bug in procmail (ver 3.14 maybe others?)

From: Ehud Tenenbaum (analyzerat_private)
Date: Sat Feb 23 2002 - 06:10:00 PST


    Hey,
    
    The 2xs Security team discovered a new kind of bug in the procmail program.
    
    root@Analyzer:~# ls -la /usr/bin/procmail
    -rwsr-sr-x   1 root     mail        73812 Jun  9  2000
    /usr/bin/procmail*
    root@Analyzer:~# 
    
    We have made a few security checks on procmail and here is what we found;
    please read carefully and follow the instructions in order to
    reproduce:
    
    1: open 2 terminals with regular user permissions.
    2: on one of them run gdb /usr/bin/procmail
    3: after you run the gdb, type:
       r -f `perl -e' print "A" x 2000'` -p `perl -e' print "A" x 2000'`
    4: go to the other terminal and type ps -xa, search for the procmail
       processes and type kill -14 ## of the process which is run by itself,
       meaning procmail -f AAAAAAA.... and not the one with the gdb in front
       of it
    5: you will see on your other terminal procmail segfault. Here is what
       we got:
    Program received signal SIGSEGV, Segmentation fault.
    0x8051fd6 in strcpy () at ../sysdeps/generic/strcpy.c:30
    30      ../sysdeps/generic/strcpy.c: No such file or directory.
    (gdb)
    
    The weird thing is that it segfaults only with SIGALRM (signal 14);
    we do not yet understand why exactly it's happening, it could be a problem
    with the libraries handling the SIGALRM.
    
    We have attached a temporary patch; the author has been notified (srbat_private)
    Thu, 21 Feb 2002 02:12:10 +0200 but there has been no response.
    
    
    This bug was tested on Red Hat 6.2 and Slackware 7.1 and found by the
    2xs Security team:
    Ehud Tenenbaum <analyzerat_private> CTO & Project manager.
    Izik Kotler <izikat_private> Senior programmer.
    Mixter <mixterat_private> Senior programmer.
    acz QA tester.
    
    --- procmail-3.14/src/pipes.c.old       Thu Feb 21 01:11:42 2002
    +++ procmail-3.14/src/pipes.c   Thu Feb 21 01:11:44 2002
    @@ -41,7 +41,7 @@
     void ftimeout P((void))
     { alarm(0);alrmtime=0;toutflag=1;nlog("Timeout, ");     /* careful,
    killing */
       elog(pidchild>0&&!kill(pidchild,SIGTERM)?"terminating":"was waiting
    for");
    -  logqnl(lastexec);signal(SIGALRM,(void(*)())ftimeout);
    +  if (lastexec !=
    NULL)logqnl(lastexec);signal(SIGALRM,(void(*)())ftimeout);
     }
    
     void resettmout P((void))
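    Review bot: the `if (lastexec != NULL)` guard keeps logqnl() from being handed a NULL lastexec, which matches the strcpy() fault in the gdb output above, but it only treats the symptom: lastexec is evidently still unset when the alarm arrives, so consider not arming SIGALRM before lastexec is assigned, or initialising lastexec to a fixed string so the "was waiting for" log line still names something. Two smaller points: as pasted, the changed line is wrapped across two lines (`if (lastexec !=` / `NULL)logqnl(lastexec);signal(...)`), so this patch will not apply cleanly until the wrapping is undone, and the handler still calls nlog()/elog()/logqnl() from signal context, which deserves a comment on whether those are safe to call from a handler.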
    
    
    
    -- 
    ------------
    Ehud Tenenbaum
    C.T.O & Project Manager 
    2xs LTD. 
    Tel: 972-9-9519980
    Fax: 972-9-9519982
    E-Mail: ehudat_private
    ------------ 
                                     Have A Safe Day
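As an added illustration (not the 2xs patch and not procmail's code), a constructed C model of the timeout handler described above: the vulnerable shape that strcpy()s an unset `lastexec`, beside a hardened version that applies the patch's NULL check and additionally bounds the copy. The buffer size, the function names and the `(no program yet)` marker are assumptions made for this example.

```c
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Constructed model of procmail's timeout path (not procmail's code).
 * lastexec names the program most recently spawned and stays NULL until
 * the first child runs; the SIGALRM handler logs it either way. */
#define LOGSZ 64
static char logbuf[LOGSZ];
static const char *lastexec = NULL;

/* Vulnerable shape: strcpy() straight from lastexec into the log.
 * With lastexec still NULL this is the strcpy() fault in the gdb output. */
void ftimeout_vulnerable(void)
{
    strcpy(logbuf, "Timeout, was waiting for ");
    strcpy(logbuf + strlen(logbuf), lastexec);   /* NULL dereference */
}

/* Hardened shape: substitute a fixed marker when no program has run yet
 * (the patch's NULL check) and bound the copy so an over-long name cannot
 * overrun logbuf (an extra the patch does not add).
 * Returns 1 if a real program name was logged, 0 if the marker was used.
 * Caveat: snprintf() is not async-signal-safe; a production handler should
 * only set a flag and leave formatting to the main loop. */
int ftimeout_hardened(void)
{
    const char *what = lastexec ? lastexec : "(no program yet)";
    snprintf(logbuf, LOGSZ, "Timeout, was waiting for %s", what);
    return lastexec != NULL;
}

/* Hooks so a caller can set what the handler sees and read the log. */
void set_lastexec(const char *name) { lastexec = name; }
const char *last_log(void) { return logbuf; }

static void on_alarm(int sig) { (void)sig; ftimeout_hardened(); }

int main(void)
{
    /* Alarm fires before any child has been spawned, as in the report:
     * the hardened handler survives; ftimeout_vulnerable() would segfault. */
    signal(SIGALRM, on_alarm);
    alarm(1);
    pause();
    puts(logbuf);
    return 0;
}
```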
    