Vulnerability Development
mailing list archives
Re: Buffer overflow in procmail [suid!]
From: Aaron Campbell <aaron () CS DAL CA>
Date: Thu, 10 Aug 2000 12:19:25 -0300
On Thu, 10 Aug 2000, Tobias von Koch wrote:
> I think I've found a buffer overflow in procmail from Redhat 6.2 (v3.14
> 1999/11/22, others not tested).
> [snip]
> $ /usr/bin/procmail x=`perl -e "print 1x2054"`
> <Ctrl>-D
> Segmentation fault
> You can get root privileges (with some code) now....
The overflow occurs at the following call in asenvcpy() (in misc.c):
strcpy((char*)(sgetcp=buf2),++src);
Notice right before that is a call to setids(). So procmail drops its
privileges before the overflow occurs.
But yikes, what a mess of code to read. Why is the source like this? Is it
optimized for speed of compilation or something?
.
: Aaron Campbell <aaron () cs dal ca> - [ http://www.biodome.org/~fx ]
`-------------------------------------------------------------------
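The pattern the reply describes, as an added example that is not procmail's code: a fixed scratch buffer standing in for buf2, the unbounded strcpy past the '=' beside a bounded version that rejects oversized values, and a privilege drop modelled on the setids()-before-copy ordering Aaron points out. The buffer size, the function names and the simple strchr-based parsing are assumptions for illustration, not values taken from misc.c.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Hypothetical stand-in for procmail's buf2: a fixed-size scratch buffer.
   The size is an assumption for this example, not procmail's real value. */
#define BUF2_SIZE 2048
static char buf2[BUF2_SIZE];

/* Vulnerable pattern as described in the thread: src points at "name=value",
   the copy starts one past the '=' and strcpy() writes an attacker-chosen
   value into a fixed buffer with no length check. Only safe while
   strlen(value) < BUF2_SIZE; a longer value overruns buf2. */
const char *asenvcpy_unbounded(const char *src)
{
    const char *eq = strchr(src, '=');
    if (!eq)
        return NULL;
    strcpy(buf2, eq + 1);   /* overflow if the value does not fit */
    return buf2;
}

/* Hardened form: measure first, refuse values that do not fit (including the
   terminating NUL), then copy with an explicit bound. Returns 0 on success. */
int asenvcpy_bounded(const char *src, char *dst, size_t dstsz)
{
    const char *eq = strchr(src, '=');
    if (!eq)
        return -1;
    size_t len = strlen(eq + 1);
    if (len >= dstsz)
        return -1;
    memcpy(dst, eq + 1, len + 1);
    return 0;
}

/* Mirror of the ordering the reply points out: give up set-uid/set-gid
   privilege before touching untrusted input, so that a later overflow runs
   as the invoking user. Returns 0 once effective ids match the real ids. */
int drop_privs_before_parse(void)
{
    if (setgid(getgid()) != 0 || setuid(getuid()) != 0)
        return -1;
    return (geteuid() == getuid() && getegid() == getgid()) ? 0 : -1;
}

int main(int argc, char **argv)
{
    char out[BUF2_SIZE];
    /* Constructed default input when no argument is given. */
    const char *arg = argc > 1 ? argv[1] : "x=hello";

    if (drop_privs_before_parse() != 0) {
        fprintf(stderr, "could not drop privileges\n");
        return 1;
    }
    if (asenvcpy_bounded(arg, out, sizeof out) != 0) {
        fprintf(stderr, "rejected: value does not fit in %zu bytes\n",
                sizeof out);
        return 1;
    }
    printf("copied: %s\n", out);
    return 0;
}
```

Run it as `./a.out "x=$(perl -e 'print 1x2054')"` to see the bounded path reject the same input that segfaults the strcpy version; the unbounded function is kept only to show the shape of the bug and should not be fed a long value.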