Re: Buffer overflow in procmail [suid!]

[Adam Prato <sirsyko () MERGIOO ISHIBOO COM>]

On Thu, Aug 10, 2000 at 12:19:25PM -0300, Aaron Campbell wrote:
> On Thu, 10 Aug 2000, Tobias von Koch wrote:
>
> > I think I've found a buffer overflow in procmail from Redhat 6.2 (v3.14
> > 1999/11/22, others not tested).
>
> [snip]
>
> > $ /usr/bin/procmail x=`perl -e "print 1x2054"`
> >  <Ctrl>-D
> > Segmentation fault
> >
> > You can get root privileges (with some code) now....
>
> The overflow occurs at the following call in asenvcpy() (in misc.c):
>
>       strcpy((char*)(sgetcp=buf2),++src);
>
> Notice right before that is a call to setids(). So procmail drops its
> privileges before the overflow occurs.
>
> But yikes, what a mess of code to read. Why is the source like this? Is it
> optimized for speed of compilation or something?

cant reproduce this on *bsd either.

> > You can get root privileges (with some code) now....

did you actually try?

<ss>