"Felix Tilley" <ftilley(_at_)azstarnet(_dot_)com> writes:
> I got this from a former admin at Goodnet.com. I must point out that
> Goodnet has since re-installed Procmail v3.10.
> ...
> printf("helo\n");
> printf("mail from: %s%s\n", padding, large_string);
> }
Ah, yes, this one.
1) The included program appears to try to overflow the envelope sender
buffer in sendmail, not procmail. They should check their version
of sendmail and upgrade to the latest.
2) The fact that procmail is setuid root doesn't matter in this case,
given that sendmail will invoke it as root anyway (if it's set to
be the local mailer in the sendmail.cf). Heck, if you don't use
mailfilter mode with rcfiles under /etc/procmailrcs/, then you can
probably remove the setuid bit from procmail, as for most mail setups,
that's the only time it needs it.
3) procmail version 3.10 is *less* safe: it allows local users to elicit
buffer overflows in their rcfiles, and if they extract information from
e-mail messages and then expand it in their rcfile, they may be subject
to remote exploits. Note that procmail drops root privileges before
reading a user's .procmailrc file, so they can't get root that way.
If procmail is setgid mail, or the mail spool directory has the setgid
bit set, then they could theoretically get access to that group.
Going back to version 3.10 is a Bad Idea.
4) procmail doesn't have, and to the best of my knowledge never has had,
a buffer overflow in the processing of the -f argument, which is
where the overflow would have to be for the above program to have
any effect on procmail (assuming the bogus data got all the way
through sendmail (ha!)).
If you don't believe the latter, try it:
perl -e 'exec "procmail", "-f", ("A"x100000), "-d", "your-login"' < message
Note that procmail doesn't coredump when you try the above, and that
your mailspool now contains a message with a huge "From " line. Beware,
such a "From " line may crash broken mail clients!
So, I think the entire discussion of procmail in the message describing
the exploit is a red herring to make an old sendmail exploit sound
more exciting.
If you think you've found a buffer overflow in procmail, please
e-mail any and all information to either bug(_at_)procmail(_dot_)org or
procmail-dev(_at_)procmail(_dot_)org, the latter being the development mailing
list.
Philip Guenther
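An added audit helper, not from this thread, that turns points 2 and 3 of the reply into a check an admin can run: it reports whether a procmail binary carries setuid/setgid bits and whether the spool directory is setgid, and flags the setuid bit as probably unnecessary when no /etc/procmailrcs/ directory exists. The paths in the final call are assumptions.

```shell
#!/bin/sh
# Added audit helper (not from the original thread).  Reports the privilege
# bits the reply says matter for a procmail install.  Paths are assumptions.

# has_bit PATH MASK -> prints "yes" or "no".  MASK is an octal find(1)
# permission mask, e.g. 4000 for setuid, 2000 for setgid.  -prune makes a
# directory be tested itself rather than descended into.
has_bit() {
    path=$1; mask=$2
    if [ -e "$path" ] && [ -n "$(find "$path" -prune -perm -"$mask" 2>/dev/null)" ]; then
        echo yes
    else
        echo no
    fi
}

# procmail_audit BIN RCDIR SPOOL -> prints one finding per line and returns
# the number of findings (0 = nothing to report).  Logic follows the reply:
#  - setuid root on the binary is only needed for mailfilter mode with
#    rcfiles under RCDIR (/etc/procmailrcs/); sendmail runs it as root anyway
#  - setgid on the binary, or on the spool directory, exposes that group to
#    any bug a local user can reach through their own rcfile
procmail_audit() {
    bin=$1; rcdir=$2; spool=$3; n=0
    if [ "$(has_bit "$bin" 4000)" = yes ] && [ ! -d "$rcdir" ]; then
        echo "FINDING: $bin is setuid but $rcdir does not exist; setuid is probably unnecessary"
        n=$((n+1))
    fi
    if [ "$(has_bit "$bin" 2000)" = yes ]; then
        echo "FINDING: $bin is setgid; rcfile-driven bugs could expose that group"
        n=$((n+1))
    fi
    if [ "$(has_bit "$spool" 2000)" = yes ]; then
        echo "FINDING: spool directory $spool is setgid; same group-exposure concern"
        n=$((n+1))
    fi
    return "$n"
}

# Example run against a typical layout (assumed paths; adjust to the system).
if procmail_audit /usr/bin/procmail /etc/procmailrcs /var/mail; then
    echo "no findings"
else
    echo "findings: $?"
fi
```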