Published:
12 January 1998
Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-98.004 -- KSR[T] Advisory #006 Buffer overflow in the deliver program 13 January 1998 =========================================================================== KSR[T] has released the following advisory concerning a buffer overflow vulnerability in the deliver program under Debian and Slackware Linux. This vulnerability may allow local users to gain root access. This bulletin contains a source code patch. Our PGP signing of this bulletin is likely to prevent the installation of the included patch. The PGP package can restore the patch to its original installable state. If you are unable to do this, you should download the canonical version from the KSR[T] website and attempt to install that version. The following security bulletin is provided as a service to AUSCERT's members. As AUSCERT did not write this document, AUSCERT has had no control over its content. As such, the decision to use any or all of this information is the responsibility of each user or organisation, and should be done so in accordance with site policies and procedures. NOTE: This is only the original release of the security bulletin. It will not be updated when the original bulletin is. If downloading at a later date, it is recommended that the bulletin is retrieved from the original authors to ensure that the information is still current. Contact information for KSR[T] is included in the Security Bulletin below. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/Information/advisories.html If you believe that your system has been compromised, contact AUSCERT or your representative in FIRST (Forum of Incident Response and Security Teams). Internet Email: auscert@auscert.org.au Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AUSCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for emergencies. Facsimile: (07) 3365 7031 - - --------------------------BEGIN INCLUDED TEXT-------------------- - - ----- KSR[T] Website : http://www.dec.net/ksrt E-mail: ksrt@dec.net - - ----- KSR[T] Advisory #006 Date: Jan 14, 1998 ID #: lin-dlvr-007 Operating System(s): Linux ( Debian 1.3.1, Slackware 2.x ) Affected Program: deliver Problem Description: deliver ( version 2.0.12 and below ) is a program that delivers mail once it has arrived at a given system. In the function copy_message(), there is a stack overwrite that can allow local users execute arbitrary code as root. From copymsg.c: int copy_message() { char buf[BUFSIZ]; : : b = (fgets(buf, GETSIZE(buf), stdin) ? TRUE : FALSE); : from_line = copystr(buf); : : (void) strcpy(from_line, buf); (void) strcpy(buf, "Invalid-UUCP-From: "); (void) strcat(buf, from_line); If, in the above, buf contains size BUFSIZ amount of data, we can overwrite 19 bytes ( the size of "Invalid-UUCP-From: " ) past buf. Unfortunately, that is enough to overwrite the return stack frame. Compromise: Users with an account on the machine can gain root access. Under certain situations this might be exploitable remotely. Patch/Fix: - - ---------------- For Debian users - - ---------------- Please find the appropriate packages at these places: For the stable release ftp://ftp.debian.org/debian/bo-updates/deliver_2.1.13-0_i386.deb until it's merged into the stable release, "-updates" have to be left out then. Until the file has been merged it can be grabbed from a mirror of the incoming directory, e.g. at ftp://llug.sep.bnl.gov/pub/debian/Incoming/deliver_2.1.13-0_i386.deb For the unstable release: ftp://ftp.debian.org/debian/hamm/hamm/binary-<arch>/mail/deliver_2.1.13-1_i386.deb Where <arch> is one of i386, m68k, powerpc, sparc or alpha. Until the file has been merged it can be grabbed from a mirror of the incoming directory, e.g. at ftp://llug.sep.bnl.gov/pub/debian/Incoming/deliver_2.1.13-1_i386.deb - - ------------ Source Patch - - ------------ - - -*- begin deliver patch -*- diff -u deliver/copymsg.c deliver.new/copymsg.c - - --- deliver/copymsg.c Mon Dec 7 14:48:44 1992 +++ deliver.new/copymsg.c Tue Dec 9 02:13:53 1997 @@ -36,6 +36,8 @@ #define ISFROM(p) ((p)[0] == 'F' && (p)[1] == 'r' && (p)[2] == 'o' && (p)[3] == 'm' && (p)[4] == ' ') +#define INVUUCP "Invalid-UUCP-From: " + /*---------------------------------------------------------------------- * Copy the message on the standard input to two temp files: * one for the header and one for the body. @@ -162,8 +164,9 @@ /* Print invalid From_ line in a harmless way. */ (void) strcpy(from_line, buf); - - - (void) strcpy(buf, "Invalid-UUCP-From: "); - - - (void) strcat(buf, from_line); + (void) strcpy(buf, INVUUCP); + (void) strncat(buf, from_line, BUFSIZ - strlen(INVUUCP)); + buf[BUFSIZ-1] = ''; b = TRUE; } } Common subdirectories: deliver/samples and deliver.new/samples diff -u deliver/unctime.y deliver.new/unctime.y - - --- deliver/unctime.y Mon Dec 7 14:48:56 1992 +++ deliver.new/unctime.y Tue Dec 9 02:49:34 1997 @@ -232,7 +232,7 @@ yylex() { register i; - - - char token[40]; /* Probably paranoid. */ + char token[BUFSIZ]; /* Probably paranoid. */ for (;;) { @@ -243,7 +243,7 @@ else if (isascii(*lexptr) && isalpha(*lexptr)) { i = 0; - - - while (isascii(*lexptr) && isalpha(*lexptr)) + while (isascii(*lexptr) && isalpha(*lexptr) && i < BUFSIZ) token[i++] = *lexptr++; token[i] = ''; for (i = 0; months[i]; i++) @@ -287,7 +287,7 @@ else if (isascii(*lexptr) && isdigit(*lexptr)) { i = 0; - - - while (isascii(*lexptr) && isdigit(*lexptr)) + while (isascii(*lexptr) && isdigit(*lexptr) && i < BUFSIZ ) token[i++] = *lexptr++; token[i] = ''; yylval = atoi(token); - - -*- end deliver patch -*- - - --------------------------END INCLUDED TEXT-------------------- -----BEGIN PGP SIGNATURE----- Version: 2.6.3i Charset: noconv Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key iQCVAwUBNMXnvyh9+71yA2DNAQHhuwP/Y9ma0IykKS+mxNKWq5IawqnkhJj82vA1 qG0v9adx4pAzk3WablFJK1fh3q+DZaDC4zFT7kJ+AKr1OX5NzCk41yuTKBaKxFIA 1f4ersD1hot1q9F/sfTY52S9gskslM1V9LeDd1RYXVIThUUTej52QLoXF1Imzv9F +28l7QHlGMQ= =IwRC -----END PGP SIGNATURE-----