
Solaris dtmail Buffer Overflow Vulnerability

by phiber on July 25th, 2001

dtmail is a mail user agent (MUA) shipped as part of the Solaris CDE. It is installed setgid mail by default.

The vulnerability exists because dtmail does not bounds-check certain environment variables, which allows an attacker to trigger a buffer overflow.

If the MAIL environment variable is an over-long string (for instance, longer than 1500 bytes), a stack buffer overflow occurs. The attacker could overwrite the return address and run arbitrary code with mail group privileges.
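As an added illustration of the bug class described above (not dtmail's source, whose buffer size and copy routine the advisory does not show), here is the unbounded copy of an environment value into a stack buffer beside a bounded version that rejects an over-long MAIL value; the 1024-byte buffer, the function names and the constructed test inputs are assumptions.

```c
#include <stdlib.h>
#include <string.h>

/* Assumed buffer size; the advisory only says a MAIL value longer than
 * about 1500 bytes overflows dtmail's stack buffer. */
#define MAIL_BUF_LEN 1024

/* Vulnerable pattern (contrast only; never call with untrusted input):
 * strcpy() copies the whole value into a fixed stack buffer, so anything
 * beyond MAIL_BUF_LEN bytes overruns it and the saved return address. */
size_t mailbox_path_unchecked(const char *mail)
{
    char buf[MAIL_BUF_LEN];
    strcpy(buf, mail);                 /* no bound check: the defect */
    return strlen(buf);
}

/* Hardened form: a setgid program treats its environment as attacker
 * controlled. Measure the value with an explicit bound, reject (rather
 * than silently truncate) anything that does not fit with its NUL, and
 * copy exactly that many bytes. Returns 0 on success, -1 otherwise. */
int mailbox_path_checked(const char *mail, char *out, size_t outlen)
{
    size_t n;
    if (mail == NULL || outlen == 0)
        return -1;
    for (n = 0; n < outlen && mail[n] != '\0'; n++)
        ;                              /* never scans past outlen */
    if (n >= outlen)                   /* no room for the terminator */
        return -1;
    memcpy(out, mail, n + 1);
    return 0;
}

char demo_out[MAIL_BUF_LEN];            /* scratch buffer for callers */

/* Constructed input: a MAIL value of len 'A' bytes, as a hostile caller
 * could set it; returns the checked copy's verdict (0 or -1). */
int demo_check_mail_of_length(size_t len)
{
    char out[MAIL_BUF_LEN];
    char *mail = malloc(len + 1);
    int rc;
    if (mail == NULL)
        return -1;
    memset(mail, 'A', len);
    mail[len] = '\0';
    rc = mailbox_path_checked(mail, out, sizeof out);
    free(mail);
    return rc;
}
```

The checked version is the shape of fix a vendor patch applies; the workaround below removes the privilege that makes the overflow worth exploiting rather than the overflow itself.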



Workaround:

Drop the sgid mail attribute of dtmail:
# chmod g-s /usr/dt/bin/dtmail


Patches and updates

Solaris 2.6 with the following patches is not affected:

SunOS 5.6 SPARC : 105338-27

SunOS 5.6 x86 : 105339-25



Solaris 7 with the following latest patches is still affected:

SunOS 5.7 SPARC : 107200-12

SunOS 5.7 x86 : 107201-12

Solaris 8 is not affected.

If your system is not on the list, download a patch.


Exploit:

Download it here.


NSFocus Security Advisory

