Date: Fri, 21 Apr 2000 17:57:35 +0400
From: 3APA3A <3APA3A@SECURITY.NNOV.RU>
To: sendmail-bugs@sendmail.org, ports@FreeBSD.org
Subject: unsafe fgets() using in mail.local
Message-ID: <3748.000421@SECURITY.NNOV.RU>

Hello,

Topic: unsafe fgets() using in mail.local

Software affected: mail.local from FreeBSD and sendmail distribution.

Description: A malicious user can corrupt a user's mailbox, causing the user to lose an email message.

Background: On Unix systems, e-mail delivered to a user is usually stored in his mailbox, which has a predefined format (the so-called "unix mailbox" or "Berkeley mailbox"). This mailbox holds messages in plain format, separated by an empty line ("\n") and a specially formed "From " header. The pattern of the next message in the mailbox is "\n\nFrom ". When a local mail program (e.g. mail.local) delivers a message to a user's mailbox, it searches for this pattern, and if the message contains one, "From " will be commented out by '>' and an additional '\n' will be added to the message if necessary. This assures mailbox integrity and protects from e-mail spoofing.

Problem description: When parsing incoming email, mail.local uses an fgets() call with buffer size 2048. If the last line of the message is exactly 2048 bytes, fgets() will return 2 strings and the last one will be "\n". In this case mail.local will not add the '\n' character to the end of the email, and the next message in the unix (Berkeley) mailbox (if there is one) will be "glued" to this one. By specially crafting an e-mail message, an attacker can cause a user to lose one message which comes after the attacker's one.

http://www.security.nnov.ru
You know my name - look up my number (The Beatles)
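
The chunking behaviour reported above can be reproduced with a small model of the delivery loop; this is an added example, not part of the original message and not mail.local's source. Only the 2048-byte buffer and the lone "\n" chunk come from the report; `deliver`, `next_is_glued`, the `at_bol` line-start tracking and the sample message are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define BUFSZ 2048 /* fgets() buffer size named in the report */
/* Copy one message to the mailbox; return 1 if a separator '\n' was added.
 * naive=1: any chunk equal to "\n" counts as a blank line (reported flaw).
 * naive=0: it counts only when the previous chunk ended a line. */
int deliver(FILE *in, FILE *mbox, int naive)
{
    char line[BUFSZ];
    int at_bol = 1, blank_last = 0;
    while (fgets(line, sizeof line, in)) {
        blank_last = line[0] == '\n' && (naive || at_bol);
        if (at_bol && strncmp(line, "From ", 5) == 0)
            fputc('>', mbox);            /* escape a forged separator */
        fputs(line, mbox);
        at_bol = strchr(line, '\n') != NULL;
    }
    if (!at_bol) fputc('\n', mbox);      /* terminate an unfinished line */
    if (blank_last) return 0;            /* message already ends blank */
    fputc('\n', mbox);                   /* blank line before next "From " */
    return 1;
}

/* Constructed input: the last body line is `len` bytes including '\n'.
 * Returns 1 when the next message's "From " line has no blank line before it. */
int next_is_glued(size_t len, int naive)
{
    static char box[3 * BUFSZ];
    FILE *in = tmpfile(), *mbox = tmpfile();
    size_t i;
    if (!in || !mbox) return -1;
    fputs("Subject: constructed sample\n\n", in);
    for (i = 1; i < len; i++) fputc('A', in);
    fputc('\n', in);
    rewind(in);
    deliver(in, mbox, naive);
    fputs("From next@example.invalid Fri Apr 21 00:00:00 2000\n", mbox);
    rewind(mbox);
    box[fread(box, 1, sizeof box - 1, mbox)] = '\0';
    fclose(in); fclose(mbox);
    return strstr(box, "\n\nFrom ") == NULL;
}

int main(void)
{
    printf("naive=%d line-aware=%d\n", next_is_glued(2048, 1), next_is_glued(2048, 0));
    return 0;
}
```

Deciding "blank line" from line-start state rather than from the chunk contents makes the result independent of where fgets() happens to split a long line.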