Vulnerability Development mailing list archives
Re: Buffer overflow in procmail [suid!]
From: Michal Zalewski <lcamtuf () DIONE IDS PL>
Date: Fri, 11 Aug 2000 11:03:51 +0200
On Thu, 10 Aug 2000, rpc wrote:
> Tobias, on Debian Linux (2.2), procmail does not segfault. Also, on Red Hat 6.1 and 5.0 the user input does not overwrite any registers. For any length of input, the result in gdb is always: Starting program: /usr/bin/procmail x=`perl -e "print 'A'x8000;"`
There are two different possibilities (aka crash-points). One occurs with x=blahblah, and the second occurs in blahblah=x (both at different buffer sizes). Neither is exploitable in an easy way (we have spent some time on it already), but it's probably possible. Anyway, you won't gain root privileges for sure - only, in some cases, you'll be able to gain saved uid mail.
> Without eip, how did you gain root privs? Is this not the case on RH 6.2?
First of all, no root privileges. Second, it's possible to take control over the program without overwriting the ret addr.

_______________________________________________________
Michal Zalewski [lcamtuf () tpi pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=-----=> God is real, unless declared integer. <=-----=
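The thread is about a setuid program that copies the value of a `NAME=VALUE` command-line argument into a fixed-size buffer, with the crash point moving as the value length changes. The C below is an added, constructed illustration of that bug class and its fix; it is not procmail's code, and `handle_assignment_unsafe`, `handle_assignment_safe` and `VALUE_MAX` are names and sizes chosen for this example only. The unsafe function is included for contrast and is never called on the long input.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define VALUE_MAX 64   /* constructed buffer size for this example */

/* Vulnerable pattern (constructed for this example, not procmail's code):
 * everything after '=' in an argument such as "x=AAAA..." is copied into a
 * fixed-size stack buffer with no bound. An 8000-byte value, as in the
 * quoted gdb command line, overruns the buffer; which neighbouring data is
 * clobbered (locals, saved registers, return address) depends on the frame
 * layout, which is why the crash point shifts with the buffer size.
 * Kept here only for contrast; do not call it with untrusted input. */
int handle_assignment_unsafe(const char *arg)
{
    char value[VALUE_MAX];
    const char *eq = strchr(arg, '=');
    if (eq == NULL)
        return -1;
    strcpy(value, eq + 1);          /* unbounded copy: stack overflow */
    return (int)strlen(value);
}

/* Hardened form: the value length is checked against the destination before
 * anything is copied, and an oversized value is rejected with an error
 * return rather than silently truncated, so the caller can refuse the
 * argument outright (the safer choice for a setuid program). */
int handle_assignment_safe(const char *arg, char *out, size_t outlen)
{
    const char *eq;
    size_t vlen;

    if (arg == NULL || out == NULL || outlen == 0)
        return -1;
    eq = strchr(arg, '=');
    if (eq == NULL)
        return -1;                  /* not of the form NAME=VALUE */
    vlen = strlen(eq + 1);
    if (vlen >= outlen)
        return -2;                  /* value plus NUL does not fit: reject */
    memcpy(out, eq + 1, vlen + 1);  /* copy including the terminating NUL */
    return (int)vlen;
}

/* Stand-alone driver: feeds each argv entry through the hardened parser. */
int main(int argc, char **argv)
{
    char value[VALUE_MAX];
    int i;

    for (i = 1; i < argc; i++) {
        int rc = handle_assignment_safe(argv[i], value, sizeof value);
        if (rc < 0)
            fprintf(stderr, "rejected argument %d (rc=%d)\n", i, rc);
        else
            printf("argument %d: value of length %d accepted\n", i, rc);
    }
    return 0;
}
```

Built as `cc -o assign assign.c`, running `./assign x=`perl -e "print 'A'x8000;"`` prints a rejection instead of crashing, because the length check runs before the copy. The design point is that the check is on the caller-supplied destination size, not on a constant that can drift out of sync with the buffer declaration.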
Current thread:
- Buffer overflow in procmail [suid!] Tobias von Koch (Aug 10)
- Re: Buffer overflow in procmail [suid!] Aaron Campbell (Aug 10)
- Re: Buffer overflow in procmail [suid!] Adam Prato (Aug 10)
- Re: Buffer overflow in procmail [suid!] rpc (Aug 10)
- Re: Buffer overflow in procmail [suid!] HD Moore (Aug 14)
- Re: Buffer overflow in procmail [suid!] Michal Zalewski (Aug 14)
- Re: Buffer overflow in procmail [suid!] Michal Zalewski (Aug 10)
- Re: Buffer overflow in procmail [suid!] Martin MOKREJŠ (Aug 14)
- Re: Buffer overflow in procmail [suid!] Aaron Campbell (Aug 10)