Vulnerability Development mailing list archives
bug in procmail (ver 3.14 maybe others?)
From: Ehud Tenenbaum <analyzer () 2xss com>
Date: Sat, 23 Feb 2002 16:10:00 +0200
Hey,
The 2xs Security team discovered a new kind of bug in the procmail program.
root@Analyzer:~# ls -la /usr/bin/procmail
-rwsr-sr-x 1 root mail 73812 Jun 9 2000
/usr/bin/procmail*
root@Analyzer:~#
We have made a few security checks on procmail and here is what we found;
please read carefully and follow the instructions in order to
reproduce:
1: open 2 terminals with regular user permissions.
2: on one of them run gdb /usr/bin/procmail
3: after you run gdb, type:
r -f `perl -e' print "A" x 2000'` -p `perl -e' print "A" x 2000'`
4: go to the other terminal and type ps -xa, search for the procmail
processes and type kill -14 ## of the process which is run by itself,
meaning procmail -f AAAAAAA.... and not the one with gdb in front
of it
5: you will see procmail segfault on your other terminal. Here is what
we got:
Program received signal SIGSEGV, Segmentation fault.
0x8051fd6 in strcpy () at ../sysdeps/generic/strcpy.c:30
30 ../sysdeps/generic/strcpy.c: No such file or directory.
(gdb)
The weird thing is that it segfaults only with SIGALRM (signal 14).
We don't yet understand why exactly it's happening; it could be a problem
with the libraries handling the SIGALRM.
We have attached a temporary patch; the author was notified (srb () cuci nl) on
Thu, 21 Feb 2002 02:12:10 +0200 but there has been no response.
This bug was tested on Red Hat 6.2 and Slackware 7.1 and found by the
2xs Security team:
Ehud Tenenbaum <analyzer () 2xss com> CTO & Project manager.
Izik Kotler <izik () 2xss com> Senior programmer.
Mixter <mixter () 2xss com> Senior programmer.
acz QA tester.
--- procmail-3.14/src/pipes.c.old Thu Feb 21 01:11:42 2002
+++ procmail-3.14/src/pipes.c Thu Feb 21 01:11:44 2002
@@ -41,7 +41,7 @@
void ftimeout P((void))
{ alarm(0);alrmtime=0;toutflag=1;nlog("Timeout, "); /* careful,
killing */
elog(pidchild>0&&!kill(pidchild,SIGTERM)?"terminating":"was waiting
for");
- logqnl(lastexec);signal(SIGALRM,(void(*)())ftimeout);
+ if (lastexec !=
NULL)logqnl(lastexec);signal(SIGALRM,(void(*)())ftimeout);
}
void resettmout P((void))
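Review bot: the NULL guard on lastexec only covers the case the report hit (SIGALRM delivered before any command was recorded, so logqnl(lastexec) passes a NULL pointer down to strcpy); the handler still formats and writes log text through nlog(), elog() and logqnl() from signal context, so an alarm landing in the middle of an interrupted log write is the same class of hazard, and the safer shape is for ftimeout to set toutflag and re-arm only, leaving the "Timeout, ... was waiting for" logging to the main loop once it sees the flag. As posted, the hunk will also not apply: the mailer has wrapped the `elog(...)` line and the new `+ if (lastexec !=` line across two physical lines, so the continuation `NULL)logqnl(lastexec);...` has no leading `+`; resend the patch as an attachment. Style: the new `if` shares a line with the unconditional `signal(SIGALRM, ...)` re-arm, which reads as if the re-arm were conditional; put the guarded call in braces on its own line.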
--
------------
Ehud Tenenbaum
C.T.O & Project Manager
2xs LTD.
Tel: 972-9-9519980
Fax: 972-9-9519982
E-Mail: ehud () 2xss com
------------
Have A Safe Day
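Added example, not code from the post or from procmail: a minimal C reconstruction of the handler pattern behind this crash, a SIGALRM handler that logs a "last command" pointer which is still NULL when the alarm arrives early, written in the hardened form (NULL-guarded, bounded copies, write(2)-only logging). The names lastexec, toutflag and ftimeout mirror the patch; timeout_message, the "(no command yet)" text and the sample path are assumptions.

```c
#include <signal.h>
#include <string.h>
#include <unistd.h>
/* Reconstructed handler pattern from the report (names are assumptions, not
 * procmail's code): lastexec is NULL until the first child is started, the
 * state in which the unchecked logqnl(lastexec) reached strcpy() and crashed. */
static const char *lastexec = NULL;
static volatile sig_atomic_t toutflag = 0;
/* Build the timeout line into buf (size n): NULL-guarded and bounded, using
 * only memcpy/strlen (on POSIX's async-signal-safe list) instead of
 * strcpy/strcat. Returns bytes written, excluding the terminator. */
static size_t timeout_message(char *buf, size_t n, const char *le)
{
    static const char head[] = "Timeout, was waiting for ";
    const char *tail = le ? le : "(no command yet)";   /* the NULL case */
    size_t hl = sizeof head - 1, tl = strlen(tail), out;
    if (n == 0) return 0;
    if (hl > n - 1) hl = n - 1;
    memcpy(buf, head, hl);
    out = hl;
    if (tl > n - 1 - out) tl = n - 1 - out;
    memcpy(buf + out, tail, tl);
    out += tl;
    buf[out] = '\0';
    return out;
}

/* Hardened SIGALRM handler: cancel the alarm, flag the main loop, and log
 * with write(2), which is async-signal-safe; no stdio, no unbounded copies. */
static void ftimeout(int sig)
{
    char msg[128];
    size_t len;
    (void)sig;
    alarm(0);
    toutflag = 1;
    len = timeout_message(msg, sizeof msg, lastexec);
    msg[len] = '\n';
    (void)write(STDERR_FILENO, msg, len + 1);
}

int main(void)
{
    signal(SIGALRM, ftimeout);
    raise(SIGALRM);                 /* fires before any command: lastexec NULL */
    lastexec = "/usr/bin/formail";  /* constructed sample value */
    raise(SIGALRM);
    return toutflag ? 0 : 1;
}
```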
Current thread:
- bug in procmail (ver 3.14 maybe others?) Ehud Tenenbaum (Feb 23)
- re: bug in procmail (ver 3.14 maybe others?) Philip Guenther (Feb 24)
- Re: bug in procmail (ver 3.14 maybe others?) Philip Guenther (Feb 24)
- Re: bug in procmail (ver 3.14 maybe others?) Philip Guenther (Feb 25)
- Re: bug in procmail (ver 3.14 maybe others?) Valdis . Kletnieks (Feb 25)
