[UNIX] ListProc Mailing List ULISTPROC_UMASK Overflow

From: SecuriTeam (support_at_securiteam.com)
Date: 05/09/03

    To: list@securiteam.com
    Date: 9 May 2003 09:45:16 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      ListProc Mailing List ULISTPROC_UMASK Overflow
    ------------------------------------------------------------------------

    SUMMARY

     ListProc <http://sourceforge.net/projects/listproc/> is a UNIX-based
    automated information distribution and retrieval system for electronic
    mailing lists and file archives. ListProc is intended to be easy to
    maintain, support, and use. A local buffer overflow in the product allows
    local attackers to gain elevated privileges.

    DETAILS

    Vulnerable systems:
     * ListProc version 8.2.09 and prior

    In the middle of July last year, The Corporation for Research and
    Educational Networking (CREN) was notified of a local buffer overflow in
    the program known as Catmail. Catmail is a helper application for the
    mailing list server ListProc. ListProc is "the UNIX Mailing List Manager
    of choice" for a number of companies.

    On January 7, 2003, CREN effectively ceased all operations, including
    work with ListProc, with the following statement: "We recommend that the
    Corporation for Research and Educational Networking (CREN) be dissolved
    effective as soon as appropriate. The effective date of dissolution will
    likely be in the first quarter of 2003. CREN Operations will cease
    effective as soon as appropriate."

    Before the company stopped operations, SecNetOps was in contact with
    its development staff long enough to see that a fix was created for the
    above-mentioned issue. Unfortunately, their staff was not on hand at the
    time to thoroughly test the fix, and SecNetOps did not have the
    facilities to compile the new version of Catmail to test the fix on our
    own. The problem appeared to be caused by a series of strcat(),
    sprintf(), strcpy() and other easily abused function calls; however,
    Secure Network Operations cannot confirm that as fact.
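
    An added example, not ListProc or Catmail source (the advisory does not
    show that code): one way a setuid helper can take a umask from an
    environment variable such as ULISTPROC_UMASK without unbounded
    strcpy()/strcat()/sprintf() calls. The names parse_umask and
    join_bounded, the 0777 limit and the 077 default are assumptions made
    for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Parse an untrusted umask string without copying it into a fixed-size
 * buffer. Returns 0 and stores the mask on success; returns -1 and leaves
 * *out untouched on malformed or out-of-range input. (Hypothetical helper.) */
int parse_umask(const char *value, mode_t *out)
{
    char *end = NULL;
    unsigned long mask;
    size_t digits;

    if (value == NULL || out == NULL)
        return -1;
    digits = strspn(value, "01234567");      /* leading run of octal digits */
    if (digits == 0 || digits > 4 || value[digits] != '\0')
        return -1;                           /* empty, too long, or trailing junk */
    errno = 0;
    mask = strtoul(value, &end, 8);
    if (errno != 0 || *end != '\0' || mask > 0777)
        return -1;                           /* assumed limit: permission bits only */
    *out = (mode_t)mask;
    return 0;
}

/* Bounded stand-in for a strcpy()+strcat() or sprintf() sequence: writes
 * prefix followed by value into dst and fails rather than truncating or
 * writing past dstlen. (Hypothetical helper.) */
int join_bounded(char *dst, size_t dstlen, const char *prefix, const char *value)
{
    int n = snprintf(dst, dstlen, "%s%s", prefix, value);
    return (n < 0 || (size_t)n >= dstlen) ? -1 : 0;
}

int main(void)
{
    /* Variable name taken from the advisory; the handling is illustrative. */
    const char *env = getenv("ULISTPROC_UMASK");
    mode_t mask = 077;                       /* assumed conservative default */

    if (env != NULL && parse_umask(env, &mask) != 0)
        fputs("ignoring invalid ULISTPROC_UMASK\n", stderr);
    printf("effective umask: %03o\n", (unsigned)mask);
    return 0;
}
```
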

    ListProc has now been moved to SourceForge; however, the status of
    this problem is not known. SecNetOps has not been in contact with CREN for
    a number of months. The current release on SourceForge has not been
    updated since March of 2002, so the fix is probably not available to the
    public. http://sourceforge.net/projects/listproc/ is the current home of
    ListProc.

    Zillion from Safemode.org was able to successfully exploit this problem in
    a SecNetOps lab setting.

    Example:
    gentoo listproc $ head -n 12 List-Proc-catmail.pl
    #!/usr/bin/perl
    #
    # Quick hack for the ListProc catmail overflow found by KF (dotslash@snosoft.com)
    # Written by zillion (zillion@safemode.org) on July 23, 2002
    #
    # Tested on version 8.2.09
    #
    # [zillion@ghetto lp8]$ ./expl.pl -f ./catmail
    # The new return address: 0xbfffae1c
    # sh-2.05# id
    # uid=0(root) gid=1214(snosoft) groups=1214(snosoft),520(zillion)

    The buffer overflow in ULISTPROC_UMASK may not be the only issue present.
    SecNetOps would suggest evaluating a *supported* mailing list solution.

    Patch or Workaround:
    chmod -s /path/to/catmail

    Vendor Status:
    Status is unknown. Fix was created but not distributed.

    ADDITIONAL INFORMATION

    The information has been provided by KF
    <mailto:dotslash@globalintersec.com>.
