Local buffer overflow on Aeon<=0.2a

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Local buffer overflow on Aeon<=0.2a
From: <patr0n@xxxxx>
Date: 4 Apr 2005 21:28:22 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm


#######################################################################

Application:  Aeon
              http://www.abenetkiewicz.neostrada.pl
Versions:     <= 0.2a
Platforms:    Linux
Bug:          buffer-overflow
Exploitation: local
Date:         04 Apr 2005
Author:       patr0n
              e-mail: patr0n@xxxxx
              web:    http://security-tmp.h14.ru

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Aeon is mail relay agent for Linux. It uses only personal configuration 
files, it does not have any support for aliases, groupmail etc. 
No advanced technology included :) It is not a daemon, it just takes 
the message from MUA and relays it to your smtp server. Nothing more, 
nothing less.

#######################################################################

======
2) Bug
======

The application is affected by a buffer-overflow in the function 
getConfig().
This function uses a strcpy() with a local buffer of 512 bytes where
it stores the text from environment HOME.

lib_aeon.c:
//--------------cut------------------

int getConfig(char settings[MAX_SETTINGS][MAX_LEN])
{
        char home[MAX_LEN];
//...................................
strcpy(home, getenv("HOME"));
        
//--------------cut------------------

The result is that an attacker could raise his privileges.

#######################################################################

===========
3) The Code
===========

You can view POC code from 
http://security-tmp.h14.ru/exploits/23laeon.c.txt

#######################################################################

======
4) Fix
======

No fix.

#######################################################################

--- 
patr0n
http://security-tmp.h14.ru

Prev by Date: SUSE Security Announcement: kernel local privilege escalation (SUSE-SA:2005:021)
Next by Date: AW: PayPal "security" measures
Previous by thread: SUSE Security Announcement: kernel local privilege escalation (SUSE-SA:2005:021)
Next by thread: Microsoft Windows Internet Name Service (WINS) Remote Heap Overflow Exploit
Index(es):
- Date
- Thread