Vulnerability Development mailing list archives

Re: Buffer overflow in procmail [suid!]


From: rpc <rpc () INETARENA COM>
Date: Thu, 10 Aug 2000 12:12:28 -0700

tobias,

on debian linux (2.2), procmail does not segfault.

also, on redhat 6.1, and 5.0 the user input does not overwrite any
registers.

for any length of input, the result in gdb is always:

Starting program: /usr/bin/procmail x=`perl -e "print 'A'x8000;"`

Program received signal SIGSEGV, Segmentation fault.
strcpy (dest=0x8057f40 'A' <repeats 200 times>...,
    src=0x805773a 'A' <repeats 200 times>...) at
../sysdeps/generic/strcpy.c:35
../sysdeps/generic/strcpy.c:35: No such file or directory.
(gdb)

without eip, how did you gain root privs? is this not the case on rh 6.2?

--rpc <h () ckz org>

On Thu, 10 Aug 2000, Tobias von Koch wrote:

> hi,
>
> I think I've found a buffer overflow in procmail from Redhat 6.2 (v3.14
> 1999/11/22, others not tested).
>
> Procmail is installed set-uid root and set-gid mail by default:
> -rwsr-sr-x    1 root     mail        76432 Feb  7  2000 /usr/bin/procmail
>
> First try this:
>
> $ /usr/bin/procmail x=`perl -e "print 1x2053"`
>  <Ctrl>-D      /* Procmail waits for mail */
> procmail: Exceeded LINEBUF
>
> Procmail recognizes that the line is a bit too long. Alright.
> But if you try something bigger than 2053...
>
> $ /usr/bin/procmail x=`perl -e "print 1x2054"`
>  <Ctrl>-D
> Segmentation fault
>
> You can get root privileges (with some code) now....
>
> tobias
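The thread shows the classic shape of this bug class: a length check that fires for one input size and a copy (here the `strcpy` in the gdb backtrace) that still runs on a larger one. The C below is an added illustration of that boundary and of a bounded copy that refuses oversized input before any copy happens. It is not procmail's code and not from the thread; the `LINEBUF` value of 64, the function names and the repeated-character inputs are all constructed for this example.

```c
#include <assert.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical buffer size for this illustration; procmail's real LINEBUF
 * value is not taken from the thread and is not claimed here. */
#define LINEBUF 64

enum { COPY_OK = 0, COPY_TOO_LONG = -1 };

/* Off-by-one predicate: a LINEBUF-byte array holds at most LINEBUF-1
 * characters plus the terminating NUL. Accepting len == LINEBUF means a
 * later strcpy would write one byte past the end of the buffer. */
int check_allows_len_buggy(size_t len) { return len > LINEBUF ? 0 : 1; }

/* Correct predicate: only lengths that fit together with their NUL. */
int check_allows_len_fixed(size_t len) { return len < LINEBUF ? 1 : 0; }

/* Bounded copy of a "name=value" style argument into a fixed buffer.
 * The check and the copy use the same bound, and the only way to reach
 * the copy is through the check, so no path copies an unchecked length.
 * Returns COPY_TOO_LONG instead of copying when the input cannot fit. */
int copy_line_bounded(char dest[LINEBUF], const char *src) {
    size_t len = strlen(src);
    if (!check_allows_len_fixed(len))
        return COPY_TOO_LONG;        /* the "Exceeded LINEBUF" style path */
    memcpy(dest, src, len + 1);      /* length verified; NUL included */
    return COPY_OK;
}

/* Builds a constructed input of n repeated characters, mirroring the
 * perl -e "print 1xN" arguments used in the thread. buf must hold n+1. */
void fill_repeated(char *buf, size_t n, char c) {
    memset(buf, c, n);
    buf[n] = '\0';
}

int main(void) {
    char dest[LINEBUF];
    char input[LINEBUF + 16];
    size_t sizes[] = { LINEBUF - 1, LINEBUF, LINEBUF + 1, LINEBUF + 10 };

    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        fill_repeated(input, sizes[i], 'A');
        int rc = copy_line_bounded(dest, input);
        printf("len %4zu: buggy check accepts=%d, fixed check accepts=%d, copy=%s\n",
               sizes[i], check_allows_len_buggy(sizes[i]),
               check_allows_len_fixed(sizes[i]),
               rc == COPY_OK ? "ok" : "rejected");
    }
    return 0;
}
```

The point to take from the two predicates is that the check must be derived from the destination size including the terminator, and every copy into that buffer must sit behind the same check; a second code path that reaches the copy without it reproduces exactly the crash shown in the gdb output above.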