COMMAND

    elm

SYSTEMS AFFECTED

    elm-2.5.alpha3

PROBLEM

    'Flatline' found following.   HP-UX 11.00 ships with  a vulnerable
    version  of   the  elm   MUA,  it   contains  a   buffer  overflow
    vulnerability in the -s (subject) argument.

    He found that  version 2.5.0 had  the bug fixed  so he looked  for
    older versions to check and it seems that the most recent  version
    to contain this bug was 2.5.alpha3.

    'Flatline'  has  only  tested  this  on  HP-UX 11.00, although any
    system shipped  with elm-2.5.alpha3  is almost  certainly affected
    by this bug.

    This program is setgid mail,  so an attacker could gain  egid mail
    on the system and read/modify other users' mail.  Example:

        (achter05@oege) /user2/i99/achter05 $ uname -a
        HP-UX oege B.11.00 D 9000/887 1948791292 64-user license
        (achter05@oege) /user2/i99/achter05 $ elm -s `perl -e '{print "A"x5376}'`
        some_recipient
        Segmentation fault
        (achter05@oege) /user2/i99/achter05 $

    5376 characters worked, you might need a bit more or a bit less to
    accomplish the same effect on your system.

    Problematic code, in args.c, function 'parse_arguments':

                 to_whom[0] = '\0';
                 batch_subject[0] = '\0';
                 included_file[0] = '\0';
        
                 while ((c = getopt(argc, argv, "?acd:f:hi:kKms:tVvz")) != EOF) {
                    switch (c) {
                      case 'a' : arrow_cursor++;         break;
                      case 'c' : check_only++; use_tite = 0;     break;
                      case 'd' : debug = atoi(optarg);   break;
         >>           case 'f' : strcpy(req_mfile, optarg);      break;
                      case '?' :
                      case 'h' : args_help();
         >>           case 'i' : strcpy(included_file, optarg);  break;
                      case 'k' : hp_terminal++;  break;
                      case 'K' : hp_terminal++; hp_softkeys++;   break;
                      case 'm' : mini_menu = 0;  break;
         >>           case 's' : strcpy(batch_subject, optarg);  break;
                      case 't' : use_tite = 0;   break;
                      case 'V' : sendmail_verbose++;     break;
                      case 'v' : args_version();
                      case 'z' : check_size++;   break;
                     }
                  }

    'Flatline' also pointed  out other insecure  (non-bounds checking)
    strcpy()  calls,  but  those  vulnerabilites  have  been  reported
    before.  All vulnerable  strcpy() statements copy a  user supplied
    string into a buffer of SLEN (256) bytes.  Feeding the argument  a
    string of more than 256 characters in length will crash it.

        hdrs/defs.h:#define SLEN                256         /* long for ensuring no overwrites... */

    It's interesting to see that  the author thought his buffers  were
    safe by using a seemingly large buffer length.  Another thing that
    raised our  eyebrows was  the fact  that the  '-f' overflow was in
    fact fixed in this install and  the '-i' and '-s' were not  (while
    suffering from the exact same overflow conditions).

SOLUTION

    HP-UX 11.00 ships with an  older (hacked?) version of the  elm MUA
    so all  you'd have  to do  is download  the latest  stable version
    (2.5.3) from:

        http://www.instinct.org/elm/files/tarballs/elm2.5.3.tar.gz

    You could also remove the setgid bit and wait for HP to officially
    issue a patch.