Local buffer overflow on Aeon<=0.2a
#######################################################################
Application: Aeon
http://www.abenetkiewicz.neostrada.pl
Versions: <= 0.2a
Platforms: Linux
Bug: buffer-overflow
Exploitation: local
Date: 04 Apr 2005
Author: patr0n
e-mail: patr0n@xxxxx
web: http://security-tmp.h14.ru
#######################################################################
1) Introduction
2) Bug
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
Aeon is mail relay agent for Linux. It uses only personal configuration
files, it does not have any support for aliases, groupmail etc.
No advanced technology included :) It is not a daemon, it just takes
the message from MUA and relays it to your smtp server. Nothing more,
nothing less.
#######################################################################
======
2) Bug
======
The application is affected by a buffer-overflow in the function
getConfig().
This function uses a strcpy() with a local buffer of 512 bytes where
it stores the text from environment HOME.
lib_aeon.c:
//--------------cut------------------
int getConfig(char settings[MAX_SETTINGS][MAX_LEN])
{
char home[MAX_LEN];
//...................................
strcpy(home, getenv("HOME"));
//--------------cut------------------
The result is that an attacker could raise his privileges.
#######################################################################
===========
3) The Code
===========
You can view POC code from
http://security-tmp.h14.ru/exploits/23laeon.c.txt
#######################################################################
======
4) Fix
======
No fix.
#######################################################################
---
patr0n
http://security-tmp.h14.ru