Vulnerability Development: Buffer overflow in procmail [suid!]

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Vulnerability Development mailing list archives

Buffer overflow in procmail [suid!]

From: Tobias von Koch <tvk () WELTCHARTS DE>
Date: Thu, 10 Aug 2000 15:52:59 +0200

hi,

I think I've found a buffer overflow in procmail from Redhat 6.2 (v3.14
1999/11/22, others not tested).

Procmail is installed set-uid root and set-gid mail by default:
-rwsr-sr-x    1 root     mail        76432 Feb  7  2000 /usr/bin/procmail

First try this:

$ /usr/bin/procmail x=`perl -e "print 1x2053"`
 <Ctrl>-D      /* Procmail waits for mail */
procmail: Exceeded LINEBUF

Procmail recognizes that the line is a bit too long. alright.
But if you try something bigger than 2053...

$ /usr/bin/procmail x=`perl -e "print 1x2054"`
 <Ctrl>-D
Segmentation fault

You can get root privileges (with some code) now....

tobias

By Date By Thread

Current thread:

Buffer overflow in procmail [suid!] Tobias von Koch (Aug 10)
- Re: Buffer overflow in procmail [suid!] Aaron Campbell (Aug 10)
  - Re: Buffer overflow in procmail [suid!] Adam Prato (Aug 10)
- Re: Buffer overflow in procmail [suid!] rpc (Aug 10)
  - Re: Buffer overflow in procmail [suid!] HD Moore (Aug 14)
  - Re: Buffer overflow in procmail [suid!] Michal Zalewski (Aug 14)