HP-UX 11 elm -s Vulnerability allows local account compromise
12 Mar. 2001
Summary
HP-UX 11.00 ships with a vulnerable version of the elm MUA: it contains a buffer overflow in the handling of the -s (subject) argument. This enables local attackers to execute code with the privileges of the mail user.
Note that all systems with the vulnerable version of elm are affected, not just HP-UX.
Credit:
The information has been provided by Flatline.
    while ((c = getopt(argc, argv, "?acd:f:hi:kKms:tVvz")) != EOF) {
        switch (c) {
        case 'a' : arrow_cursor++; break;
        case 'c' : check_only++; use_tite = 0; break;
        case 'd' : debug = atoi(optarg); break;
        case 'f' : strcpy(req_mfile, optarg); break;
        case '?' :
        case 'h' : args_help();
        case 'i' : strcpy(included_file, optarg); break;
        case 'k' : hp_terminal++; break;
        case 'K' : hp_terminal++; hp_softkeys++; break;
        case 'm' : mini_menu = 0; break;
        case 's' : strcpy(batch_subject, optarg); break;
        case 't' : use_tite = 0; break;
        case 'V' : sendmail_verbose++; break;
        case 'v' : args_version();
        case 'z' : check_size++; break;
        }
    }
All of the vulnerable strcpy() statements copy a user-supplied string into a buffer of SLEN (256) bytes without checking its length.
Feeding any of these arguments a string of more than 256 characters will crash elm.
hdrs/defs.h:#define SLEN 256 /* long for ensuring no overwrites... */
It's interesting to see that the author apparently thought his buffers were safe simply because the buffer length seemed large.
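As an added example (not elm's own code), the following shows the unchecked strcpy() pattern from the advisory beside a bounded replacement that rejects over-long option arguments instead of overwriting the buffer. SLEN is the value quoted from hdrs/defs.h above; batch_subject, req_mfile, would_overflow_slen, copy_option_arg and set_batch_subject are reconstructed or hypothetical names used for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Buffer size from elm's hdrs/defs.h, as quoted in the advisory. */
#define SLEN 256

/* Destination buffers named after the elm globals the advisory shows
 * being written by strcpy() (reconstructed for this example). */
char batch_subject[SLEN];
char req_mfile[SLEN];

/* Vulnerable pattern (from the advisory, shown here only for reference,
 * never called in this example):
 *     strcpy(batch_subject, optarg);
 * strcpy() stops at the NUL of the source, not at the end of the
 * destination, so any argument of SLEN or more characters spills past
 * the buffer. */

/* Returns 1 if copying arg into a SLEN-byte buffer would overflow it:
 * the string plus its terminating NUL must fit in SLEN bytes. */
int would_overflow_slen(const char *arg)
{
    return strlen(arg) >= SLEN;
}

/* Bounded replacement for the unchecked strcpy(). Over-long input is
 * rejected (returns -1, dst left empty) rather than silently truncated,
 * so a bad -s argument becomes a usage error instead of memory
 * corruption. Returns 0 on success. */
int copy_option_arg(char *dst, size_t dstsz, const char *arg)
{
    size_t n = strlen(arg);
    if (dstsz == 0)
        return -1;
    if (n >= dstsz) {
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, arg, n + 1);   /* n + 1 copies the terminating NUL too */
    return 0;
}

/* Hardened form of the '-s' case in the advisory's switch statement. */
int set_batch_subject(const char *arg)
{
    return copy_option_arg(batch_subject, sizeof batch_subject, arg);
}
```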