Hi,

Elm 2.5 PL6, of August 7, 2001 isn't affected as you can see:

# export EDITOR=`perl -e 'print "A" x 2000;'`
# elm

Notice: ELM requires an ".elm" subdirectory off your home directory
to hold information such as your configuration preferences (the
"elmrc" file) and aliases.

May I create this directory for you (yes/no/quit) ? [y] : n
Very well, but you may run into difficulties later.

Nothing happens. I don't think my version is old enough to manifest this
vulnerability.

Thanks
Noam Rathaus
http://www.SecurITeam.com
http://www.BeyondSecurity.com

----- Original Message -----
From: "Ehud Tenenbaum" <analyzerat_private>
To: <vuln-devat_private>
Sent: Sunday, February 24, 2002 08:45
Subject: elm bug ver 2.5.3 maybe others. (not suid on linux but suid on other OS.)

> Hey,
>
> 2xs Security team found a new bug in elm, although it's not suid
> on linux systems (redhat 6.2, mandrake 8.0, slackware 7.1) we
> believe it's suid on other kinds of *nix OS such as HP-UX
>
> w00p@Analyzer:/tmp/w00p/elm2.5.3/bin$ id
> uid=100(w00p) gid=100(users) groups=100(users)
> w00p@Analyzer:/tmp/w00p/elm2.5.3/bin$
>
> w00p@Analyzer:/tmp/w00p/elm2.5.3/bin$ export EDITOR=`perl -e 'print "A"
> x 2000;'`
> w00p@Analyzer:/tmp/w00p/elm2.5.3/bin$ elm
>
> Notice: ELM requires an ".elm" subdirectory off your home directory
> to hold information such as your configuration preferences (the
> "elmrc" file) and aliases.
>
> May I create this directory for you (yes/no/quit) ? [y] : n
> Segmentation fault
> w00p@Analyzer:/tmp/w00p/elm2.5.3/bin$
>
> w00p@Analyzer:/tmp/w00p/elm2.5.3/bin$ gdb ./elm
> GNU gdb 5.0
> Copyright 2000 Free Software Foundation, Inc.
> GDB is free software, covered by the GNU General Public License, and you
> are
> welcome to change it and/or distribute copies of it under certain
> conditions.
> Type "show copying" to see the conditions.
> There is absolutely no warranty for GDB. Type "show warranty" for
> details.
> This GDB was configured as "i386-slackware-linux"...
> (gdb) r
> Starting program: /tmp/w00p/elm2.5.3/bin/./elm
> warning: Unable to find dynamic linker breakpoint function.
> GDB will be unable to debug shared library initializers
> and track explicitly loaded dynamic code.
>
> Notice: ELM requires an ".elm" subdirectory off your home directory
> to hold information such as your configuration preferences (the
> "elmrc" file) and aliases.
>
> May I create this directory for you (yes/no/quit) ? [y] : n
>
> Program received signal SIGSEGV, Segmentation fault.
> 0x40074486 in catgets () from /lib/libc.so.6
> (gdb) where
> #0  0x40074486 in catgets () from /lib/libc.so.6
> #1  0x805b6a6 in create_private_dir ()
> #2  0x805b3fc in initialize ()
> #3  0x80520bd in main ()
> #4  0x4006faa7 in __libc_start_main () from /lib/libc.so.6
> (gdb) info registers
> eax            0x41414141       1094795585
> ecx            0x40014000       1073823744
> edx            0x0      0
> ebx            0x4013bed4       1075035860
> esp            0xbfffeca0       0xbfffeca0
> ebp            0xbfffecb4       0xbfffecb4
> esi            0x41414141       1094795585
> edi            0xbffff264       -1073745308
> eip            0x40074486       0x40074486
> eflags         0x10202  66050
> cs             0x23     35
> ss             0x2b     43
> ds             0x2b     43
> es             0x2b     43
> fs             0x0      0
> gs             0x0      0
> fctrl          0x37f    895
> fstat          0x0      0
> ftag           0xffff   65535
> fiseg          0x0      0
> fioff          0x0      0
> foseg          0x0      0
> fooff          0xbffff8a4       -1073743708
> fop            0x0      0
> (gdb)
>
> Bug was found with BOS, Binary Overflow Scanner tool made
> by 2xs Security team.
>
> At this point we shall not release an exploit.
> For Questions or Comments:
>
> Ehud Tenenbaum <analyzerat_private> CTO & Project manager.
> Izik Kotler <izikat_private> Senior programmer.
> Mixter <mixterat_private> Senior programmer.
> acz <aczat_private> QA/Programmer.
>
> --
> ------------
> Ehud Tenenbaum
> C.T.O & Project Manager
> 2xs LTD.
> Tel: 972-9-9519980
> Fax: 972-9-9519982
> E-Mail: ehudat_private
> ------------
> Have A Safe Day
>
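The crash above is the classic shape of a fixed-size buffer receiving an environment variable without a length check: a 2000-byte EDITOR value and registers full of 0x41414141 ("AAAA"). The C program below is an added example written for this thread, not elm's code and not from either poster; it shows the defect pattern only as a comment and implements the hardened form, a bounded copy that rejects oversize values and leaves the destination untouched, so the program can fall back to a default and log the rejection instead of corrupting its stack. EDITOR_MAX and the function names are assumptions chosen for illustration, and make_long_editor builds the same 2000-byte test value the thread used so the check can be exercised offline.

```c
/* Added example: bounded handling of an environment-supplied editor name.
 * Not elm's code. EDITOR_MAX is an assumed buffer size, not elm's. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define EDITOR_MAX 256 /* assumed fixed-size buffer, chosen for illustration */

/* Unbounded pattern (the kind of defect a 2000-byte EDITOR crash points at;
 * shown for contrast and never executed here):
 *
 *   char editor[EDITOR_MAX];
 *   strcpy(editor, getenv("EDITOR"));   no length check, no NULL check
 *
 * Anything longer than EDITOR_MAX - 1 bytes overruns the buffer. */

/* Hardened copy. Returns 0 on success, -1 for a NULL/empty destination or
 * NULL value, -2 if the value plus its NUL would not fit in outlen bytes.
 * On failure the destination is left untouched. */
int copy_editor(const char *value, char *out, size_t outlen)
{
    if (value == NULL || out == NULL || outlen == 0)
        return -1;

    /* Measure the value without reading past the space we can hold. */
    size_t n = 0;
    while (n < outlen && value[n] != '\0')
        n++;
    if (n == outlen)           /* no terminator within outlen bytes: too long */
        return -2;

    memcpy(out, value, n + 1); /* n + 1 <= outlen, copies the NUL as well */
    return 0;
}

/* Read EDITOR from the real environment, falling back to a default when it
 * is unset or rejected. Returns the copy_editor status for EDITOR itself so
 * the caller can log an oversize value rather than silently ignoring it. */
int load_editor(char *out, size_t outlen, const char *fallback)
{
    int rc = copy_editor(getenv("EDITOR"), out, outlen);
    if (rc != 0)
        copy_editor(fallback, out, outlen);
    return rc;
}

/* Construct the 2000-byte "AAAA..." value from the thread (caller frees). */
char *make_long_editor(size_t len)
{
    char *s = malloc(len + 1);
    if (s == NULL)
        return NULL;
    memset(s, 'A', len);
    s[len] = '\0';
    return s;
}

int main(void)
{
    char editor[EDITOR_MAX];
    char *longv = make_long_editor(2000);
    if (longv == NULL)
        return 1;

    int rc = copy_editor(longv, editor, sizeof editor);
    printf("2000-byte EDITOR: rc=%d (rejected, buffer untouched)\n", rc);

    rc = copy_editor("vi", editor, sizeof editor);
    printf("short EDITOR: rc=%d value=%s\n", rc, editor);

    rc = load_editor(editor, sizeof editor, "vi");
    printf("EDITOR from environment: rc=%d value=%s\n", rc, editor);

    free(longv);
    return 0;
}
```

The length loop deliberately stops at outlen rather than calling strlen on untrusted input, so a value without a terminator within the buffer's size is rejected without scanning further. In a real program the -2 return is worth logging: an environment variable thousands of bytes long is itself a signal worth a look.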
This archive was generated by hypermail 2b30 : Mon Feb 25 2002 - 17:31:06 PST