`Date: Mon, 8 Feb 1999 21:19:29 +0000
From: Chris Evans <[email protected]>
To: [email protected]
Subject: Pine _again_ :)
Hi,
PINE seems to be flavour of the month so I'll add to Michal's post. This
is much less serious than Michal's problem but probably noteworthy anyway.
PINE can be made to crash if /var/spool/mail/<who> contains a line along
the lines of
"From AAAAAAAAAAAA" where the A's number ~10000. If you are lucky your
MTA will truncate this line safely, preventing remote exploit.
I discovered this by "accident" playing with procmail locally - procmail
places no limits on what junk you can inject into other people's
mailboxes.
The affected pine version is 4.04 as comes with RedHat 5.2. Pine 4.10
untested. If someone wants to test it and can't get it to work contact me
for a ready made MBOX file. To get the crash to happen I _think_ the
message has to be viewed. But that's what people tend to do with mail ;-)
The actual crash occurs when the product exits.
The overflow isn't onto the stack but there are definite exploit
opportunities. On i386 and 100,000 A's, the core dump indicates
edi=0x41414141 which suggests we can copy data to an arbitrary location in
virtual memory.
Cheers
Chris
`
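A defensive check for the condition described in the post, added here as an example and not part of the original message: it scans an mbox file for "From " lines longer than a limit, reading in chunks so the oversized line is never held in memory. The 998-byte limit, the function name and the sample mailbox are assumptions constructed for illustration.

```python
"""Flag overlong "From " lines in an mbox file (added example)."""
import io
import sys

# Assumption: 998 bytes, borrowed from the RFC 5322 line-length limit.
# The post itself only says ~10000 characters crashed Pine 4.04.
MAX_FROM_LINE = 998

# Constructed sample mailbox: one normal message, then a "From " line
# of the size the post describes.
SAMPLE = (
    b"From alice@example.org Mon Feb  8 21:19:29 1999\n"
    b"Subject: ok\n\nhello\n\n"
    b"From " + b"A" * 10000 + b"\n"
    b"Subject: oversized separator\n\nbody\n"
)


def find_long_from_lines(stream, limit=MAX_FROM_LINE, chunk=65536):
    """Return [(line_number, byte_length)] for "From " lines over limit.

    Only the first five bytes and a running length are kept per line,
    so the scanner's memory use does not grow with the line it inspects.
    """
    hits = []
    line_no, length, head = 1, 0, b""
    while True:
        data = stream.read(chunk)
        if not data:
            break
        parts = data.split(b"\n")
        for i, part in enumerate(parts):
            if len(head) < 5:
                head += part[:5 - len(head)]
            length += len(part)
            if i < len(parts) - 1:  # a newline closed the current line
                if head == b"From " and length > limit:
                    hits.append((line_no, length))
                line_no, length, head = line_no + 1, 0, b""
    if head == b"From " and length > limit:  # final line without newline
        hits.append((line_no, length))
    return hits


if __name__ == "__main__":
    # Scan the mbox given on the command line, or the constructed sample.
    src = open(sys.argv[1], "rb") if len(sys.argv) > 1 else io.BytesIO(SAMPLE)
    with src:
        for number, size in find_long_from_lines(src):
            print(f"line {number}: 'From ' line is {size} bytes")
```

Run over a mail spool before a client opens it, the check reports the line number and size of each oversized line so the mailbox can be quarantined or the line truncated at delivery.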