Vulnerability Development mailing list archives
Re: Buffer overflow in procmail [suid!]
From: rpc <rpc () INETARENA COM>
Date: Thu, 10 Aug 2000 12:12:28 -0700
tobias,

on debian linux (2.2), procmail does not segfault. also, on redhat 6.1 and 5.0 the user input does not overwrite any registers. for any length of input, the result in gdb is always:

Starting program: /usr/bin/procmail x=`perl -e "print 'A'x8000;"`

Program received signal SIGSEGV, Segmentation fault.
strcpy (dest=0x8057f40 'A' <repeats 200 times>..., src=0x805773a 'A' <repeats 200 times>...) at ../sysdeps/generic/strcpy.c:35
../sysdeps/generic/strcpy.c:35: No such file or directory.
(gdb)

without eip, how did you gain root privs? is this not the case on rh 6.2?

--rpc <h () ckz org>

On Thu, 10 Aug 2000, Tobias von Koch wrote:
> hi,
>
> I think I've found a buffer overflow in procmail from Redhat 6.2 (v3.14 1999/11/22, others not tested).
> Procmail is installed set-uid root and set-gid mail by default:
>
> -rwsr-sr-x 1 root mail 76432 Feb 7 2000 /usr/bin/procmail
>
> First try this:
>
> $ /usr/bin/procmail x=`perl -e "print 1x2053"`
> <Ctrl>-D /* Procmail waits for mail */
> procmail: Exceeded LINEBUF
>
> Procmail recognizes that the line is a bit too long. alright.
> But if you try something bigger than 2053...
>
> $ /usr/bin/procmail x=`perl -e "print 1x2054"`
> <Ctrl>-D
> Segmentation fault
>
> You can get root privileges (with some code) now....
>
> tobias
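The strcpy frame in rpc's gdb trace shows the defect class under discussion: an unbounded copy of a command-line assignment into a fixed-size line buffer. The following is an added illustration, not procmail's own code; the buffer size (LINEBUF, assumed 2048 here) and the function names are assumptions. It shows the length check that has to precede the copy so that an oversize value is rejected with a diagnostic instead of overrunning the buffer.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed buffer size for illustration; procmail's real LINEBUF is not on the page. */
#define LINEBUF 2048

/* Copy the value part of an "x=value" argument into a fixed-size buffer.
 * The unsafe pattern behind the crash above is strcpy(dst, value) with no
 * size check; here the length is checked first.  Returns 0 on success and
 * -1 if there is no '=' or the value (plus its NUL) does not fit, in which
 * case dst is left untouched and the caller should abort with a message. */
int copy_assignment_value(char *dst, size_t dstsz, const char *arg)
{
    const char *eq = strchr(arg, '=');
    if (eq == NULL)
        return -1;
    const char *val = eq + 1;
    size_t len = strlen(val);
    if (len >= dstsz)          /* >= keeps one byte for the terminating NUL */
        return -1;
    memcpy(dst, val, len + 1); /* copies exactly len bytes plus the NUL */
    return 0;
}

/* Helper: build a constructed "x=AAAA..." argument with an n-byte value and
 * report whether the bounded copy accepts it (1) or rejects it (0). */
int accepts_value_of_length(size_t n)
{
    char dst[LINEBUF];
    char *arg = malloc(n + 3);     /* "x=" + n bytes + NUL */
    if (arg == NULL)
        return 0;
    arg[0] = 'x';
    arg[1] = '=';
    memset(arg + 2, 'A', n);
    arg[n + 2] = '\0';
    int ok = copy_assignment_value(dst, sizeof dst, arg) == 0;
    free(arg);
    return ok;
}

int main(int argc, char **argv)
{
    char linebuf[LINEBUF];
    if (argc < 2) {
        fprintf(stderr, "usage: %s x=value\n", argv[0]);
        return 2;
    }
    if (copy_assignment_value(linebuf, sizeof linebuf, argv[1]) != 0) {
        fprintf(stderr, "Exceeded LINEBUF\n"); /* reject, never overrun */
        return 1;
    }
    printf("accepted %zu-byte value\n", strlen(linebuf));
    return 0;
}
```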
Current thread:
- Buffer overflow in procmail [suid!] Tobias von Koch (Aug 10)
- Re: Buffer overflow in procmail [suid!] Aaron Campbell (Aug 10)
- Re: Buffer overflow in procmail [suid!] Adam Prato (Aug 10)
- Re: Buffer overflow in procmail [suid!] rpc (Aug 10)
- Re: Buffer overflow in procmail [suid!] HD Moore (Aug 14)
- Re: Buffer overflow in procmail [suid!] Michal Zalewski (Aug 14)
- Re: Buffer overflow in procmail [suid!] Michal Zalewski (Aug 10)
- Re: Buffer overflow in procmail [suid!] Martin MOKREJŠ (Aug 14)
- Re: Buffer overflow in procmail [suid!] Aaron Campbell (Aug 10)