
EFax UUCP-style Lock File Command Line Option Buffer Overflow Vulnerability

efax is an easy-to-use fax utility that ships with a number of Linux distributions. efax also ships with the KDE desktop.

efax does not perform proper bounds checking on command line options. In particular, the buffer for the -x switch can be overrun, causing memory to be overwritten. As a result, an attacker may be able to overwrite stack variables, such as the return address, and cause attacker-supplied instructions to be executed.

efax is not installed setuid root in most circumstances. However, it may be installed setuid root when built from scratch by a user. This is known to be the case with the version of efax that the kde-2.2.1 source build and install ships as part of the klprfax app in the kdeutils package. The issue of efax being installed setuid root has apparently been remedied in the kde-2.2.2 source build. This does not rule out other instances where efax is installed with setuid root privileges.

If efax is installed setuid root, this vulnerability may allow a local attacker to escalate their privileges to those of the root user.
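
The bug class described above, shown as an added example that is not efax's own source: a fixed-size buffer filled from the -x argument with no length check, next to a bounded version that rejects oversized input. The buffer size, the function names and the sample lock file path are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define LOCK_NAME_MAX 64   /* assumed buffer size, for illustration only */

/* Vulnerable pattern: copies the -x argument with no length check.
   An argument of LOCK_NAME_MAX bytes or more writes past the end of dst. */
void set_lock_unchecked(char *dst, const char *arg)
{
    strcpy(dst, arg);
}

/* Hardened form: measure first and refuse oversized input rather than
   truncate (a silently truncated name would lock the wrong file). */
int set_lock_checked(char *dst, const char *arg)
{
    size_t n = strlen(arg);
    if (n == 0 || n >= LOCK_NAME_MAX)
        return -1;
    memcpy(dst, arg, n + 1);   /* n + 1 includes the terminating NUL */
    return 0;
}

/* Hypothetical option scan: find "-x <name>" in argv and validate it.
   Returns 1 if a name was stored, 0 if -x is absent, -1 on bad input. */
int parse_lock_option(int argc, char **argv, char *dst)
{
    for (int i = 1; i < argc; i++) {
        if (strcmp(argv[i], "-x") != 0)
            continue;
        if (i + 1 >= argc)
            return -1;         /* -x given without a value */
        return set_lock_checked(dst, argv[i + 1]) == 0 ? 1 : -1;
    }
    return 0;
}

int main(void)
{
    char lock[LOCK_NAME_MAX];
    char longarg[4 * LOCK_NAME_MAX];
    memset(longarg, 'A', sizeof longarg - 1);   /* constructed oversized value */
    longarg[sizeof longarg - 1] = '\0';
    char *ok[]  = { "efax", "-x", "/var/lock/LCK..ttyS1" };  /* constructed */
    char *bad[] = { "efax", "-x", longarg };
    printf("normal:    %d\n", parse_lock_option(3, ok, lock));
    printf("oversized: %d\n", parse_lock_option(3, bad, lock));
    return 0;
}
```

In a setuid program the rejection path should exit before any privileged work is done, since every command line argument is under the invoking user's control.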

Copyright 2008, SecurityFocus