procmail

Re: Buffer overflow in procmail [suid!]

2000-08-14 01:25:44
Tobias von Koch <tvk(_at_)WELTCHARTS(_dot_)DE> writes:
> I think I've found a buffer overflow in procmail from Redhat 6.2 (v3.14
> 1999/11/22, others not tested).
...
> First try this:
>
> $ /usr/bin/procmail x=`perl -e "print 1x2053"`
> <Ctrl>-D      /* Procmail waits for mail */
> procmail: Exceeded LINEBUF
>
> Procmail recognizes that the line is a bit too long. Alright.
> But if you try something bigger than 2053...
>
> $ /usr/bin/procmail x=`perl -e "print 1x2054"`
> <Ctrl>-D
> Segmentation fault
>
> You can get root privileges (with some code) now....

Procmail drops its root privileges as soon as it sees the assignment on
the command line and before it performs the copy that overflows, so this
overflow cannot be used to get root privileges.

The unchecked copy was fixed in the beta version of procmail (v3.15pre)
on 2000/06/23.


Philip Guenther
Procmail Maintainer
bug(_at_)procmail(_dot_)org


_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
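
The ordering described in the reply above (give up set-uid privileges first, then copy the command-line assignment with a length check), as an added example that is not part of the original message and is not procmail's source. The names `drop_privileges` and `copy_assignment` and the value of `LINEBUF_SIZE` are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define LINEBUF_SIZE 2048   /* assumed value, not procmail's actual constant */

/* Permanently return to the invoking user's ids: group first, then user. */
int drop_privileges(void)
{
    gid_t rgid = getgid();
    uid_t ruid = getuid();
    if (setgid(rgid) != 0 || setuid(ruid) != 0)
        return -1;
    /* Verify: a set-uid program must not continue if the drop did not take. */
    if (geteuid() != ruid || getegid() != rgid)
        return -1;
    /* A non-root invoker must not be able to get root back afterwards. */
    if (ruid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

/* Copy a "name=value" argument into buf. Anything that does not fit,
 * terminating NUL included, is rejected instead of written past the end. */
int copy_assignment(char *buf, size_t bufsize, const char *arg)
{
    size_t len = strlen(arg);

    if (strchr(arg, '=') == NULL)
        return -2;                  /* not an assignment */
    if (len >= bufsize)
        return -1;                  /* too long: caller reports and skips it */
    memcpy(buf, arg, len + 1);
    return 0;
}

int main(int argc, char **argv)
{
    static char linebuf[LINEBUF_SIZE];
    if (drop_privileges() != 0) {   /* before any untrusted argument is copied */
        fprintf(stderr, "cannot drop privileges\n");
        return 1;
    }
    for (int i = 1; i < argc; i++)
        if (copy_assignment(linebuf, sizeof linebuf, argv[i]) == -1)
            fprintf(stderr, "argument %d exceeds line buffer, ignored\n", i);
    return 0;
}
```

The privilege drop limits what a memory-safety bug in later argument handling can reach, and the length check removes the unchecked copy itself; the two are independent layers.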
