procmail heap overflow

• Previous message: Doesnt Matter: "Apache Worm?"
• Next in thread: SpaceWalker: "Re: procmail heap overflow"
• Reply: SpaceWalker: "Re: procmail heap overflow"
• Reply: Ryan W. Maple: "Re: procmail heap overflow"
• Reply: Przemyslaw Frasunek: "Re: procmail heap overflow"
• Reply: kam: "Re: procmail heap overflow"
• Reply: Peter Mueller: "RE: procmail heap overflow"
• Reply: Wodahs Latigid: "RE: procmail heap overflow"
• Reply: Skot: "Re: procmail heap overflow"
• Reply: Peter Mueller: "RE: procmail heap overflow"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

hi,

i found a heap overflow in procmail (up until latest) some time ago.

flatline@intra:/usr/bin$ ls -la procmail
-rwsr-xr-x    1 root     mail        64344 Jun  3  2001 procmail*
flatline@intra:/usr/bin$ ./procmail `perl -e '{print "A"x10240}'`=A
procmail: Exceeded LINEBUF
Segmentation fault
flatline@intra:/usr/bin$

at first it seemed to properly drop privs before segging, but not too long 
ago i managed to make it crash while it still had euid 0.
segfaults have been seen on red hat/slackware linux and bsd variants. 
successful exploitation has not been verified.

/ flatline

greets fly out to fc, zeno, xistence, thewolf, #gold, #!xpc and everyone 
who felt left out.

• Next message: Replugge[ROD]: "Re: Apache Worm?"
• Previous message: Doesnt Matter: "Apache Worm?"
• Next in thread: SpaceWalker: "Re: procmail heap overflow"
• Reply: SpaceWalker: "Re: procmail heap overflow"
• Reply: Ryan W. Maple: "Re: procmail heap overflow"
• Reply: Przemyslaw Frasunek: "Re: procmail heap overflow"
• Reply: kam: "Re: procmail heap overflow"
• Reply: Peter Mueller: "RE: procmail heap overflow"
• Reply: Wodahs Latigid: "RE: procmail heap overflow"
• Reply: Skot: "Re: procmail heap overflow"
• Reply: Peter Mueller: "RE: procmail heap overflow"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Jun 19 2002 - 00:47:25 PDT