Vulnerability Development
mailing list archives
Re: Buffer overflow in procmail [suid!]
From: rpc <rpc () INETARENA COM>
Date: Thu, 10 Aug 2000 12:12:28 -0700
tobias,
on debian linux (2.2), procmail does not segfault.
also, on redhat 6.1 and 5.0 the user input does not overwrite any registers.
for any length of input, the result in gdb is always:
Starting program: /usr/bin/procmail x=`perl -e "print 'A'x8000;"`
Program received signal SIGSEGV, Segmentation fault.
strcpy (dest=0x8057f40 'A' <repeats 200 times>...,
src=0x805773a 'A' <repeats 200 times>...) at
../sysdeps/generic/strcpy.c:35
../sysdeps/generic/strcpy.c:35: No such file or directory.
(gdb)
without eip, how did you gain root privs? is this not the case on rh 6.2?
--rpc <h () ckz org>
On Thu, 10 Aug 2000, Tobias von Koch wrote:
hi,
I think I've found a buffer overflow in procmail from Redhat 6.2 (v3.14
1999/11/22, others not tested).
Procmail is installed set-uid root and set-gid mail by default:
-rwsr-sr-x 1 root mail 76432 Feb 7 2000 /usr/bin/procmail
First try this:
$ /usr/bin/procmail x=`perl -e "print 1x2053"`
<Ctrl>-D /* Procmail waits for mail */
procmail: Exceeded LINEBUF
Procmail recognizes that the line is a bit too long. Alright.
But if you try something bigger than 2053...
$ /usr/bin/procmail x=`perl -e "print 1x2054"`
<Ctrl>-D
Segmentation fault
You can get root privileges (with some code) now....
tobias
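The crash described in the thread is the classic shape of a fixed-buffer overflow in a setuid program: one code path enforces the line limit ("Exceeded LINEBUF") while another copies the argument with an unchecked strcpy, which is where gdb stops. The following C program is an added illustration, not code from this thread or from procmail itself: it parses an `x=value` argument into fixed buffers and refuses any name or value longer than the limit before a single byte is copied. The constant LINEBUF (set here to 2053, the largest length the post shows being accepted), the names `assignment_t`, `parse_assignment`, `unchecked_copy` and `make_arg`, and the return codes are all assumptions made for the example; procmail's real constants and internals are not given on the page.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed limit for this example only (matches the accepted length in the
 * post); procmail's actual LINEBUF value is not stated on the page. */
#define LINEBUF 2053

typedef struct {
    char name[LINEBUF + 1];   /* +1 for the terminating NUL */
    char value[LINEBUF + 1];
} assignment_t;

enum { ASSIGN_OK = 0, ASSIGN_TOO_LONG = -1, ASSIGN_MALFORMED = -2 };

/* The defective pattern for contrast (never called here): the destination
 * has a fixed size but strcpy copies until it finds a NUL in the source,
 * so an 8000-byte argument runs past the end of buf. */
static void unchecked_copy(const char *arg)
{
    char buf[LINEBUF + 1];
    strcpy(buf, arg);   /* no length check: overflow for long arg */
    (void)buf;
}

/* Hardened form: measure first, reject anything over the limit, then copy
 * exactly the verified number of bytes and terminate explicitly. */
int parse_assignment(const char *arg, assignment_t *out)
{
    const char *eq = strchr(arg, '=');
    if (eq == NULL || eq == arg)          /* needs "name=value", non-empty name */
        return ASSIGN_MALFORMED;

    size_t name_len = (size_t)(eq - arg);
    size_t value_len = strlen(eq + 1);
    if (name_len > LINEBUF || value_len > LINEBUF)
        return ASSIGN_TOO_LONG;           /* the "Exceeded LINEBUF" case */

    memcpy(out->name, arg, name_len);
    out->name[name_len] = '\0';
    memcpy(out->value, eq + 1, value_len);
    out->value[value_len] = '\0';
    return ASSIGN_OK;
}

/* Constructed input: "x=" followed by n copies of '1', mirroring the
 * perl one-liner in the post. Caller frees the result. */
char *make_arg(size_t n)
{
    char *s = malloc(n + 3);
    if (s == NULL)
        return NULL;
    s[0] = 'x';
    s[1] = '=';
    memset(s + 2, '1', n);
    s[n + 2] = '\0';
    return s;
}

int main(void)
{
    static const size_t lengths[] = { 2053, 2054, 8000 };
    assignment_t a;

    for (size_t i = 0; i < sizeof lengths / sizeof lengths[0]; i++) {
        char *arg = make_arg(lengths[i]);
        if (arg == NULL)
            return 1;
        int rc = parse_assignment(arg, &a);
        printf("value length %zu -> %s\n", lengths[i],
               rc == ASSIGN_OK ? "accepted" :
               rc == ASSIGN_TOO_LONG ? "rejected: exceeded LINEBUF" : "malformed");
        free(arg);
    }
    (void)unchecked_copy;   /* shown for contrast, deliberately not executed */
    return 0;
}
```

The point of the check is that the length test and the copy use the same bound and the same measured length, so there is no second path on which an overlong argument reaches a fixed buffer unexamined.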