2 3 4 5
Elm buffer overflow
Patch:
--- src/expires.c.old 1995-09-29 18:42:07.000000000 +0100
+++ src/expires.c 2005-08-17 22:57:22.364932072 +0200
@@ -44,7 +44,7 @@ int *message_status;
{
struct tm *timestruct;
time_t thetime;
- char word1[WLEN], word2[WLEN], word3[WLEN], word4[WLEN], word5[WLEN];
+ char word1[WLEN], word2[WLEN], word3[WLEN], word4[WLEN], word5[WLEN], formbuf[64];
int month = 0, day = 0, year = 0, hour = 0, minute = 0, items;
#ifndef _POSIX_SOURCE
struct tm *localtime();
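Review bot: formbuf[64] on the changed declaration line is a bare magic number that nothing ties to WLEN. Five "%Ns " specifiers stay well under 64 bytes for any plausible WLEN, but the size only holds as long as WLEN-1 prints in a few digits; a one-line comment next to `char word1[WLEN], ..., formbuf[64];` stating that assumption, or deriving the size from WLEN, would keep a later change to WLEN from turning the fix itself into an overflow of formbuf.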
@@ -69,7 +69,8 @@ int *message_status;
so is the first field the month or the day? Standard prob.
**/
- items = sscanf(date, "%s %s %s %s %s",
+ sprintf(formbuf, "%%%ds %%%ds %%%ds %%%ds %%%ds", WLEN-1, WLEN-1, WLEN-1, WLEN-1, WLEN-1);
+ items = sscanf(date, formbuf,
word1, word2, word3, word4, word5);
if (items < 5)
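Review bot: the added `sprintf(formbuf, "%%%ds %%%ds %%%ds %%%ds %%%ds", WLEN-1, ...)` writes into the fixed 64-byte formbuf with no bound. Because WLEN is a compile-time constant the output length is predictable, but `snprintf(formbuf, sizeof formbuf, ...)` costs nothing and documents the limit in the same place the overflow is being fixed. Two behaviours also deserve a comment above the call: the width WLEN-1 deliberately leaves one byte for the terminating NUL in each word array, and an over-long field is no longer an overflow but is split across the following words, so `items` can still reach 5 on garbage input and the code after `if (items < 5)` must tolerate five truncated words rather than assume a well-formed date.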