KSR[T] Advisory #6: deliver

KSR[T] (ksrt@DEC.NET)
Mon, 12 Jan 1998 08:48:26 -0800

-----
KSR[T] Website : http://www.dec.net/ksrt
E-mail: ksrt@dec.net
-----

KSR[T] Advisory #006
Date: Jan 14, 1998
ID #: lin-dlvr-007

Operating System(s): Linux ( Debian 1.3.1, Slackware 2.x )

Affected Program: deliver

Problem Description: deliver ( version 2.0.12 and below ) is a program
that delivers mail once it has arrived at a given
system.

In the function copy_message(), there is a stack
overwrite that can allow local users execute arbitrary
code as root.

From copymsg.c:

int
copy_message()
{
char buf[BUFSIZ];
:
:
b = (fgets(buf, GETSIZE(buf), stdin) ? TRUE : FALSE);
:
from_line = copystr(buf);
:
:
(void) strcpy(from_line, buf);
(void) strcpy(buf, "Invalid-UUCP-From: ");
(void) strcat(buf, from_line);

If, in the above, buf contains size BUFSIZ amount
of data, we can overwrite 19 bytes ( the size of
"Invalid-UUCP-From: " ) past buf. Unfortunately, that
is enough to overwrite the return stack frame.

Compromise: Users with an account on the machine can gain
root access. Under certain situations this might
be exploitable remotely.

Patch/Fix:

----------------
For Debian users
----------------

Please find the appropriate packages at these places:

For the stable release

ftp://ftp.debian.org/debian/bo-updates/deliver_2.1.13-0_i386.deb
until it's merged into the stable release, "-updates" have to be
left out then.

Until the file has been merged it can be grabbed from a mirror of the
incoming directory, e.g. at

ftp://llug.sep.bnl.gov/pub/debian/Incoming/deliver_2.1.13-0_i386.deb

For the unstable release:

ftp://ftp.debian.org/debian/hamm/hamm/binary-<arch>/mail/deliver_2.1.13-1_i386.deb

Where <arch> is one of i386, m68k, powerpc, sparc or alpha.

Until the file has been merged it can be grabbed from a mirror of the
incoming directory, e.g. at

ftp://llug.sep.bnl.gov/pub/debian/Incoming/deliver_2.1.13-1_i386.deb

------------
Source Patch
------------

-*- begin deliver patch -*-
diff -u deliver/copymsg.c deliver.new/copymsg.c
--- deliver/copymsg.c Mon Dec 7 14:48:44 1992
+++ deliver.new/copymsg.c Tue Dec 9 02:13:53 1997
@@ -36,6 +36,8 @@
#define ISFROM(p) ((p)[0] == 'F' && (p)[1] == 'r' && (p)[2] == 'o' \
&& (p)[3] == 'm' && (p)[4] == ' ')

+#define INVUUCP "Invalid-UUCP-From: "
+
/*----------------------------------------------------------------------
* Copy the message on the standard input to two temp files:
* one for the header and one for the body.
@@ -162,8 +164,9 @@
/* Print invalid From_ line in a harmless way. */

(void) strcpy(from_line, buf);
- (void) strcpy(buf, "Invalid-UUCP-From: ");
- (void) strcat(buf, from_line);
+ (void) strcpy(buf, INVUUCP);
+ (void) strncat(buf, from_line, BUFSIZ - strlen(INVUUCP));
+ buf[BUFSIZ-1] = '\0';
b = TRUE;
}
}
Common subdirectories: deliver/samples and deliver.new/samples
diff -u deliver/unctime.y deliver.new/unctime.y
--- deliver/unctime.y Mon Dec 7 14:48:56 1992
+++ deliver.new/unctime.y Tue Dec 9 02:49:34 1997
@@ -232,7 +232,7 @@
yylex()
{
register i;
- char token[40]; /* Probably paranoid. */
+ char token[BUFSIZ]; /* Probably paranoid. */

for (;;)
{
@@ -243,7 +243,7 @@
else if (isascii(*lexptr) && isalpha(*lexptr))
{
i = 0;
- while (isascii(*lexptr) && isalpha(*lexptr))
+ while (isascii(*lexptr) && isalpha(*lexptr) && i < BUFSIZ)
token[i++] = *lexptr++;
token[i] = '\0';
for (i = 0; months[i]; i++)
@@ -287,7 +287,7 @@
else if (isascii(*lexptr) && isdigit(*lexptr))
{
i = 0;
- while (isascii(*lexptr) && isdigit(*lexptr))
+ while (isascii(*lexptr) && isdigit(*lexptr) && i < BUFSIZ )
token[i++] = *lexptr++;
token[i] = '\0';
yylval = atoi(token);
-*- end deliver patch -*-