Vulnerability Development mailing list archives

Re: Buffer overflow in procmail [suid!]
From: Michal Zalewski <lcamtuf () DIONE IDS PL>
Date: Fri, 11 Aug 2000 11:03:51 +0200

On Thu, 10 Aug 2000, rpc wrote:

> Tobias,
>
> On Debian Linux (2.2), procmail does not segfault.
>
> Also, on Red Hat 6.1 and 5.0 the user input does not overwrite any
> registers.
>
> For any length of input, the result in gdb is always:
>
> Starting program: /usr/bin/procmail x=`perl -e "print 'A'x8000;"`

There are two different possibilities (aka crash-points). One occurs with
x=blahblah, and the second occurs in blahblah=x (both at different buffer
sizes). Both aren't exploitable in an easy way (we spent some time on it
already), but probably it's possible. Anyway, you won't gain root
privileges for sure - only, in some cases, you'll be able to gain saved
uid mail.

> Without EIP, how did you gain root privs? Is this not the case on RH
> 6.2?

First of all, no root privileges. Second, it's possible to take control
over the program without overwriting the ret addr.

_______________________________________________________
Michal Zalewski [lcamtuf () tpi pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=-----=> God is real, unless declared integer. <=-----=

