lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: 4 Apr 2005 21:28:22 -0000
From: <patr0n@...ru>
To: bugtraq@...urityfocus.com
Subject: Local buffer overflow  on Aeon<=0.2a




#######################################################################

Application:  Aeon
              http://www.abenetkiewicz.neostrada.pl
Versions:     <= 0.2a
Platforms:    Linux
Bug:          buffer-overflow
Exploitation: local
Date:         04 Apr 2005
Author:       patr0n
              e-mail: patr0n@...ru
              web:    http://security-tmp.h14.ru

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Aeon is mail relay agent for Linux. It uses only personal configuration 
files, it does not have any support for aliases, groupmail etc. 
No advanced technology included :) It is not a daemon, it just takes 
the message from MUA and relays it to your smtp server. Nothing more, 
nothing less.

#######################################################################

======
2) Bug
======

The application is affected by a buffer-overflow in the function 
getConfig().
This function uses a strcpy() with a local buffer of 512 bytes where
it stores the text from environment HOME.

lib_aeon.c:
//--------------cut------------------

int getConfig(char settings[MAX_SETTINGS][MAX_LEN])
{
	char home[MAX_LEN];
//...................................
strcpy(home, getenv("HOME"));
	
//--------------cut------------------

The result is that an attacker could raise his privileges.

#######################################################################

===========
3) The Code
===========

You can view POC code from 
http://security-tmp.h14.ru/exploits/23laeon.c.txt

#######################################################################

======
4) Fix
======

No fix.

#######################################################################

--- 
patr0n
http://security-tmp.h14.ru

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ