Vigil@nce - procmail: buffer overflow of getlline
December 2014 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
A local attacker can edit his ~/.procmailrc file to trigger a
one-byte buffer overflow in the getlline() function of procmail, in
order to cause a denial of service, and possibly to execute code.
Impacted products: Unix (platform)
Severity: 2/4
Creation date: 04/12/2014
DESCRIPTION OF THE VULNERABILITY
The procmail program parses the user's ~/.procmailrc file to
determine how his emails are to be processed.
A backslash (\) at the end of a line tells procmail that the rule
continues on the next line, so the physical lines are reassembled into
one logical rule. However, when the reassembled data is larger than
the storage array (2048 bytes), one byte is written past the end of
the array.
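As an added illustration (not procmail's own code, and not part of the bulletin), the following C reconstructs the continuation-line reassembly with the kind of off-by-one bounds check the bulletin describes, beside a hardened check that reserves the byte needed for the terminator. The function and buffer names are assumptions; LINEBUF is set to the 2048-byte array size the bulletin quotes, and the ~/.procmailrc contents are constructed inline.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define LINEBUF 2048   /* size of the line storage array named in the bulletin */

/*
 * Copy one logical rule from `src` (text of a .procmailrc) into `dst`, which
 * holds `cap` bytes, joining physical lines that end in a backslash.
 * Returns the number of bytes stored (without the terminating NUL), or -1
 * when the rule does not fit.
 *
 * `buggy` selects the bounds check.  The buggy check only asks whether the
 * next data byte fits and forgets that the NUL terminator needs a byte too,
 * so a rule whose reassembled length is exactly `cap` passes every check and
 * the NUL lands at dst[cap], one byte past the array.  The hardened check
 * reserves that byte.  (Illustrative reconstruction, not procmail's code.)
 */
long join_rule(const char *src, char *dst, size_t cap, int buggy)
{
    size_t n = 0;
    const char *p = src;

    while (*p != '\0') {
        if (*p == '\\' && (p[1] == '\n' || p[1] == '\0')) {
            /* Continuation marker: drop "\<newline>" and keep reading. */
            p += (p[1] == '\n') ? 2 : 1;
            continue;
        }
        if (*p == '\n') {
            p++;                      /* end of this logical rule */
            break;
        }
        if (buggy ? (n >= cap) : (n + 1 >= cap))
            return -1;                /* would not fit: refuse the rule */
        dst[n++] = *p++;
    }
    dst[n] = '\0';                    /* lands at dst[cap] in the buggy case */
    return (long)n;
}

/*
 * Feed join_rule() a constructed two-line rule whose reassembled length is
 * exactly LINEBUF bytes, using a buffer with one spare byte after the
 * declared capacity as a canary.  Returns 1 if that spare byte was
 * overwritten, 0 otherwise.  Keeping the spare byte inside a real array
 * makes the off-by-one observable without undefined behaviour.
 */
int canary_clobbered(int buggy)
{
    static char rc[LINEBUF + 8];      /* constructed ~/.procmailrc contents */
    char buf[LINEBUF + 1];            /* LINEBUF declared bytes + 1 canary */
    size_t half = LINEBUF / 2;

    memset(rc, 'A', half);            /* first physical line ...            */
    rc[half] = '\\';                  /* ... ends in a backslash            */
    rc[half + 1] = '\n';
    memset(rc + half + 2, 'B', half); /* continuation line                  */
    rc[2 * half + 2] = '\n';
    rc[2 * half + 3] = '\0';

    buf[LINEBUF] = 0x7f;              /* canary just past the declared size */
    (void)join_rule(rc, buf, LINEBUF, buggy);
    return buf[LINEBUF] != 0x7f;
}

/* Hardened reassembly of the two-line rule "a\<newline>b" into `cap` bytes. */
long small_rule_len(size_t cap)
{
    char out[8];                      /* larger than any cap used here */
    return join_rule("a\\\nb\nnext rule\n", out, cap, 0);
}

int main(void)
{
    printf("buggy check overwrote the byte past the array: %d\n",
           canary_clobbered(1));
    printf("hardened check overwrote it:                   %d\n",
           canary_clobbered(0));
    return 0;
}
```

The point to look for when reviewing a line reader of this shape is whether the capacity check accounts for every byte the function writes, including the terminator; a check that is correct for the data bytes alone is exactly one byte short, which matches the overflow size the bulletin reports.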
This vulnerability matters on systems where procmail is installed
setuid root, or where a user can edit his ~/.procmailrc file but has
no shell access, because in both cases the overflow lets the attacker
run code with privileges, or in a context, that he does not otherwise
have.
A local attacker can therefore edit his ~/.procmailrc file to trigger
a one-byte buffer overflow in the getlline() function of procmail, in
order to cause a denial of service, and possibly to execute code.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/procmail-buffer-overflow-of-getlline-15740