elm bug ver 2.5.3 maybe others. (not suid on linux but suid on other OS.)

From: Ehud Tenenbaum (analyzerat_private)
Date: Sat Feb 23 2002 - 22:45:12 PST


    Hey,
    
    The 2xs Security team found a new bug in elm. Although it's not suid
    on Linux systems (Red Hat 6.2, Mandrake 8.0, Slackware 7.1), we
    believe it's suid on other kinds of *nix OS such as HP-UX.
    
    w00p@Analyzer:/tmp/w00p/elm2.5.3/bin$ id
    uid=100(w00p) gid=100(users) groups=100(users)
    w00p@Analyzer:/tmp/w00p/elm2.5.3/bin$
    
    w00p@Analyzer:/tmp/w00p/elm2.5.3/bin$ export EDITOR=`perl -e 'print "A" x 2000;'`
    w00p@Analyzer:/tmp/w00p/elm2.5.3/bin$ elm
     
    Notice:  ELM requires an ".elm" subdirectory off your home directory
    to hold information such as your configuration preferences (the
    "elmrc" file) and aliases.
     
    May I create this directory for you (yes/no/quit) ? [y] : n
    Segmentation fault
    w00p@Analyzer:/tmp/w00p/elm2.5.3/bin$
    
    w00p@Analyzer:/tmp/w00p/elm2.5.3/bin$ gdb ./elm
    GNU gdb 5.0
    Copyright 2000 Free Software Foundation, Inc.
    GDB is free software, covered by the GNU General Public License, and you are
    welcome to change it and/or distribute copies of it under certain conditions.
    Type "show copying" to see the conditions.
    There is absolutely no warranty for GDB.  Type "show warranty" for details.
    This GDB was configured as "i386-slackware-linux"...
    (gdb) r
    Starting program: /tmp/w00p/elm2.5.3/bin/./elm
    warning: Unable to find dynamic linker breakpoint function.
    GDB will be unable to debug shared library initializers
    and track explicitly loaded dynamic code.
    
    Notice:  ELM requires an ".elm" subdirectory off your home directory
    to hold information such as your configuration preferences (the
    "elmrc" file) and aliases.
    
    May I create this directory for you (yes/no/quit) ? [y] : n
    
    Program received signal SIGSEGV, Segmentation fault.
    0x40074486 in catgets () from /lib/libc.so.6
    (gdb) where
    #0  0x40074486 in catgets () from /lib/libc.so.6
    #1  0x805b6a6 in create_private_dir ()
    #2  0x805b3fc in initialize ()
    #3  0x80520bd in main ()
    #4  0x4006faa7 in __libc_start_main () from /lib/libc.so.6
    (gdb) info registers
    eax            0x41414141       1094795585
    ecx            0x40014000       1073823744
    edx            0x0      0
    ebx            0x4013bed4       1075035860
    esp            0xbfffeca0       0xbfffeca0
    ebp            0xbfffecb4       0xbfffecb4
    esi            0x41414141       1094795585
    edi            0xbffff264       -1073745308
    eip            0x40074486       0x40074486
    eflags         0x10202  66050
    cs             0x23     35
    ss             0x2b     43
    ds             0x2b     43
    es             0x2b     43
    fs             0x0      0
    gs             0x0      0
    fctrl          0x37f    895
    fstat          0x0      0
    ftag           0xffff   65535
    fiseg          0x0      0
    fioff          0x0      0
    foseg          0x0      0
    fooff          0xbffff8a4       -1073743708
    fop            0x0      0
    (gdb)
    
    The bug was found with BOS, a Binary Overflow Scanner tool made
    by the 2xs Security team.
    
    At this point we shall not release an exploit.
    For Questions or Comments:
    
    Ehud Tenenbaum <analyzerat_private> CTO & Project manager.
    Izik Kotler <izikat_private> Senior programmer.
    Mixter <mixterat_private> Senior programmer.
    acz <aczat_private> QA/Programmer.
    
    -- 
    ------------
    Ehud Tenenbaum
    C.T.O & Project Manager 
    2xs LTD. 
    Tel: 972-9-9519980
    Fax: 972-9-9519982
    E-Mail: ehudat_private
    ------------ 
                                     Have A Safe Day
    
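A bounds-checked reader for the EDITOR value, added here as an illustration of the fix for the bug class shown in the session above; it is not code from elm or from 2xs. The buffer size EDITOR_BUFSZ, the function names and the fallback of "vi" are assumptions. It rejects the constructed 2000-byte run of 'A' (0x41, the value that landed in eax and esi above) instead of copying it unchecked into a fixed buffer.

```c
#include <stdlib.h>
#include <string.h>

/* Fixed-size editor buffer: an assumed value for this illustration,
 * not taken from elm's source. */
#define EDITOR_BUFSZ 128

/* Fallback when the environment value is missing or rejected (assumed). */
static const char *DEFAULT_EDITOR = "vi";

/* Replacement for the unchecked copy that an overlong EDITOR overflows:
 * copy only if the value plus its NUL fits in out[], otherwise leave out[]
 * untouched and return -1. Non-printable bytes are rejected too, since the
 * value ends up on a command line. Returns 0 on success. */
int read_editor_env(const char *envval, char *out, size_t outlen) {
    if (envval == NULL || out == NULL || outlen == 0) return -1;
    size_t n = 0;
    while (n < outlen && envval[n] != '\0') n++;   /* never scans past outlen */
    if (n == 0 || n >= outlen) return -1;           /* empty, or would not fit */
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)envval[i];
        if (c < 0x20 || c > 0x7e) return -1;
    }
    memcpy(out, envval, n + 1);
    return 0;
}

/* Honour EDITOR when it is sane, else use DEFAULT_EDITOR.
 * Returns 1 if the fallback was used, 0 otherwise. */
int choose_editor(const char *envval, char *out, size_t outlen) {
    if (read_editor_env(envval, out, outlen) == 0) return 0;
    size_t n = strlen(DEFAULT_EDITOR);
    if (n + 1 > outlen) { if (outlen) out[0] = '\0'; return 1; }
    memcpy(out, DEFAULT_EDITOR, n + 1);
    return 1;
}

/* Chooses from envval into a local buffer; returns the fallback flag,
 * or -1 if the chosen string differs from expect. */
int editor_choice_is(const char *envval, const char *expect) {
    char editor[EDITOR_BUFSZ];
    int fell_back = choose_editor(envval, editor, sizeof editor);
    return strcmp(editor, expect) == 0 ? fell_back : -1;
}

/* Constructed input mirroring the advisory: 2000 bytes of 'A'.
 * Returns 1 if it was rejected and the fallback was chosen. */
int overlong_editor_is_rejected(void) {
    char *big = malloc(2001);
    if (big == NULL) return -1;
    memset(big, 'A', 2000);
    big[2000] = '\0';
    int rc = editor_choice_is(big, DEFAULT_EDITOR);
    free(big);
    return rc;
}
```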