Re: procmail heap overflow

From: KF (dotslashat_private)
Date: Tue Jun 18 2002 - 21:46:29 PDT

Next message: Syzop: "Re: ISS Advisory: Remote Compromise Vulnerability in Apache HTTP Server"

Previous message: qobaiashi: "Re: Apache Worm?"
In reply to: SpaceWalker: "Re: procmail heap overflow"
Next in thread: Ryan W. Maple: "Re: procmail heap overflow"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

I believe we (one of our researchers "dvdman") were messing with this a 
few months back ... we never finished up out research ... heres what I 
found in an old strace log...

-KF


malloc(86)                                        = 0x0805e0c0
memmove(0x0805e0c4, 0x0805c9c8, 82, 1, 4096)      = 0x0805e0c4
strchr("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"..., '=') = "=a"
setregid(506, -1, 0xbfffd355, 0x08056314, 0xbfffd355) = 0
setreuid(506, -1, 0xbfffd355, 0x08056314, 0xbfffd355) = 0
setuid(506)                                       = 0
setegid(506, -1, 0xbfffd355, 0x08056314, 0xbfffd355) = 0
strncpy(0x0805c9c8, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"..., 10000) = 
0x0805c9c8
strlen(0x080577b1, 0x40192620, 0xbfffd048, 0x400de1de, 0) = 8
malloc(81)                                        = 0x0805e120
memmove(0x0805e120, 0x080577b1, 8, 0x400de1de, 0) = 0x0805e120
strlen(0x08057d68, 0x080577b1, 8, 0x400de1de, 0)  = 2
memmove(0x0805e128, 0x08057d68, 2, 0x400de1de, 0) = 0x0805e128
strlen(0x08057811, 0x08057d68, 2, 0x400de1de, 0)  = 17
memmove(0x0805e12a, 0x08057811, 17, 0x400de1de, 0) = 0x0805e12a
write(2, "procmail: Exceeded LINEBUF\n", 27)      = 27
strchr("PROCMAIL_OVERFLOW=yes", '=')              = "=yes"
strncmp("PROCMAIL_OVERFLOW=yes", "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"..., 
17) = 15strncmp("PROCMAIL_OVERFLOW=yes", 
"EOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOF"..., 
17 <unfinished ...>
--- SIGSEGV (Segmentation fault) ---
+++ killed by SIGSEGV +++

-KF


SpaceWalker wrote:

>$ procmail -v
>procmail v3.15.1 2001/01/08
>$ procmail `perl -e '{print "A"x10240}'`=A
>wait indefinitively
>Doesn't seem to segfault on my system, I'm running base slackware 8 on x86.
>
>On Wed, 19 Jun 2002 02:38:08 +0200
>flatline <flatlineat_private> wrote:
>
>>hi,
>>
>>i found a heap overflow in procmail (up until latest) some time ago.
>>
>>flatline@intra:/usr/bin$ ls -la procmail
>>-rwsr-xr-x    1 root     mail        64344 Jun  3  2001 procmail*
>>flatline@intra:/usr/bin$ ./procmail `perl -e '{print "A"x10240}'`=A
>>procmail: Exceeded LINEBUF
>>Segmentation fault
>>flatline@intra:/usr/bin$
>>
>>at first it seemed to properly drop privs before segging, but not too long 
>>ago i managed to make it crash while it still had euid 0.
>>segfaults have been seen on red hat/slackware linux and bsd variants. 
>>successful exploitation has not been verified.
>>
>>/ flatline
>>
>>greets fly out to fc, zeno, xistence, thewolf, #gold, #!xpc and everyone 
>>who felt left out.
>>
>
>

Next message: Syzop: "Re: ISS Advisory: Remote Compromise Vulnerability in Apache HTTP Server"
Previous message: qobaiashi: "Re: Apache Worm?"
In reply to: SpaceWalker: "Re: procmail heap overflow"
Next in thread: Ryan W. Maple: "Re: procmail heap overflow"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Jun 19 2002 - 11:16:31 PDT