From owner-freebsd-isp Tue Sep 1 20:46:20 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id UAA26377 for freebsd-isp-outgoing; Tue, 1 Sep 1998 20:46:20 -0700 (PDT) (envelope-from owner-freebsd-isp@FreeBSD.ORG)
Received: from aniwa.sky (aniwa.actrix.gen.nz [203.96.56.186]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id UAA26348 for ; Tue, 1 Sep 1998 20:46:16 -0700 (PDT) (envelope-from andrew@squiz.co.nz)
Received: from localhost (andrew@localhost) by aniwa.sky (8.8.7/8.8.7) with SMTP id PAA01435; Wed, 2 Sep 1998 15:44:30 +1200 (NZST) (envelope-from andrew@squiz.co.nz)
Date: Wed, 2 Sep 1998 15:44:29 +1200 (NZST)
From: Andrew McNaughton
X-Sender: andrew@aniwa.sky
Reply-To: andrew@squiz.co.nz
To: dannyman
cc: "'freebsd-isp@FreeBSD.ORG'"
Subject: procmail (was Re: qmail/ezmlm)
In-Reply-To: <19980901220129.A2253@enteract.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 1 Sep 1998, dannyman wrote:

> On Wed, Sep 02, 1998 at 12:12:03PM +1200, Andrew McNaughton wrote:
>
> > Has anyone investigated the buffer overflow problems in procmail? I saw a
> > recent message about buffer overflows from the command line which looked
> > to be exploitable. Not suid, so probably not important. It would be a
> > different case if these could be reached by a specially constructed email
> > sent to a machine using procmail as a local delivery agent.
>
> Hadn't heard about that, but I see it's SUID so this concern is extremely
> valid. Our concern is/was that procmail supposedly reads the entire message
> into memory, which implicates performance issues as well.

You're right, it is suid as installed.

$ man procmail
[...]
       If running suid root or with root privileges, procmail will be
       able to perform as a functionally enhanced, backwards compatible
       mail delivery agent.
[...]

I've removed the suid bit on my machines since I only use it to organise
stuff into mailboxes on the same account. If it's used as a system-wide
local delivery agent it needs to be root, but will be invoked as root so
doesn't need suid. I don't see much reason to run suid/sgid though,
particularly while there are buffer overflow problems.

I haven't yet seen exploit code, but evidence of probable exploitability
was tacked onto stuff about minicom in a BUGTRAQ item on Monday. I've
confirmed that the registers get corrupted in my version of procmail
(3.11) under FreeBSD (2.2.5).

--------------- Forwarded message follows ----------------

Date: Mon, 31 Aug 1998 11:13:38 +0200
From: "M.C.Mar"
Reply-To: "M.C.Mar"
To: BUGTRAQ@netspace.org
Subject: Re: Buffer overflows in Minicom 1.80.1

On Sat, 29 Aug 1998, Eduardo Navarro wrote:

> I have found some buffer overflows in Minicom 1.80.1 which comes setuid
> root with Slackware 3.5. I know that some overflows were discussed in
> other versions of minicom (not setuid root) but I think it's "new" and
> more dangerous.

Hi!

I found those overflows about 2 months ago and they do not seem to be
exploitable in an easy way. Look at this:

woozle:~> gdb ./minicom
[...]
(gdb) r -t /dev/ttyp`perl -e 'print "A" x 9000'`
[...]
Program received signal SIGSEGV, Segmentation fault.
0x400ae057 in strcpy ()
(gdb) backtrace
#0  0x400ae057 in strcpy ()
#1  0xbfffd638 in ?? ()
#2  0x804981e in free ()
[...]
(gdb) x/i 0x400ae057
0x400ae057 :    movb %al,(%ecx,%edx,1)
[...]
(gdb) info registers
eax            0x4806dc41       1208409153
[...]

I tried to play with the data to bypass that, but with no success :(
Same with TERM and HOME.

Another interesting thing is that procmail also contains a similar bug:

woozle:~> gdb ./procmail
[...]
(gdb) r `perl -e 'print "A" x 5000'`
Starting program: /home/emsi/./procmail `perl -e 'print "A" x 5000'`
[You need to type ^D here!!!]
procmail: Couldn't create "/var/spool/mail/emsi"
(no debugging symbols found)...(no debugging symbols found)...

Program received signal SIGSEGV, Segmentation fault.
0x4008a107 in malloc ()

Interesting, isn't it? But look at this:

(gdb) r `perl -e 'print "A" x 7000'`
[...]
Starting program: /home/emsi/./procmail `perl -e 'print "A" x 7000'`
procmail: Couldn't create "/var/spool/mail/emsi"

Program received signal SIGSEGV, Segmentation fault.
0x4007dfa3 in strncmp ()

But this time, there is something more interesting:

(gdb) x/i 0x4007dfa3
0x4007dfa3 :    lodsb %ds:(%esi),%al
(gdb) info registers
eax            0x41414141       1094795585
esi            0x41414141       1094795585
ds             0x2b     43

Also malloc looks interesting. As in the case of minicom it seems impossible
to me to exploit it, in the case of procmail it is much more interesting and
I would like to discuss the possibility of exploiting it.

Oh, I almost forgot:

woozle:~> ./procmail -v
procmail v3.10 1994/10/31
written and created by Stephen R. van den Berg
berg@pool.informatik.rwth-aachen.de

All has been tested on Slackware 3.5.

RegardZ,
Kil3r

--
___________________________________________________________________________
M.C.Mar                 An NT server can be run by an idiot, and usually is.
emsi@it.pl        "If you can't make it good, make it LOOK good." - Bill Gates
Maybe this isn't the place, but, for example, M$ programs are veritable
monuments to stupidity.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message
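The gdb sessions above end with esi holding 0x41414141, which proves the argument reached a register but says nothing about which byte of the 7000 "A"s got there. The standard next step is to replace `perl -e 'print "A" x N'` with a non-repeating cyclic pattern so the register value maps back to an exact offset. The following is an added example written for this page, not code from the thread or from procmail; it uses the same upper/lower/digit alphabet as Metasploit's pattern_create tool, and the 4-byte default width matches the 32-bit x86 registers shown in the thread (pass width=8 for x86-64).

```python
"""Cyclic-pattern helper for locating the overwrite offset behind a crash
like the procmail one above.  Added example, not code from the thread."""
from typing import Optional, Union
import string
import sys

UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
# 26 * 26 * 10 three-byte chunks = 20280 bytes before the pattern repeats.
MAX_UNIQUE = len(UPPER) * len(LOWER) * len(DIGITS) * 3


def pattern_create(length: int) -> bytes:
    """Return `length` bytes of the pattern Aa0Aa1Aa2...Aa9Ab0Ab1...

    Within the first MAX_UNIQUE bytes every 4-byte window is unique, so a
    register that ends up holding four consecutive pattern bytes identifies
    the offset in the argument that overwrote it."""
    if length < 0 or length > MAX_UNIQUE:
        raise ValueError(f"length must be 0..{MAX_UNIQUE}, got {length}")
    out = bytearray()
    for u in UPPER:
        for lo in LOWER:
            for d in DIGITS:
                out += (u + lo + d).encode("ascii")
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])


def pattern_offset(value: Union[int, bytes], length: int, width: int = 4,
                   little_endian: bool = True) -> Optional[int]:
    """Map a crash-time register value back to its offset in the pattern.

    `value` is the integer gdb printed (e.g. 0x64413364) or the raw bytes.
    Returns the byte offset of that window inside pattern_create(length), or
    None if the window never occurs there (0x41414141 from "A" x N never does,
    which is exactly why the plain-"A" run tells you nothing)."""
    if isinstance(value, int):
        if value < 0 or value >= (1 << (8 * width)):
            raise ValueError("value does not fit in the register width")
        needle = value.to_bytes(width, "little" if little_endian else "big")
    else:
        needle = bytes(value)
    idx = pattern_create(length).find(needle)
    return idx if idx >= 0 else None


if __name__ == "__main__":
    # python3 pattern.py 7000            -> prints the pattern for gdb's `r`
    # python3 pattern.py 7000 0x64413364 -> prints the offset that value came from
    n = int(sys.argv[1])
    if len(sys.argv) > 2:
        print(pattern_offset(int(sys.argv[2], 0), n))
    else:
        sys.stdout.write(pattern_create(n).decode("ascii"))
```

Inside gdb the argument becomes `r $(python3 pattern.py 7000)`; the pattern contains only letters and digits, so no shell quoting is needed. Once `info registers` shows a value other than 0x41414141 in esi or eax, feed it back with the second form to learn which argument offset landed there, which is the number you need before any discussion of exploitability can go further.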
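The practical advice in the thread is to check whether procmail (or anything else) is installed setuid and to clear the bit where the binary is only sorting mail on the caller's own account. The following audit is an added example written for this page, not code from the thread or from procmail: it does the equivalent of `find DIR -perm -4000 -o -perm -2000` and then `chmod u-s,g-s`. The ALLOWLIST of binaries assumed to genuinely need the bit is an illustrative assumption, not a recommendation.

```python
"""Audit and strip setuid/setgid bits on installed executables.
Added example, not code from the thread; ALLOWLIST contents are assumed."""
import os
import stat
from typing import Dict, Iterable, Tuple

# Assumption for illustration: names that legitimately keep their bit.
ALLOWLIST = frozenset({"passwd", "su", "sudo"})


def privilege_bits(mode: int) -> Tuple[bool, bool]:
    """Decode (setuid, setgid) from an st_mode value."""
    return bool(mode & stat.S_ISUID), bool(mode & stat.S_ISGID)


def audit(dirs: Iterable[str], allowlist=ALLOWLIST) -> Dict[str, Tuple[bool, bool]]:
    """Walk `dirs` and return {path: (suid, sgid)} for every regular file
    carrying either bit whose basename is not on the allowlist.

    Symlinks are not followed: the bit on the target is what matters, and the
    target is reached when its own directory is walked."""
    found: Dict[str, Tuple[bool, bool]] = {}
    for top in dirs:
        for root, _subdirs, filenames in os.walk(top):
            for name in filenames:
                path = os.path.join(root, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue  # vanished or unreadable; nothing to report
                if not stat.S_ISREG(st.st_mode):
                    continue  # the kernel ignores these bits on non-regular files
                suid, sgid = privilege_bits(st.st_mode)
                if (suid or sgid) and name not in allowlist:
                    found[path] = (suid, sgid)
    return found


def strip_privilege_bits(path: str) -> Tuple[bool, bool]:
    """chmod u-s,g-s on `path` and return the bits afterwards."""
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        raise ValueError(f"{path} is not a regular file")
    os.chmod(path, stat.S_IMODE(st.st_mode) & ~(stat.S_ISUID | stat.S_ISGID))
    return privilege_bits(os.lstat(path).st_mode)


if __name__ == "__main__":
    import sys
    # Assumed default search path; pass directories on the command line to override.
    targets = sys.argv[1:] or ["/usr/local/bin", "/usr/bin"]
    for p, (u, g) in sorted(audit(targets).items()):
        print(f"{'u' if u else '-'}{'g' if g else '-'}  {p}")
```

Run it as root only when you intend to strip bits; the audit itself needs nothing beyond read access to the directories. The caveat from the thread still applies: if procmail is the system-wide local delivery agent the MTA invokes it as root anyway, so stripping the bit costs nothing there either, but a per-user `.forward` that calls procmail for delivery to a spool the user cannot write will break without the bit.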