Re: Multiply bugs in MH-6.8.3 (Mail Handler program)

nolander@NOLANDER.PP.SE
Mon, 28 Jul 1997 21:47:27 +0200

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Robert Watson: "Re: BIND Nuking"
Previous message: David Sacerdote: "Re: mSQL vulnerabilities"
Maybe in reply to: Matt Conover: "Multiply bugs in MH-6.8.3 (Mail Handler program)"
Next in thread: Alan Cox: "Re: Multiply bugs in MH-6.8.3 (Mail Handler program)"

> Okay there is an overflow in MH-6.8.3, which is suid, which I THINK (not
> sure), is installed, at least in Redhat 4.1+, by default (I think this

> char *hdir, buf[BUFSIZ], *tmp;
> purposes if you try to
> overflow this...just use a size
> of 9999, just to see if it
> segfaults.
>
> hdir = getenv("HOME");
> if (hdir == NULL)
> hdir = ".";
> (void) sprintf(buf, "%s/.netrc", hdir);

All this was in ruserpass.c...

ruserpass(host,&user,&pass); is found in msgchk.c, in checkremote() or
something like that... meaning that the host aren't vulnerable if not
configured.. this is from a system where mh was installed w/o being
configured (default)

[nolander@sangis nolander]$ /usr/bin/mh/msgchk -host muroff
msgchk: no servers available

check mana mh-tailor for more info about this server stuff :)

Next message: Robert Watson: "Re: BIND Nuking"
Previous message: David Sacerdote: "Re: mSQL vulnerabilities"
Maybe in reply to: Matt Conover: "Multiply bugs in MH-6.8.3 (Mail Handler program)"
Next in thread: Alan Cox: "Re: Multiply bugs in MH-6.8.3 (Mail Handler program)"