srt2003-1137.txt
Posted May 9, 2003
Authored by Strategic Reconnaissance Team | Site secnetops.com

Secure Network Operations, Inc. Advisory SRT2003-05-08-1137: A problem appears to be created by a series of strcat(), sprintf(), and strcpy() functions in ListProc <= 8.2.09 enabling an attacker to gain root privileges through a buffer overflow.

tags | advisory, overflow, root
MD5 | 06a6e9f0c077a98cf5148ea15cddc1ec

Secure Network Operations, Inc.           http://www.secnetops.com
Strategic Reconnaissance Team             research@secnetops.com
Team Lead Contact                         kf@secnetops.com


Our Mission:
************************************************************************
Secure Network Operations offers expertise in Networking, Intrusion
Detection Systems (IDS), Software Security Validation, and
Corporate/Private Network Security. Our mission is to facilitate a
secure and reliable Internet and inter-enterprise communications
infrastructure through the products and services we offer.


Quick Summary:
************************************************************************
Advisory Number : SRT2003-05-08-1137
Product : ListProc
Version : <= 8.2.09
Vendor : http://www.cren.net + http://www.listproc.net
Class : local
Criticality : Medium to Low
Operating System(s) : Solaris 2.x, Linux, BSDI, FreeBSD, AIX


High Level Explanation
************************************************************************
High Level Description : suid root catmail ULISTPROC_UMASK overflow
What to do : chmod -s /path/to/catmail


Technical Details
************************************************************************
Proof Of Concept Status : Secure Network Operations does have PoC code
Low Level Description :

In the middle of July last year The Corporation for Research and
Educational Networking (CREN) was notified of a local buffer overflow in
the program known as catmail. Catmail is a helper application for the
mailing list server ListProc. ListProc is "the UNIX Mailing List Manager
of choice" for a number of companies.

On January 7, 2003, CREN effectively ceased all operations, including
work with ListProc, with the following statement: "We recommend that the
Corporation for Research and Educational Networking (CREN) be dissolved
effective as soon as appropriate. The effective date of dissolution will
likely be in the first quarter of 2003. CREN Operations will cease
effective as soon as appropriate."

Prior to the company stopping operations, SecNetOps was in contact with
their development staff long enough to see that a fix was created for
the above-mentioned issue. Unfortunately, at the time their staff was
not on hand to thoroughly test the fix. SecNetOps did not have the
facilities to compile the new version of catmail in order to test the
fix on our own. The problem appeared to be caused by a series of strcat(),
sprintf(), strcpy(), and other easily abused function calls; however, we
cannot confirm that as fact.

ListProc has since been moved to SourceForge; however, the status of
this problem is not known. SecNetOps has not been in contact with CREN
for a number of months. The current release on SourceForge has not been
updated since March of 2002, so the fix is probably not available to the
public. http://sourceforge.net/projects/listproc/ is the current home
of ListProc.

Zillion from Safemode.org was able to successfully exploit this problem
in a SecNetOps lab setting. A functional exploit *may* be found at
http://safemode.org.

gentoo listproc $ head -n 12 List-Proc-catmail.pl
#!/usr/bin/perl
#
# Quick hack for the ListProc catmail overflow found by KF (dotslash@snosoft.com)
# Written by zillion (zillion@safemode.org) on July 23, 2002
#
# Tested on version 8.2.09
#
# [zillion@ghetto lp8]$ ./expl.pl -f ./catmail
# The new return address: 0xbfffae1c
# sh-2.05# id
# uid=0(root) gid=1214(snosoft) groups=1214(snosoft),520(zillion)

The buffer overflow in ULISTPROC_UMASK may not be the only issue present.
We would suggest evaluating a *supported* mailing list solution.

Patch or Workaround : chmod -s /path/to/catmail
Vendor Status : Status unknown. Fix was created but not distributed.
Bugtraq URL : to be assigned

------------------------------------------------------------------------
This advisory was released by Secure Network Operations, Inc. as a matter
of notification to help administrators protect their networks against
the described vulnerability. Exploit source code is no longer released
in our advisories. Contact research@secnetops.com for information on how
to obtain exploit information.

