100771 2003-05-08  19:02  /5 lines/ KF <dotslash@globalintersec.com>
Imported: 2003-05-08  19:02  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <4821>
Subject: SRT2003-05-08-1137 - ListProc mailing list ULISTPROC_UMASK overflow
------------------------------------------------------------
http://www.secnetops.biz/research

-KF
(100771) /KF <dotslash@globalintersec.com>/---------
Attachment (text/plain) in text 100772
100772 2003-05-08  19:02  /98 lines/ KF <dotslash@globalintersec.com>
Attachment filename: "SRT2003-05-08-1137.txt"
Imported: 2003-05-08  19:02  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <4822>
Attachment (text/plain) to text 100771
Subject: Attachment (SRT2003-05-08-1137.txt) to: SRT2003-05-08-1137 - ListProc mailing list ULISTPROC_UMASK overflow
------------------------------------------------------------
Secure Network Operations, Inc.           http://www.secnetops.com
Strategic Reconnaissance Team	            research@secnetops.com
Team Lead Contact		                  kf@secnetops.com


Our Mission:
************************************************************************
Secure Network Operations offers expertise in Networking, Intrusion
Detection Systems (IDS), Software Security Validation, and
Corporate/Private Network Security. Our mission is to facilitate a
secure and reliable Internet and inter-enterprise communications
infrastructure through the products and services we offer.


Quick Summary:
************************************************************************
Advisory Number         : SRT2003-05-08-1137
Product                 : ListProc
Version                 : <= 8.2.09
Vendor                  : http://www.cren.net + http://www.listproc.net
Class                   : local
Criticality             : Medium to Low
Operating System(s)     : Solaris 2.x, Linux, BSDI, FreeBSD, AIX


High Level Explanation
************************************************************************
High Level Description	: suid root catmail ULISTPROC_UMASK overflow
What to do		: chmod -s /path/to/catmail


Technical Details
************************************************************************
Proof Of Concept Status : Secure Network Operations does have PoC code
Low Level Description   :

In the middle of July last year, the Corporation for Research and
Educational Networking (CREN) was notified of a local buffer overflow
in the program known as catmail. Catmail is a helper application for
the mailing list server ListProc. ListProc is "the UNIX Mailing List
Manager of choice" for a number of companies.

On January 7, 2003, CREN effectively ceased all operations, including
work with ListProc, with the following statement: "We recommend that
the Corporation for Research and Educational Networking (CREN) be
dissolved effective as soon as appropriate. The effective date of
dissolution will likely be in the first quarter of 2003. CREN
Operations will cease effective as soon as appropriate."

Prior to the company stopping operations, SecNetOps was in contact
with their development staff long enough to see that a fix was created
for the above-mentioned issue. Unfortunately, at the time their staff
was not on hand to thoroughly test the fix, and SecNetOps did not have
the facilities to compile the new version of catmail to test the fix
ourselves. The problem appeared to be caused by a series of strcat(),
sprintf(), strcpy() and other easily abused function calls; however,
we cannot confirm that as fact.
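The cause above is unconfirmed, so the following is an added example (not catmail's or ListProc's code, and not from the advisory) of how a setuid helper can take ULISTPROC_UMASK from the environment without an unbounded copy: the string is validated and converted in place and never written into a fixed-size buffer. The four-character limit and the 077 fallback are assumptions.

```c
/* Added example, not ListProc's code: bounded handling of an umask value
 * read from the environment, the kind of handling a setuid helper such
 * as catmail needs for ULISTPROC_UMASK. The actual catmail code is not
 * known; the pattern is validate-then-convert in place, never strcpy(),
 * strcat() or sprintf() of an untrusted string into a fixed-size buffer. */
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>

#define UMASK_MAX_LEN 4   /* "0777" is the longest valid octal umask (assumed limit) */

/* Return the umask as a value 0..0777, or -1 if the string is NULL, empty,
 * longer than UMASK_MAX_LEN, not all octal digits, or above 0777.
 * The input is only read, never copied, so an oversized value is harmless. */
long parse_umask(const char *s)
{
    if (s == NULL || *s == '\0')
        return -1;
    size_t n = 0;
    /* Stop scanning as soon as the string is known to be too long. */
    while (n <= UMASK_MAX_LEN && s[n] != '\0')
        n++;
    if (n > UMASK_MAX_LEN)
        return -1;
    long v = 0;
    for (size_t i = 0; i < n; i++) {
        if (s[i] < '0' || s[i] > '7')
            return -1;
        v = v * 8 + (s[i] - '0');   /* at most four octal digits: no overflow */
    }
    return (v > 0777) ? -1 : v;   /* e.g. "7777" fits in 4 chars but is out of range */
}

/* Apply ULISTPROC_UMASK from the environment, or a conservative default
 * (077, an assumed choice) when it is absent or malformed. Returns the mask set. */
mode_t apply_env_umask(void)
{
    long v = parse_umask(getenv("ULISTPROC_UMASK"));
    mode_t m = (v < 0) ? 077 : (mode_t)v;
    umask(m);
    return m;
}

int main(void)
{
    printf("umask set to %04o\n", (unsigned)apply_env_umask());
    return 0;
}
```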

ListProc has since been moved to SourceForge; however, the status of
this problem is not known. SecNetOps has not been in contact with CREN
for a number of months. The current release on SourceForge has not
been updated since March of 2002, so the fix is probably not available
to the public. http://sourceforge.net/projects/listproc/ is the
current home of ListProc.

Zillion from Safemode.org was able to successfully exploit this
problem in a SecNetOps lab setting. A functional exploit *may* be
found at http://safemode.org.

gentoo listproc $ head -n 12  List-Proc-catmail.pl
#!/usr/bin/perl
#
# Quick hack for the ListProc catmail overflow found by KF (dotslash@snosoft.com)
# Written by zillion (zillion@safemode.org) on July 23, 2002
#
# Tested on version 8.2.09
#
# [zillion@ghetto lp8]$ ./expl.pl -f ./catmail
# The new return address: 0xbfffae1c
# sh-2.05# id
# uid=0(root) gid=1214(snosoft) groups=1214(snosoft),520(zillion)

The buffer overflow in ULISTPROC_UMASK may not be the only issue
present. We would suggest evaluating a *supported* mailing list
solution.

Patch or Workaround     : chmod -s /path/to/catmail
Vendor Status           : Status unknown. Fix was created but not distributed.
Bugtraq URL             : to be assigned

------------------------------------------------------------------------
This advisory was released by Secure Network Operations, Inc. as a matter
of notification to help administrators protect their networks against
the described vulnerability. Exploit source code is no longer released
in our advisories. Contact research@secnetops.com for information on how
to obtain exploit information.
(100772) /KF <dotslash@globalintersec.com>/(Reflowed)