Solaris DTMail Mail Environment Variable Buffer Overflow Vulnerability

Solaris DTMail Mail Environment Variable Buffer Overflow Vulnerability

dtmail is an application included with the Common Desktop Environment, one of the X Window Managers included with Solaris.

A buffer overflow in dtmail makes it possible for a local user to gain elevated privileges. Due to improper bounds checking, it is possible to cause a buffer overflow in dtmail by filling the MAIL environment variable with 2000 or more characters. This results in the overwriting of stack variables, including the return address, and can allow a local user to gain an effective GID of mail.