
procmail / Sendmail - five bugs (fwd)

1999-12-20 10:03:22
Found this bug alert on the bugtraq mailing list. Thought someone may be
interested.


---------- Forwarded message ----------
Date: Thu, 23 Dec 1999 11:55:52 +0100
From: Michal Zalewski <lcamtuf@ids.pl>
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: procmail / Sendmail - five bugs

Hope you won't be angry about the cross-post :) This mail discusses five
interesting vulnerabilities in Berkeley Sendmail and the 'procmail' utility. I
think it's good to let you know - but don't panic - at least for now, we
are too lazy and we have no idea if any of these holes can be exploited -
that's why I'm sending it to VULN-DEV as well, to give some ideas to
young, brilliant hackers around :)

1. procmail

Months ago, we found a problem with the LINEBUF variable defined in
.procmailrc files. By setting it to arbitrary values - e.g. negative or
extremely large ones - we're able to at least overwrite memory locations
with a zero value (used to properly terminate the string buffer; unfortunately
there's no range checking on signed int arithmetic in C ;). Actually, it
splits into two vulnerabilities:

a) On some glibc 2.0 machines (e.g. RedHat), malloc(negative_integer) won't
result in EINVAL, but in a valid pointer, for which malloc_usable_size()
returns a size of 12 bytes. Heap overflows possible? Hmm, at least SEGVs in
procmail :)

b) With glibc 2.0/2.1, there's also some way to overwrite memory with '\0'
due to the lack of range checking and signed<->unsigned integer conversion.
Nasty memory hacking required to exploit it.
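The integer behaviour the post describes, as an added example that is not part of the original message and not procmail or glibc source. It models a 32-bit target and reconstructs the old Doug Lea request2size rounding (SIZE_SZ, MALLOC_ALIGN_MASK, MINSIZE and the signed comparison are assumptions about that allocator's macros, not taken from the post), shows why a negative or very large LINEBUF handed to malloc comes back as a 16-byte chunk with 12 usable bytes instead of NULL, where the terminating '\0' would land, and the range check that a hardened config parser applies before any conversion to size_t. The LINEBUF_MIN/LINEBUF_MAX limits are made up for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed constants for a 32-bit build of the era's Doug Lea malloc. */
#define SIZE_SZ           4u   /* size of the chunk size field */
#define MALLOC_ALIGN_MASK 7u   /* 8-byte alignment */
#define MINSIZE           16u  /* smallest chunk */

/* Old request2size (assumption about its exact form): add the header and
 * alignment slack, then round. The "too small" test is done on a signed
 * cast, so a request near the top of the address space wraps to a tiny
 * or negative value and is bumped up to MINSIZE instead of being rejected. */
uint32_t old_request2size(uint32_t req) {
    uint32_t r = req + SIZE_SZ + MALLOC_ALIGN_MASK;   /* unsigned wrap is defined */
    if ((int32_t)r < (int32_t)(MINSIZE + MALLOC_ALIGN_MASK))
        return MINSIZE;
    return r & ~MALLOC_ALIGN_MASK;
}

/* Usable bytes in a chunk: everything except the size field. */
uint32_t old_usable_size(uint32_t chunk_size) {
    return chunk_size - SIZE_SZ;
}

/* What a signed LINEBUF looks like once it reaches malloc's size_t
 * parameter on a 32-bit machine: the implicit conversion, nothing more. */
uint32_t linebuf_as_request(int32_t linebuf) {
    return (uint32_t)linebuf;
}

/* Toy line reader: the terminating '\0' goes to buf[linebuf - 1]. With a
 * hostile value the index is far outside the 12-byte chunk. The write is
 * not performed here; the offset is returned so a caller can see it. */
long terminator_offset(int32_t linebuf) {
    return (long)linebuf - 1;
}

/* Hardened parser: bound the value while it is still a wide signed type,
 * before anything is cast to size_t or used as an index. Limits are
 * invented for this example. */
#define LINEBUF_MIN 128L
#define LINEBUF_MAX (1L << 20)

int checked_linebuf(long value, size_t *out) {
    if (value < LINEBUF_MIN || value > LINEBUF_MAX)
        return -1;          /* reject: would wrap or exhaust memory */
    *out = (size_t)value;
    return 0;
}

int main(void) {
    int32_t samples[] = { -1, -5, INT32_MIN, 0x7FFFFFF8, 4096 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t req = linebuf_as_request(samples[i]);
        uint32_t chunk = old_request2size(req);
        size_t ok = 0;
        int accepted = checked_linebuf(samples[i], &ok) == 0;
        printf("LINEBUF=%11d -> request 0x%08x -> chunk %u (usable %u), "
               "'\\0' at offset %ld, hardened parser %s\n",
               samples[i], req, chunk, old_usable_size(chunk),
               terminator_offset(samples[i]),
               accepted ? "accepts" : "rejects");
    }
    return 0;
}
```

Every negative LINEBUF, and any positive one within 11 of INT32_MAX, lands on the MINSIZE branch, which is why the post sees a valid pointer with 12 usable bytes rather than an error; the fix is the range check on the signed value, not anything done after the cast.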

