[VulnWatch] SRT2003-05-08-1137 - ListProc mailing list ULISTPROC_UMASK overflow

From: KF (dotslash_at_globalintersec.com)
Date: 05/08/03

  • Next message: bob: "[VulnWatch] Firebird local root compromise" 
    Date: Thu, 08 May 2003 12:15:41 -0500
To: bugtraq@securityfocus.com

    http://www.secnetops.biz/research

    -KF

    Secure Network Operations, Inc. http://www.secnetops.com
    Strategic Reconnaissance Team research@secnetops.com
    Team Lead Contact kf@secnetops.com

    Our Mission:
    ************************************************************************
    Secure Network Operations offers expertise in Networking, Intrusion
    Detection Systems (IDS), Software Security Validation, and
    Corporate/Private Network Security. Our mission is to facilitate a
    secure and reliable Internet and inter-enterprise communications
    infrastructure through the products and services we offer.

    Quick Summary:
    ************************************************************************
    Advisory Number : SRT2003-05-08-1137
    Product : ListProc
    Version : <= 8.2.09
    Vendor : http://www.cren.net + http://www.listproc.net
    Class : local
    Criticality : Medium to Low
    Operating System(s) : Solaris 2.x, Linux, BSDI, FreeBSD, AIX

    High Level Explanation
    ************************************************************************
    High Level Description : suid root catmail ULISTPROC_UMASK overflow
    What to do : chmod -s /path/to/catmail

    Technical Details
    ************************************************************************
    Proof Of Concept Status : Secure Network Operations does have PoC code
    Low Level Description :

    In the middle of July last year The Corporation for Research and
    Educational Networking (CREN) was notified of a local buffer overflow in
    the program known as catmail. Catmail is a helper application for the
    mailing list server ListProc. ListProc is "the UNIX Mailing List Manager
    of choice" for a number of companies.

    On January 7, 2003 CREN has effectively ceased all operations including
    work with ListProc with the following statement: "We recommend that the
    Corporation for Research and Educational Networking (CREN) be dissolved
    effective as soon as appropriate. The effective date of dissolution will
    likely be in the first quarter of 2003. CREN Operations will cease
    effective as soon as appropriate."

    Prior to the company stopping operations SecNetOps was in contact with
    their development staff long enough to see that a fix was created for
    the above mentioned issue. Unfortunately at the time their staff was
    not on hand to thoroughly test the fix. SecNetOps did not have the
    facilities to compile the new version of catmail in efforts to test the
    fix on our own. The problem appeared to be caused by a series of strcat()
    sprintf() strcpy() and other easily abused function calls however we
    can not confirm that as fact.

    Currently ListProc has been moved to SourceForge however the status of
    this problem is not known. SecNetOps has not been in contact with CREN
    for a number of months. The current release on SourceForge has not been
    updated since March of 2002 so the fix is probably not available to the
    public. http://sourceforge.net/projects/listproc/ is the current home
    of ListProc.

    Zillion from Safemode.org was able to successfully exploit this problem
    in a SecNetOps lab setting. A functional exploit *may* be found at
    http://safemode.org.

    gentoo listproc $ head -n 12 List-Proc-catmail.pl
    #!/usr/bin/perl
    #
    # Quick hack for the ListProc catmail overflow found by KF (dotslash@snosoft.com)
    # Written by zillion (zillion@safemode.org) on July 23, 2002
    #
    # Tested on version 8.2.09
    #
    # [zillion@ghetto lp8]$ ./expl.pl -f ./catmail
    # The new return address: 0xbfffae1c
    # sh-2.05# id
    # uid=0(root) gid=1214(snosoft) groups=1214(snosoft),520(zillion)

    The buffer overflow in ULISTPROC_UMASK may not be the only issues present.
    We would suggest evaluating a *supported* mailing list solution.

    Patch or Workaround : chmod -s /path/to/catmail
    Vendor Status : Status unknown. Fix was created but not distributed.
    Bugtraq URL : to be assigned

    ------------------------------------------------------------------------
    This advisory was released by Secure Network Operations,Inc. as a matter
    of notification to help administrators protect their networks against
    the described vulnerability. Exploit source code is no longer released
    in our advisories. Contact research@secnetops.com for information on how
    to obtain exploit information.

  • Next message: bob: "[VulnWatch] Firebird local root compromise"

    Relevant Pages