Sorry, I am immensely bored today so I am actually reading email!
It's actually a problem with /bin/mail and how it handles the CC field.
/bin/mail -s Test -c `perl -e 'print "A" x 8224'` [EMAIL PROTECTED]
segfaults and overwrites eip at 8224 characters (segfaults without eip
at 8220).
You don't have to be using zsh to create this problem.
There isn't really a lot of worry unless /bin/mail was setuid/setgid...
Easy to spawn a shell. I've put a messy perl exploit together
(www.vulndev.org); run it, insert your '.' and <CR> and you should get a
shell.
--
Mark
www.vulndev.org
'If ignorant both of the enemy and yourself,
you are certain in every battle to be in peril'
If you know yourself, knowing the enemy does not matter.
-- Sun Tzu - The Art of War
(Adapted)