On Mon, 2001-10-01 at 04:57:14, Gerald Goebel wrote:

> >   Sorry guys for replying to my own message twice, but I've got more
> > exciting news and updated information about the bug. The problem is not big
> > header in general, but big 'To:' field (and possibly others). Yes, it
> > happens that e-mail messages have To: field composed of 50 or more lines
> > (I've got loads of monster-messages like this stuffing my mail queue). There
> > must be a buffer overrun somewhere there, possibly in the code generating
> > notify (I use notify through a unix socket). Who knows, that might even
> > be a remotely exploitable hole if that's a classic buffer overrun.
> > 
> >  I'm sending Cc: of this letter to [EMAIL PROTECTED]
> 
> If you are using fetchmail look here:
> 
> Thomas Biege wrote:
> > 
> >   Fetchmail is a tool for retrieving and forwarding mail. Two vulnerabilities
> >   in the code of fetchmail were found in the last weeks.
> >     1.) By sending a header with a large "To:" line a buffer overflow will
> >         be triggered in the header parsing code.

 [ ... ]

  I don't use fetchmail at the moment but I see that in cyrus code elementary
programming bugs can be found. Look at this fragment from notify_unix.c:

void notify(const char *class,
            const char *instance,
            const char *user,
            const char *mailbox,
            const char *message)
{

    char messageToSend[2048];   /* fixed-size destination buffer */
    char dir[DIRSIZE];

[...]

    memset( messageToSend, 0, sizeof(messageToSend));
    /* unbounded sprintf: the five caller-supplied strings can exceed 2048 bytes */
    sprintf (messageToSend,"%s\n%s\n%s\n%s\n%s\n",class,instance,user,mailbox,message);


  It's obvious that a To: field longer than about 2000 bytes will crash the
lmtpd or even allow hackers to exploit it remotely, at least when notify_unix
is activated.

  I spent a few days figuring out why this beast was crashing. And all
because lots of people still are unaware of elementary secure programming
issues, hence they make trivial mistakes such as sprintf()-ing a variable-length
string into a fixed size buffer. Sigh...

Cheers,
-- 
Szymon Juraszczyk, [EMAIL PROTECTED]
Surfland Computer Systems S.A.
tel. +48 71 78-02-952, http://www.ssk.com.pl/
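A bounded version of the notify() fragment quoted above, added here as an example (not Cyrus code): snprintf() is given the buffer size, its return value is used to detect that the fields would not have fit, and an oversized constructed "To:" value of about 3000 bytes is refused instead of running past the 2048-byte buffer. The function names and sample field values are assumptions for the example.

```c
#include <stdio.h>
#include <string.h>

#define MSG_BUF 2048   /* same size as messageToSend in the quoted fragment */

/* Bounded replacement for the sprintf() call in the quoted notify().
 * Returns the number of bytes written, or -1 if the five fields plus their
 * separators would not fit in outlen bytes (the buffer is then left empty). */
int build_notify_message(char *out, size_t outlen,
                         const char *class, const char *instance,
                         const char *user, const char *mailbox,
                         const char *message)
{
    if (out == NULL || outlen == 0)
        return -1;
    /* snprintf never writes past outlen; its return value is the length the
     * complete message would have had, which is how truncation is detected. */
    int n = snprintf(out, outlen, "%s\n%s\n%s\n%s\n%s\n",
                     class, instance, user, mailbox, message);
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';
        return -1;
    }
    return n;
}

/* Normal-sized notification with constructed field values: fits easily. */
int demo_ok(void)
{
    char buf[MSG_BUF];
    return build_notify_message(buf, sizeof buf,
                                "MAIL", "deliver", "alice", "INBOX", "hello");
}

/* Constructed stand-in for a multi-line "To:" header of ~3000 bytes. With
 * the original sprintf() this would overrun messageToSend; here the call
 * is refused and nothing is written beyond the buffer. */
int demo_oversized(void)
{
    char buf[MSG_BUF];
    char big_to[3001];
    memset(big_to, 'A', sizeof big_to - 1);
    big_to[sizeof big_to - 1] = '\0';
    return build_notify_message(buf, sizeof buf,
                                "MAIL", "deliver", "alice", "INBOX", big_to);
}

int main(void)
{
    printf("normal: %d bytes, oversized: %d\n", demo_ok(), demo_oversized());
    return 0;
}
```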
