bug in procmail (ver 3.14 maybe others?)
From: Ehud Tenenbaum (analyzer@2xss.com)
Date: 02/23/02
- Previous message: Crist J. Clark: "Re: [Fwd: Help needed with bufferoverflow in cvs]"
- Next in thread: Philip Guenther: "re: bug in procmail (ver 3.14 maybe others?)"
- Reply: Philip Guenther: "re: bug in procmail (ver 3.14 maybe others?)"
- Reply: Philip Guenther: "Re: bug in procmail (ver 3.14 maybe others?)"
- Reply: Philip Guenther: "Re: bug in procmail (ver 3.14 maybe others?)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sat, 23 Feb 2002 16:10:00 +0200 From: Ehud Tenenbaum <analyzer@2xss.com> To: vuln-dev@securityfocus.com
Hey,
The 2xs Security team discovered a new kind of bug in the procmail program.
root@Analyzer:~# ls -la /usr/bin/procmail
-rwsr-sr-x 1 root mail 73812 Jun 9 2000 /usr/bin/procmail*
root@Analyzer:~#
We have made a few security checks on procmail and here is what we found;
please read carefully and follow the instructions in order to
reproduce:
1: open 2 terminals with regular user permissions.
2: on one of them run gdb /usr/bin/procmail
3: after you run gdb, type:
r -f `perl -e' print "A" x 2000'` -p `perl -e' print "A" x 2000'`
4: go to the other terminal and type ps -xa, search for the procmail
processes and type kill -14 <pid> of the process which runs by itself,
meaning procmail -f AAAAAAA.... and not the one with gdb in front
of it.
5: you will see on your other terminal procmail segfault. Here is what
we got:
Program received signal SIGSEGV, Segmentation fault.
0x8051fd6 in strcpy () at ../sysdeps/generic/strcpy.c:30
30 ../sysdeps/generic/strcpy.c: No such file or directory.
(gdb)
The weird thing is that it segfaults only with SIGALRM (signal 14);
we do not yet understand why exactly it is happening, it could be a problem
with the libraries handling the SIGALRM.
We have attached a temporary patch; the author has been notified (srb@cuci.nl) on
Thu, 21 Feb 2002 02:12:10 +0200 but there has been no response.
This bug was tested on Red Hat 6.2 and Slackware 7.1 and found by the
2xs Security team:
Ehud Tenenbaum <analyzer@2xss.com> CTO & Project manager.
Izik Kotler <izik@2xss.com> Senior programmer.
Mixter <mixter@2xss.com> Senior programmer.
acz QA tester.
--- procmail-3.14/src/pipes.c.old Thu Feb 21 01:11:42 2002
+++ procmail-3.14/src/pipes.c Thu Feb 21 01:11:44 2002
@@ -41,7 +41,7 @@
void ftimeout P((void))
{ alarm(0);alrmtime=0;toutflag=1;nlog("Timeout, "); /* careful,
killing */
elog(pidchild>0&&!kill(pidchild,SIGTERM)?"terminating":"was waiting
for");
- logqnl(lastexec);signal(SIGALRM,(void(*)())ftimeout);
+ if (lastexec !=
NULL)logqnl(lastexec);signal(SIGALRM,(void(*)())ftimeout);
}
void resettmout P((void))
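Review bot: the NULL check added in the `+` line only covers the case where lastexec has never been assigned; ftimeout still runs as a SIGALRM handler and calls nlog, elog, logqnl and kill, so whatever state lastexec and the log buffers are in at the moment the signal interrupts the main program is still used unguarded. Suggest at least making the control flow explicit so the re-arm is not misread as part of the condition: `if (lastexec != NULL) { logqnl(lastexec); }` on one line and `signal(SIGALRM,(void(*)())ftimeout);` on the next. Also note the mailer has wrapped the `+` line across two lines (`if (lastexec !=` / `NULL)logqnl(lastexec);...`) and the elog string in the context lines, so this patch will not apply cleanly as pasted and needs to be re-sent unwrapped.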
--
------------
Ehud Tenenbaum
C.T.O & Project Manager
2xs LTD.
Tel: 972-9-9519980
Fax: 972-9-9519982
E-Mail: ehud@2xss.com
------------
Have A Safe Day