Title: Solaris mailx -F Buffer Overflow Vulnerability
Severity: MODERATE
Description:
Solaris is the variant of the UNIX Operating System distributed by Sun Microsystems. Solaris is designed as a scalable operating system for the Intel x86 and Sun Sparc platforms, and operates on machines varying from desktop to enterprise server.
A problem in the checking if input to the -F option of the mailx program makes it possible for a user execute code on a local system, and gain elevated privileges.
The problem occurs in handling of a long string of characters by the -F flag. The -F flag is used to record the mail sent. When a mail is sent using the -F flag, the contents of the mail are saved in the to a file, the filename being that of the first recipient in the email.
By supplying a name exceeding 1150 characters as the first recipient of an email, a buffer overflow occurs in the -F option, allowing the overwriting of stack variables, including the return address. Since the mailx program is setGID mail, this vulnerability can be exploited to execute arbitrary code, and gain an EGID of mail.
Affected Products:
- Sun Solaris 2.5.1
- Sun Solaris 2.5.1_x86
- Sun Solaris 2.6
- Sun Solaris 2.6_x86
- Sun Solaris 7.0
- Sun Solaris 7.0_x86
- Sun Solaris 8
- Sun Solaris 8_x86
Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.
