==============Original message text===============
From: Magosányi Árpád <mag@???>
To: VULN-DEV@??? <VULN-DEV@???>
Date: Thursday, January 11, 2001, 5:51:34 AM
Subject: exim and ip options?
Hi!
I have found some very interesting code in exim.
(it is at least in 3.12 - 3.20)
src/smtp_in.c, in function smtp_start_session(),
when it handles IP options:
    default:
      {
      int i;
      strcat(p, "[");
      p += 2;
      for (i = 0; i < opt[1]; i++)
        {
        sprintf(p, "%2.2x ", opt[i]);
        p += 3;
        }
      *p++ = ']';
      }
    opt += opt[1];
    break;
    }
  }
p is a pointer (initially) inside a "big" buffer with a length of
1024. It seems to be a nice opportunity for a buffer overrun,
except that it is on the heap and very limited in the usable opcodes.
I am not able to write an exploit, or even to confirm
the exploitability of such code.
Any ideas?
Please cc: me as I am not on the list.
--
GNU GPL: only from a pure source
===========End of original message text===========
--
Dimitry
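For comparison with the loop quoted above, here is an added example (not exim's code, and not part of either message) of the same "[xx xx ... ]" formatting written so that it cannot run past the end of its output buffer; the function names, the BIGBUF constant and the sample option bytes are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

#define BIGBUF 1024   /* size of the "big" buffer named in the message */

/* Format one IP option (opt[1] is its length byte) as "[xx xx ... ]", the
 * same shape the quoted loop produces, but never past out + avail.
 * Returns characters written, or -1 if it would not fit or the option is
 * malformed (a zero length byte would never advance the caller's pointer). */
int ipopt_format_one(char *out, size_t avail, const unsigned char *opt)
{
    size_t len  = opt[1];
    size_t need = 1 + 3 * len + 1 + 1;   /* "[" + "xx " per byte + "]" + NUL */
    if (len == 0 || need > avail)
        return -1;
    size_t n = 0;
    out[n++] = '[';
    for (size_t i = 0; i < len; i++)
        n += (size_t)snprintf(out + n, avail - n, "%2.2x ", opt[i]);
    out[n++] = ']';
    out[n] = '\0';
    return (int)n;
}

/* Walk a whole options block (advancing with opt += opt[1] like the original
 * default case, so every option is treated as carrying a length byte) and
 * append each formatted option to out. Returns total characters, or -1 on
 * the first option that is malformed, runs past optlen, or would overflow. */
int ipopt_format_all(char *out, size_t avail, const unsigned char *opts, size_t optlen)
{
    size_t off = 0, n = 0;
    while (off < optlen) {
        if (off + 1 >= optlen || off + opts[off + 1] > optlen)
            return -1;                        /* length byte points past the block */
        int w = ipopt_format_one(out + n, avail - n, opts + off);
        if (w < 0)
            return -1;
        n   += (size_t)w;
        off += opts[off + 1];
    }
    return (int)n;
}

int main(void)
{   /* constructed sample: a 4-byte option followed by a 3-byte option */
    const unsigned char sample[] = { 0x83, 0x04, 0x0a, 0x00, 0x44, 0x03, 0x00 };
    char big[BIGBUF] = "";
    printf("%d %s\n", ipopt_format_all(big, sizeof big, sample, sizeof sample), big);
    return 0;
}
```

With the sample block the bounded walker returns 25 and fills the buffer with "[83 04 0a 00 ][44 03 00 ]"; the same block offered only 20 bytes of output space is refused with -1 instead of being written past the end.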