[Full-disclosure] [RETRO AUDITING] Elm remote buffer overflow in Expires header

From: Ulf Harnhammar (metaur_at_telia.com)
Date: 08/20/05

  • Next message: Martin Schulze: "[Full-disclosure] [SECURITY] [DSA 779-1] New Mozilla Firefox packages fix several vulnerabilities"

    Date: Sat, 20 Aug 2005 13:07:28 +0200
    To: full-disclosure@lists.grok.org.uk

    Elm ( http://www.instinct.org/elm/ ) is a console-based e-mail
    application. It suffers from a remotely exploitable buffer overflow
    when parsing the Expires header of an e-mail message.

    The attacker only needs to send the victim an e-mail message. When
    the victim with that message in his or her inbox starts Elm or
    simply views the inbox in an already started copy of Elm, the buffer
    overflow will happen immediately. The overflow is stack-based,
    and it gives full control over EIP, EBP and EBX. It is caused by a
    bad sscanf(3) call, using a format string containing "%s" to copy
    from a long char array to a shorter array.

    This vulnerability affects at least the versions 2.5 PL7,
    2.5 PL6, 2.5 PL5 and possibly others as well. It does not
    affect Elm ME+ or the newly released Elm 2.5 PL8, available at
    ftp://ftp.virginia.edu/pub/elm/ .

    I have attached a patch (against Elm 2.5 PL7) and a test message
    that exhibits this problem.

    // Ulf Harnhammar
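
    The sscanf(3) defect described above, as an added C illustration that is not Elm's code or the author's patch: the unbounded "%s" pattern beside a bounded form that caps the store and rejects header values that do not fit. The buffer size, function names and sample header lines are assumptions, and a scanset replaces "%s" because a date value contains spaces.

```c
#include <stdio.h>
#include <string.h>

#define EXPIRES_MAX 32   /* hypothetical size of the stack buffer, for illustration */

/* The defective pattern the advisory describes (added illustration, not Elm's
 * code): "%s" without a width lets sscanf write as many bytes as the header
 * value holds, so a value longer than EXPIRES_MAX - 1 overruns 'out' and the
 * saved registers next to it on the stack. Never use this on untrusted input. */
int parse_expires_unsafe(const char *line, char out[EXPIRES_MAX])
{
    return sscanf(line, "Expires: %s", out) == 1;
}

/* Hardened version: a width built from the real buffer size caps the store,
 * and %n records where scanning stopped so truncation is detected and the
 * header rejected rather than silently accepted as a cut-off value. */
int parse_expires_safe(const char *line, char *out, size_t outlen)
{
    char fmt[48];
    int stop = 0;

    if (outlen < 2)
        return 0;
    out[0] = '\0';
    /* e.g. "Expires: %31[^\r\n]%n" for a 32-byte buffer */
    snprintf(fmt, sizeof fmt, "Expires: %%%zu[^\r\n]%%n", outlen - 1);
    if (sscanf(line, fmt, out, &stop) != 1)
        return 0;
    /* Anything but end-of-line after the stored bytes means the value was
     * longer than the buffer: treat the header as malformed. */
    if (line[stop] != '\0' && line[stop] != '\r' && line[stop] != '\n') {
        out[0] = '\0';
        return 0;
    }
    return 1;
}

int main(void)
{
    char value[EXPIRES_MAX];
    const char *ok  = "Expires: Thu, 01 Jan 2099 00:00:00 GMT\r\n";               /* constructed */
    const char *bad = "Expires: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n"; /* constructed */

    printf("%d [%s]\n", parse_expires_safe(ok, value, sizeof value), value);
    printf("%d [%s]\n", parse_expires_safe(bad, value, sizeof value), value);
    return 0;
}
```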
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://secunia.com/