Date:      Wed, 2 Sep 1998 15:44:29 +1200 (NZST)
From:      Andrew McNaughton <andrew@squiz.co.nz>
To:        dannyman <dannyman@dannyland.org>
Cc:        "'freebsd-isp@FreeBSD.ORG'" <freebsd-isp@FreeBSD.ORG>
Subject:   procmail (was Re: qmail/ezmlm)
Message-ID:  <Pine.BSF.3.96.980902152834.1035A-100000@aniwa.sky>
In-Reply-To: <19980901220129.A2253@enteract.com>

On Tue, 1 Sep 1998, dannyman wrote:

> On Wed, Sep 02, 1998 at 12:12:03PM +1200, Andrew McNaughton wrote:
> 
> > Has anyone investigated the buffer overflow problems in procmail?  I saw a
> > recent message about buffer overflows from the command line which looked
> > to be exploitable.  Not suid, so probably not important.  It would be a
> > different case if these could be reached by a specially constructed email
> > sent to a machine using procmail as a local delivery agent.
> 
> Hadn't heard about that, but I see it's SUID so this concern is extremely
> valid.  Our concern is/was that procmail supposedly reads the entire message
> into memory, which implicates performance issues as well.

You're right, it is suid as installed.  

 $ man procmail
 [...]
       If running suid root or  with  root  privileges,  procmail
       will  be able to perform as a functionally enhanced, back-
       wards compatible mail delivery agent.
 [...]

I've removed the suid bit on my machines since I only use it to organise
stuff into mailboxes on the same account.  

If it's used as a system wide local delivery agent it needs to be root,
but will be invoked as root so doesn't need suid.  I don't see much reason
to run suid/sgid though, particularly while there are buffer overflow
problems.

I haven't yet seen exploit code, but evidence of probable exploitability
was tacked onto stuff about minicom in a BUGTRAQ item on Monday.  I've
confirmed that the registers get corrupted in my version of procmail
(3.11) under FreeBSD (2.2.5).

--------------- Forwarded message follows ----------------
Date: Mon, 31 Aug 1998 11:13:38 +0200
From: "M.C.Mar" <woloszyn@IT.PL>
Reply-To: "M.C.Mar" <emsi@it.com.pl>
To: BUGTRAQ@netspace.org
Subject: Re: Buffer overflows in Minicom 1.80.1

On Sat, 29 Aug 1998, Eduardo Navarro wrote:

> I have found some buffer overflows in Minicom 1.80.1, which comes setuid
> root with Slackware 3.5.  I know that some overflows in other versions of
> minicom (not setuid root) have been discussed, but I think this one is
> "new" and more dangerous.
>
Hi!

I found those overflows about 2 months ago and they do not seem to be
exploitable in an easy way.
Look at this:

woozle:~> gdb ./minicom
[...]
(gdb) r -t /dev/ttyp`perl -e 'print "A" x 9000'`
[...]
Program received signal SIGSEGV, Segmentation fault.
0x400ae057 in strcpy ()
(gdb) backtrace
#0  0x400ae057 in strcpy ()
#1  0xbfffd638 in ?? ()
#2  0x804981e in free ()
[...]
(gdb) x/i 0x400ae057
0x400ae057 <strcpy+19>: movb   %al,(%ecx,%edx,1)
[...]
(gdb) info registers
eax            0x4806dc41       1208409153
[...]

I tried to play with the data to bypass that, but with no success :(
Same with TERM and HOME.


Another interesting thing is that procmail also contains a similar bug:
woozle:~> gdb ./procmail
[...]
(gdb)  r `perl -e 'print "A" x 5000'`
Starting program: /home/emsi/./procmail `perl -e 'print "A" x 5000'`

[You need to type ^D here!!!]

procmail: Couldn't create "/var/spool/mail/emsi"
(no debugging symbols found)...(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0x4008a107 in malloc ()

Interesting, isn't it? But look at this:
(gdb)  r `perl -e 'print "A" x 7000'`
[...]
Starting program: /home/emsi/./procmail `perl -e 'print "A" x 7000'`
procmail: Couldn't create "/var/spool/mail/emsi"

Program received signal SIGSEGV, Segmentation fault.
0x4007dfa3 in strncmp ()

But this time, there is something more interesting:
(gdb) x/i 0x4007dfa3
0x4007dfa3 <strncmp+19>:        lodsb  %ds:(%esi),%al
(gdb) info registers
eax            0x41414141       1094795585
esi            0x41414141       1094795585
ds             0x2b     43

Also malloc looks interesting. While in the case of minicom it seems impossible
to me to exploit it, in the case of procmail it is much more interesting and I
would like to discuss the possibility of exploiting it.
Oh, I almost forgot:
woozle:~> ./procmail -v
procmail v3.10 1994/10/31 written and created by Stephen R. van den Berg
                                berg@pool.informatik.rwth-aachen.de

All has been tested on slackware 3.5.

RegardZ,

Kil3r
--
___________________________________________________________________________
M.C.Mar   An NT server can be run by an idiot, and usually is.
emsi@it.pl
      "If you can't make it good, make it LOOK good." - Bill Gates
  Maybe this isn't the place, but, for example, M$ programs are real monuments to stupidity.
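As an added example, not code from this thread, from procmail or from FreeBSD: a small POSIX sh audit that reports whether a delivery-agent binary carries the setuid/setgid bits and, for the per-user mailbox-sorting setup described above (where the bits are not needed), drops them. The install paths /usr/local/bin/procmail and /usr/bin/procmail are assumptions; adjust them for your system.

```shell
#!/bin/sh
# Added example, not part of the original mailing-list post.
# Audits a mail delivery agent binary for set-id bits and optionally
# drops them. Uses only POSIX test(1) operators (-u, -g) and chmod(1),
# so it runs on FreeBSD and Linux alike.

# Print one of: missing, suid, sgid, suid+sgid, none
setid_status() {
    f="$1"
    [ -e "$f" ] || { echo missing; return 0; }
    if [ -u "$f" ] && [ -g "$f" ]; then
        echo "suid+sgid"
    elif [ -u "$f" ]; then
        echo suid
    elif [ -g "$f" ]; then
        echo sgid
    else
        echo none
    fi
}

# Remove both set-id bits (chmod u-s,g-s) and print the resulting status.
# Returns non-zero if the file is missing or chmod fails.
drop_setid() {
    f="$1"
    [ -e "$f" ] || { echo missing; return 1; }
    chmod u-s,g-s "$f" || return 1
    setid_status "$f"
}

# Audit every path given; print a table and return 1 if any binary is
# still set-id, 0 otherwise (missing paths are reported but not failures).
audit_setid() {
    rc=0
    for f in "$@"; do
        s=$(setid_status "$f")
        printf '%-28s %s\n' "$f" "$s"
        case "$s" in
            suid*|sgid) rc=1 ;;
        esac
    done
    return $rc
}

# When run as a script (rather than sourced), audit the assumed install
# locations. Run drop_setid on the path it reports if the binary is only
# used for sorting mail into the invoking user's own mailboxes.
case "${0##*/}" in
    audit_procmail.sh)
        audit_setid /usr/local/bin/procmail /usr/bin/procmail
        ;;
esac
```

If procmail is the system-wide local delivery agent, the MTA already invokes it as root, so dropping the bits is still appropriate; only leave them in place when unprivileged users genuinely need procmail to write to mailboxes they do not own.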
