Vulnerability Development mailing list archives
Re: Buffer overflow in procmail [suid!]
From: Aaron Campbell <aaron () CS DAL CA>
Date: Thu, 10 Aug 2000 12:19:25 -0300
On Thu, 10 Aug 2000, Tobias von Koch wrote:
I think I've found a buffer overflow in procmail from Redhat 6.2 (v3.14 1999/11/22, others not tested).
[snip]
$ /usr/bin/procmail x=`perl -e "print 1x2054"` <Ctrl>-D Segmentation fault You can get root privileges (with some code) now....
The overflow occurs at the following call in asenvcpy() (in misc.c):
strcpy((char*)(sgetcp=buf2),++src);
Notice right before that is a call to setids(). So procmail drops its
privileges before the overflow occurs.
But yikes, what a mess of code to read. Why is the source like this? Is it
optimized for speed of compilation or something?
.
: Aaron Campbell <aaron () cs dal ca> - [ http://www.biodome.org/~fx ]
`-------------------------------------------------------------------
Current thread:
- Buffer overflow in procmail [suid!] Tobias von Koch (Aug 10)
- Re: Buffer overflow in procmail [suid!] Aaron Campbell (Aug 10)
- Re: Buffer overflow in procmail [suid!] Adam Prato (Aug 10)
- Re: Buffer overflow in procmail [suid!] rpc (Aug 10)
- Re: Buffer overflow in procmail [suid!] HD Moore (Aug 14)
- Re: Buffer overflow in procmail [suid!] Michal Zalewski (Aug 14)
- Re: Buffer overflow in procmail [suid!] Michal Zalewski (Aug 10)
- Re: Buffer overflow in procmail [suid!] Martin MOKREJŠ (Aug 14)
- Re: Buffer overflow in procmail [suid!] Aaron Campbell (Aug 10)