Vulnerability Development mailing list archives
Re: Buffer overflow in procmail [suid!]
From: Adam Prato <sirsyko () MERGIOO ISHIBOO COM>
Date: Thu, 10 Aug 2000 15:34:40 -0400
On Thu, Aug 10, 2000 at 12:19:25PM -0300, Aaron Campbell wrote:
> On Thu, 10 Aug 2000, Tobias von Koch wrote:
> > I think I've found a buffer overflow in procmail from Redhat 6.2 (v3.14 1999/11/22, others not tested).
> > [snip]
> > $ /usr/bin/procmail x=`perl -e "print 1x2054"`
> > <Ctrl>-D
> > Segmentation fault
> > You can get root privileges (with some code) now....
>
> The overflow occurs at the following call in asenvcpy() (in misc.c):
>
>     strcpy((char*)(sgetcp=buf2),++src);
>
> Notice right before that is a call to setids(). So procmail drops its privileges before the overflow occurs. But yikes, what a mess of code to read. Why is the source like this? Is it optimized for speed of compilation or something?
Can't reproduce this on *bsd either.

> You can get root privileges (with some code) now....

Did you actually try? <ss>
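As an added illustration (not procmail's code, not from any poster in this thread): the unbounded strcpy pattern Aaron quotes from asenvcpy(), reduced to a stand-alone function, next to a length-checked replacement that rejects an oversized `x=...` assignment instead of overrunning the buffer. BUFLEN, the function names and the test input builder are assumptions; only the 2054-byte value shape comes from the original report.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUFLEN 128  /* assumed fixed buffer size; not procmail's actual constant */

/* Constructed stand-in for the quoted misc.c pattern: copy everything after '='
 * into a fixed buffer with no length check. Shown only to exhibit the defect;
 * calling it with a value of BUFLEN or more bytes overruns buf2. */
static char buf2[BUFLEN];

void asenvcpy_unchecked(const char *src)
{
    const char *eq = strchr(src, '=');
    if (eq == NULL) return;
    strcpy(buf2, eq + 1);  /* overflow for values longer than BUFLEN-1 */
}

/* Hardened form: refuse assignments whose value cannot fit (with terminator).
 * Returns 0 on success, -1 if the argument is malformed or too long. */
int asenvcpy_checked(char *dst, size_t dstlen, const char *src)
{
    const char *eq = strchr(src, '=');
    if (eq == NULL || dstlen == 0) return -1;
    size_t vlen = strlen(eq + 1);
    if (vlen >= dstlen) return -1;  /* would not leave room for '\0' */
    memcpy(dst, eq + 1, vlen + 1);
    return 0;
}

/* Builds "x=" followed by n copies of '1', the shape of the reported argument
 * (constructed test input; caller frees). */
char *make_assignment(size_t n)
{
    char *s = malloc(n + 3);
    if (s == NULL) return NULL;
    s[0] = 'x';
    s[1] = '=';
    memset(s + 2, '1', n);
    s[n + 2] = '\0';
    return s;
}

int main(void)
{
    char out[BUFLEN];
    char *arg = make_assignment(2054);
    printf("2054-byte value: %s\n",
           asenvcpy_checked(out, sizeof out, arg) == 0 ? "accepted" : "rejected");
    printf("short value:     %s\n",
           asenvcpy_checked(out, sizeof out, "x=hello") == 0 ? "accepted" : "rejected");
    free(arg);
    return 0;
}
```

The checked version does not change what setids() guarantees about privilege; it only prevents the segmentation fault (and any memory corruption) for long values.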
Current thread:
- Buffer overflow in procmail [suid!] Tobias von Koch (Aug 10)
- Re: Buffer overflow in procmail [suid!] Aaron Campbell (Aug 10)
- Re: Buffer overflow in procmail [suid!] Adam Prato (Aug 10)
- Re: Buffer overflow in procmail [suid!] rpc (Aug 10)
- Re: Buffer overflow in procmail [suid!] HD Moore (Aug 14)
- Re: Buffer overflow in procmail [suid!] Michal Zalewski (Aug 14)
- Re: Buffer overflow in procmail [suid!] Michal Zalewski (Aug 10)
- Re: Buffer overflow in procmail [suid!] Martin MOKREJŠ (Aug 14)
- Re: Buffer overflow in procmail [suid!] Aaron Campbell (Aug 10)