procmail heap overflow

From: flatline (flatlineat_private)
Date: Tue Jun 18 2002 - 17:38:08 PDT


    Hi,
    
    I found a heap overflow in procmail (up until the latest version) some time ago.
    
    flatline@intra:/usr/bin$ ls -la procmail
    -rwsr-xr-x    1 root     mail        64344 Jun  3  2001 procmail*
    flatline@intra:/usr/bin$ ./procmail `perl -e '{print "A"x10240}'`=A
    procmail: Exceeded LINEBUF
    Segmentation fault
    flatline@intra:/usr/bin$
    
    At first it seemed to properly drop privs before segging, but not too long 
    ago I managed to make it crash while it still had euid 0.
    Segfaults have been seen on Red Hat/Slackware Linux and BSD variants. 
    Successful exploitation has not been verified.
    
    / flatline
    
    greets fly out to fc, zeno, xistence, thewolf, #gold, #!xpc and everyone 
    who felt left out.
    
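    The post gives the trigger (an overlong `name=value` argument to a setuid-root binary, the "Exceeded LINEBUF" message, then a segfault that can land while euid is still 0) but not procmail's internals. The following is an added example, not procmail's source and not flatline's code: a model of that bug class in C, a fixed-size heap line buffer receiving a variable assignment, next to a bounded version that rejects the argument before any copy happens, and the privilege drop that a setuid program should perform before it parses attacker-controlled argv. LINEBUF's value, the function names and the sample inputs are assumptions chosen for the illustration.

```c
/* Added example, not procmail's code. Models a fixed-size heap line buffer
 * (LINEBUF) receiving a "name=value" argument, beside a bounded version and
 * the privilege drop that should precede any parsing of untrusted argv in
 * a setuid binary. LINEBUF, the names and the sample inputs are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define LINEBUF 2048   /* hypothetical fixed line-buffer size */

/* Bug pattern: the chunk is sized by a compile-time constant, the copy is
 * bounded only by the attacker's argument. A 10240-byte "AAAA...=A" overruns
 * the heap chunk; whether that is a clean segfault or silent allocator
 * corruption depends on what follows the chunk. Shown for the shape of the
 * defect only; do not call it with untrusted input. */
int assign_unbounded(const char *arg)
{
    char *line = malloc(LINEBUF);
    if (!line) return -1;
    const char *eq = strchr(arg, '=');
    if (!eq) { free(line); return -1; }
    strcpy(line, arg);        /* no length check: heap overflow when strlen(arg) >= LINEBUF */
    line[eq - arg] = '\0';    /* split name / value */
    free(line);
    return 0;
}

/* Hardened version: check before copying, never after. Returns 0 on
 * success, -1 on a malformed assignment, -2 when it would exceed LINEBUF
 * or the caller's buffers. */
int assign_bounded(const char *arg, char *name, size_t name_sz,
                   char *value, size_t value_sz)
{
    size_t len = strlen(arg);
    if (len >= LINEBUF)
        return -2;            /* report "Exceeded LINEBUF" and stop; nothing was copied */
    const char *eq = strchr(arg, '=');
    if (!eq || eq == arg)
        return -1;            /* no '=' or empty name */
    size_t nlen = (size_t)(eq - arg);
    size_t vlen = len - nlen - 1;
    if (nlen >= name_sz || vlen >= value_sz)
        return -2;
    memcpy(name, arg, nlen);  name[nlen] = '\0';
    memcpy(value, eq + 1, vlen); value[vlen] = '\0';
    return 0;
}

/* In a setuid binary, argv must be parsed after this, not before: the same
 * crash with euid 0 is a root bug, as the real user it is just a crash.
 * Returns 0 once the effective ids equal the real ids. */
int drop_privileges(void)
{
    if (setgid(getgid()) != 0) return -1;
    if (setuid(getuid()) != 0) return -1;
    if (geteuid() != getuid() || getegid() != getgid()) return -1;
    return 0;
}

/* Constructed test input in the style of the post: n 'A's followed by "=A". */
char *make_overlong_arg(size_t n)
{
    char *s = malloc(n + 3);
    if (!s) return NULL;
    memset(s, 'A', n);
    s[n] = '='; s[n + 1] = 'A'; s[n + 2] = '\0';
    return s;
}

int main(int argc, char **argv)
{
    char name[LINEBUF], value[LINEBUF];
    if (drop_privileges() != 0) { perror("drop_privileges"); return 1; }
    for (int i = 1; i < argc; i++) {
        int rc = assign_bounded(argv[i], name, sizeof name, value, sizeof value);
        if (rc == -2)      fprintf(stderr, "Exceeded LINEBUF\n");
        else if (rc == -1) fprintf(stderr, "bad assignment: %s\n", argv[i]);
        else               printf("%s <- %s\n", name, value);
    }
    return 0;
}
```

    Run as `./a.out "$(perl -e 'print "A"x10240')=A"` it prints "Exceeded LINEBUF" and exits cleanly, because the length check happens before any copy; the unbounded variant would have already written past its 2048-byte heap chunk by the time the same message could be printed. The other half of the fix is ordering: whatever parsing a setuid program does on argv should run after the effective uid has been dropped, so that a residual crash is at worst a crash as the invoking user.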
    This archive was generated by hypermail 2b30 : Wed Jun 19 2002 - 00:47:25 PDT