J-Security Center

Title: Mailx Buffer Overflow Vulnerability

Severity: MODERATE

Description:

Most free Unix operating systems ship with command-line e-mail utilities, and one of the popular packages is BSD Mailx. The 'mail' program, a component of Mailx, contains a buffer overflow vulnerability that may be exploitable by local users.

The overflow condition occurs when a user running the 'mail' utility supplies the 't' command with an argument made up of a large number of numeric characters. The 't' command is used to read a specific message and takes the number of that message as its argument.

While this string is being interpreted as a numerical value, a stack-based buffer overflow occurs if it contains too many numeric characters. It may be possible to exploit this vulnerability in the typical stack overflow manner: an exploit program overwrites a return address on the stack with a pointer to supplied shellcode. The fact that only characters representing numerals can be used may complicate or limit exploitability.

On some systems this utility is installed setgid 'mail'. Where that is the case, the buffer overflow can be used to execute arbitrary code with those elevated group privileges.
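The digit-parsing flaw described above, as an added illustration that is not the advisory's or Mailx's own code: a hypothetical unbounded copy of the 't' argument's digits into a fixed stack buffer, beside a hardened parser that bounds the digit count before converting, checks strtol's overflow reporting, and rejects message numbers outside the mailbox (the function names, NUMBUF and MAX_DIGITS are assumptions).

```c
#include <ctype.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical sketch of the flawed pattern (not Mailx's actual code):
 * digits are copied into a fixed stack buffer with no bound on their
 * count, so an over-long numeric argument overwrites the stack frame. */
#define NUMBUF 16
int parse_msgno_unsafe(const char *arg)
{
    char buf[NUMBUF];
    size_t i = 0;
    while (isdigit((unsigned char)arg[i])) {
        buf[i] = arg[i];            /* never checks i < NUMBUF */
        i++;
    }
    buf[i] = '\0';
    return atoi(buf);
}

/* Hardened form: refuse over-long input before touching any buffer,
 * accept decimal digits only, let strtol report numeric overflow via
 * ERANGE instead of silently wrapping, and require 1 <= n <= nmsgs.
 * Returns the message number on success, -1 on any error. */
#define MAX_DIGITS 9   /* far more than any realistic mailbox needs */
int parse_msgno_safe(const char *arg, int nmsgs)
{
    size_t len = strlen(arg);
    if (len == 0 || len > MAX_DIGITS)
        return -1;                  /* empty or suspiciously long */
    for (size_t i = 0; i < len; i++)
        if (!isdigit((unsigned char)arg[i]))
            return -1;              /* only decimal digits allowed */
    errno = 0;
    char *end;
    long v = strtol(arg, &end, 10);
    if (errno == ERANGE || *end != '\0' || v < 1 || v > nmsgs)
        return -1;                  /* overflow, junk, or out of range */
    return (int)v;
}
```

The length check alone would have stopped the condition the advisory describes; the remaining checks close the numeric-overflow and out-of-range cases that a bounded copy still leaves open.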

Affected Products:

  • Caldera OpenLinux 2.3.0
  • Debian Linux 2.2.0
  • SCO eDesktop 2.4.0
  • SCO eServer 2.3.1
  • SGI IRIX 6.5.0
  • SGI IRIX 6.5.1
  • SGI IRIX 6.5.10
  • SGI IRIX 6.5.11f
  • SGI IRIX 6.5.11m
  • SGI IRIX 6.5.12f
  • SGI IRIX 6.5.12m
  • SGI IRIX 6.5.13f
  • SGI IRIX 6.5.13m
  • SGI IRIX 6.5.14f
  • SGI IRIX 6.5.14m
  • SGI IRIX 6.5.15f
  • SGI IRIX 6.5.15m
  • SGI IRIX 6.5.2
  • SGI IRIX 6.5.3
  • SGI IRIX 6.5.4
  • SGI IRIX 6.5.5
  • SGI IRIX 6.5.6
  • SGI IRIX 6.5.7
  • SGI IRIX 6.5.8
  • SGI IRIX 6.5.9
  • Slackware Linux 7.0.0
