Re: Buffer overflow in procmail [suid!]

[Michal Zalewski <lcamtuf () DIONE IDS PL>]

On Thu, 10 Aug 2000, rpc wrote:

> tobias,
>
> on debian linux (2.2), procmail does not segfault.
>
> also, on redhat 6.1, and 5.0 the user input does not overwrite any
> registers.
>
> for any length of input, the result in gdb is always:
>
> Starting program: /usr/bin/procmail x=`perl -e "print 'A'x8000;"`

There are two different possibilities (aka crash-points). One occours with
x=blahblah, and second occours in blahblah=x (both at different buffer
sizes). Both aren't exploitable in easy way (we spend some time on it
already), but probably it's possible. Anyway, you won't gain root
privledges for sure - only, in some cases, you'll be able to gain saved
uid mail.

> without eip, how did you gain root privs? is this not the case on rh
> 6.2?

First of all, no root privledges. Second, it's possible to take control
over program without overwriting ret addr.

_______________________________________________________
Michal Zalewski [lcamtuf () tpi pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=-----=> God is real, unless declared integer. <=-----=