Linux ( Debian 1.3.1, Slackware 2.x )


    The following is based mostly on KSR[T] Advisory #006. deliver
    (version 2.0.12 and below) is a program that delivers mail once
    it has arrived at a given system. In the function copy_message(),
    there is a stack overwrite that can allow local users to execute
    arbitrary code as root. From copymsg.c:

        char    buf[BUFSIZ];
        b = (fgets(buf, GETSIZE(buf), stdin) ? TRUE : FALSE);
        from_line = copystr(buf);
        (void) strcpy(from_line, buf);
        (void) strcpy(buf, "Invalid-UUCP-From: ");
        (void) strcat(buf, from_line);

    If, in the above, buf is filled to BUFSIZ with data, the strcat()
    writes 19 bytes (the size of "Invalid-UUCP-From: ") past the end
    of buf. Unfortunately, that is enough to overwrite the return
    address in the stack frame. Users with an account on the machine
    can gain root access. Under certain situations this might be
    exploitable remotely.
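
    The fragment above rewritten with a bounded write, as an added
    example (not code from deliver or from the advisory). The names
    overflow_bytes() and build_invalid_from() are hypothetical, and
    the input is assumed to be at most BUFSIZ - 1 characters, the most
    fgets() stores in a BUFSIZ-byte buffer:

```c
#include <stdio.h>
#include <string.h>

#define PREFIX "Invalid-UUCP-From: "   /* 19 characters, as in copymsg.c */

/* Bytes the unbounded strcpy()+strcat() pair would write past a buffer of
 * bufsz bytes when prepending PREFIX to line; 0 if the result fits. */
size_t overflow_bytes(size_t bufsz, const char *line)
{
    size_t need = strlen(PREFIX) + strlen(line) + 1;   /* +1 for the NUL */
    return need > bufsz ? need - bufsz : 0;
}

/* Bounded replacement (hypothetical helper): writes PREFIX + line into
 * out[outsz]. Returns 0 on success; on truncation returns -1 and leaves
 * out empty so a clipped header is never delivered. line must not alias out. */
int build_invalid_from(char *out, size_t outsz, const char *line)
{
    int n;

    if (out == NULL || outsz == 0 || line == NULL)
        return -1;
    n = snprintf(out, outsz, "%s%s", PREFIX, line);
    if (n < 0 || (size_t)n >= outsz) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    char line[BUFSIZ], out[BUFSIZ];

    /* Constructed input: the longest string fgets() can store in a
     * BUFSIZ-byte buffer (BUFSIZ - 1 characters plus the NUL). */
    memset(line, 'A', sizeof(line) - 1);
    line[sizeof(line) - 1] = '\0';

    printf("unbounded write overruns by %lu bytes\n",
           (unsigned long)overflow_bytes(sizeof(out), line));
    printf("bounded write returns %d\n",
           build_invalid_from(out, sizeof(out), line));
    return 0;
}
```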


    Normally, Deliver is installed suid root. There are other buffer
    overflow bugs in versions of Deliver currently in use. If you
    use Deliver or know someone who does, upgrading to Deliver 2.1.13
    is strongly suggested. Here's one place to get it: