From zillion@snosoft.com Fri May 31 17:53:32 2002
From: zillion
To: bugtraq@securityfocus.com
Cc: staff@safemode.org
Date: Fri, 31 May 2002 14:59:41 -0400 (EDT)
Subject: SRT Security Advisory (SRT2002-04-31-1159): Mnews

======================================================================
Strategic Reconnaissance Team Security Advisory (SRT2002-04-31-1159)

Topic  : Mnews local and remote overflow vulnerabilities
Date   : May 31, 2002
Credit : zillion[at]safemode.org
Site   : http://www.snosoft.com
======================================================================

.: Description:
---------------

Mnews is a small console-based email and news client which is often
installed setgid mail. Several local and remote overflows have been
identified in this package.

Local overflows were found in the -f, -n, -D, -M, -P parameters and in
the JNAMES, MAILSERVER environment variables.

The remote overflow resides in the code responsible for processing
responses received from the NNTP server. For example the following
response will result in an overflow:

200

If you look at the source code of mnews you will see that this package
is very outdated and dangerous to use on today's Internet.

.: Impact:
----------

Local users might be able to elevate their privileges on the affected
systems. Remote malicious server owners can use mnews to penetrate an
affected system.

We strongly recommend that you stop using mnews.

.: Systems Affected:
--------------------

Systems running the mnews package version 1.22 are affected. It is
very likely that older versions are also affected.

.: Proof of Concept:
--------------------

A working exploit that illustrates the danger of this package will be
released soon.
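
The remote issue described above comes from copying an NNTP server response into a fixed-size buffer. The following is an added example, not mnews source and not part of the original advisory: a bounded status-line parser in C that rejects an overlong response instead of copying it. The function name, buffer size and error codes are assumptions chosen for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NNTP_TEXT_MAX 128 /* assumed size of the client's fixed text buffer */

enum { NNTP_OK = 0, NNTP_BAD_CODE = -1, NNTP_TOO_LONG = -2, NNTP_UNTERMINATED = -3 };

/* Parse one status line ("200 text\r\n") held in raw[0..len).
 * len is the byte count returned by the read call; nothing here relies on
 * the server having sent a NUL terminator or a line of reasonable length. */
int parse_nntp_status(const char *raw, size_t len, int *code, char text[NNTP_TEXT_MAX])
{
    const char *eol = memchr(raw, '\n', len);
    if (eol == NULL)
        return NNTP_UNTERMINATED;          /* no complete line received yet */
    size_t n = (size_t)(eol - raw);
    if (n > 0 && raw[n - 1] == '\r')
        n--;                               /* drop the CR of CRLF */
    if (n < 3 || !isdigit((unsigned char)raw[0]) ||
        !isdigit((unsigned char)raw[1]) || !isdigit((unsigned char)raw[2]))
        return NNTP_BAD_CODE;
    if (n > 3 && raw[3] != ' ')
        return NNTP_BAD_CODE;              /* code must be followed by a space */
    size_t tlen = n > 4 ? n - 4 : 0;
    if (tlen >= NNTP_TEXT_MAX)
        return NNTP_TOO_LONG;              /* refuse: do not truncate or overflow */
    if (tlen > 0)
        memcpy(text, raw + 4, tlen);
    text[tlen] = '\0';
    *code = (raw[0] - '0') * 100 + (raw[1] - '0') * 10 + (raw[2] - '0');
    return NNTP_OK;
}

int main(void)
{
    /* Constructed sample input: a normal greeting and an oversized one. */
    const char ok[] = "200 news.example.test ready\r\n";
    char big[1024], text[NNTP_TEXT_MAX];
    int code = 0;

    memset(big, 'A', sizeof big);
    memcpy(big, "200 ", 4);
    big[sizeof big - 1] = '\n';
    printf("normal:   %d\n", parse_nntp_status(ok, sizeof ok - 1, &code, text));
    printf("overlong: %d\n", parse_nntp_status(big, sizeof big, &code, text));
    return 0;
}
```

A client that gets NNTP_TOO_LONG or NNTP_BAD_CODE should drop the connection rather than try to resynchronise with a server it cannot trust.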