| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20050820110728.GA12482@localhost.localdomain> Date: Sat Aug 20 12:07:34 2005 From: metaur at telia.com (Ulf Harnhammar) Subject: [RETRO AUDITING] Elm remote buffer overflow in Expires header Elm ( http://www.instinct.org/elm/ ) is a console-based e-mail application. It suffers from a remotely exploitable buffer overflow when parsing the Expires header of an e-mail message. The attacker only needs to send the victim an e-mail message. When the victim with that message in his or her inbox starts Elm or simply views the inbox in an already started copy of Elm, the buffer overflow will happen immediately. The overflow is stack-based, and it gives full control over EIP, EBP and EBX. It is caused by a bad sscanf(3) call, using a format string containing "%s" to copy from a long char array to a shorter array. This vulnerability affects at least the versions 2.5 PL7, 2.5 PL6, 2.5 PL5 and possibly others as well. It does not affect Elm ME+ or the newly released Elm 2.5 PL8, available at ftp://ftp.virginia.edu/pub/elm/ . I have attached a patch (against Elm 2.5 PL7) and a test message that exhibits this problem. // Ulf Harnhammar -------------- next part -------------- A non-text attachment was scrubbed... Name: elm-data.tar.gz Type: application/octet-stream Size: 673 bytes Desc: not available Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20050820/d6980f50/elm-data.tar.obj
Powered by blists - more mailing lists