BSD mailx 8.1.1-10 Buffer Overflow Vulnerability

Bugtraq ID:	1305
Class:	Boundary Condition Error
CVE:	CVE-2000-0545
Remote:	No
Local:	Yes
Published:	Jun 02 2000 12:00AM
Updated:	Jul 11 2009 02:56AM
Credit:	Exploit posted to BugTraq on June 2, 2000 by Paulo Ribeiro <[email protected]>
Vulnerable:	BSD mailx 8.1.1 -10 + Caldera OpenLinux 2.3 - Debian Linux 2.2 - Debian Linux 2.1 - Debian Linux 2.0 r2 + SCO eDesktop 2.4 + SCO eServer 2.3.1 - Slackware Linux 4.0 - Slackware Linux 3.6 - Slackware OpenLinux 7.0
Not Vulnerable:	Slackware Linux 3.9 Slackware Linux 3.5 Slackware Linux 3.4 Slackware Linux 3.3 Slackware Linux 3.2 Slackware Linux 3.1

BSD mailx 8.1.1-10 Buffer Overflow Vulnerability

Some Linux distributions ship with BSD mailx 8.1.1-10 (On Slackware 7.x it can be found as /usr/bin/Mail).

A vulnerability exists in the 'mail' program, part of the Berkeley mailx package. The 'mail' program contains a buffer overflow condition that is present when the -c parameter is used at the command line.

On systems where it is installed setgid, this vulnerability can be exploited to gain group 'mail' privileges.

BSD mailx 8.1.1-10 Buffer Overflow Vulnerability

Both exploits work with Slackware Linux; use mail-deb.c to test Debian distributions.

• /data/vulnerabilities/exploits/mail-slak.c
• /data/vulnerabilities/exploits/mail-deb.c

BSD mailx 8.1.1-10 Buffer Overflow Vulnerability

Solution:
The following patch was designed specifically for mailx 8.1.1-10 distributed with Debian, but should work on other distributions as well.

Caldera has released packages that fix the vulnerability.


BSD mailx 8.1.1 -10

• Caldera OpenLinux 2.3 mailx-8.1.1-12OL.i386.rpm
  ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/RPMS/ma ilx-8.1.1-12OL.i386.rpm


• Debian deb-mailx.patch
  http://www.securityfocus.com/data/vulnerabilities/patches/deb-mailx.pa tch

BSD mailx 8.1.1-10 Buffer Overflow Vulnerability

References: