Home page logo

bugtraq logo Bugtraq mailing list archives

SRT2003-05-08-1137 - ListProc mailing list ULISTPROC_UMASK overflow
From: KF <dotslash () globalintersec com>
Date: Thu, 08 May 2003 12:15:41 -0500



Secure Network Operations, Inc.           http://www.secnetops.com
Strategic Reconnaissance Team               research () secnetops com
Team Lead Contact                                 kf () secnetops com

Our Mission:
Secure Network Operations offers expertise in Networking, Intrusion 
Detection Systems (IDS), Software Security Validation, and 
Corporate/Private Network Security. Our mission is to facilitate a 
secure and reliable Internet and inter-enterprise communications 
infrastructure through the products and services we offer. 

Quick Summary:
Advisory Number         : SRT2003-05-08-1137
Product                 : ListProc
Version                 : <= 8.2.09
Vendor                  : http://www.cren.net + http://www.listproc.net
Class                   : local
Criticality             : Medium to Low
Operating System(s)     : Solaris 2.x, Linux, BSDI, FreeBSD, AIX

High Level Explanation
High Level Description  : suid root catmail ULISTPROC_UMASK overflow
What to do              : chmod -s /path/to/catmail

Technical Details
Proof Of Concept Status : Secure Network Operations does have PoC code
Low Level Description   : 

In the middle of July last year The Corporation for Research and 
Educational Networking (CREN) was notified of a local buffer overflow in 
the program known as catmail. Catmail is a helper application for the 
mailing list server ListProc. ListProc is "the UNIX Mailing List Manager 
of choice" for a number of companies. 

On January 7, 2003 CREN has effectively ceased all operations including 
work with ListProc with the following statement: "We recommend that the 
Corporation for Research and Educational Networking (CREN) be dissolved 
effective as soon as appropriate. The effective date of dissolution will 
likely be in the first quarter of 2003. CREN Operations will cease
effective as soon as appropriate."

Prior to the company stopping operations SecNetOps was in contact with 
their development staff long enough to see that a fix was created for 
the above mentioned issue. Unfortunately at the time their staff was 
not on hand to thoroughly test the fix. SecNetOps did not have the 
facilities to compile the new version of catmail in efforts to test the
fix on our own. The problem appeared to be caused by a series of strcat() 
sprintf() strcpy() and other easily abused function calls however we 
can not confirm that as fact. 

Currently ListProc has been moved to SourceForge however the status of 
this problem is not known. SecNetOps has not been in contact with CREN 
for a number of months. The current release on SourceForge has not been 
updated since March of 2002 so the fix is probably not available to the
public. http://sourceforge.net/projects/listproc/ is the current home 
of ListProc. 

Zillion from Safemode.org was able to successfully exploit this problem
in a SecNetOps lab setting. A functional exploit *may* be found at 

gentoo listproc $ head -n 12  List-Proc-catmail.pl
# Quick hack for the ListProc catmail overflow found by KF (dotslash () snosoft com)
# Written by zillion (zillion () safemode org) on July 23, 2002
# Tested on version 8.2.09
# [zillion () ghetto lp8]$ ./expl.pl -f ./catmail
# The new return address: 0xbfffae1c
# sh-2.05# id
# uid=0(root) gid=1214(snosoft) groups=1214(snosoft),520(zillion)

The buffer overflow in ULISTPROC_UMASK may not be the only issues present. 
We would suggest evaluating a *supported* mailing list solution. 

Patch or Workaround     : chmod -s /path/to/catmail
Vendor Status   : Status unknown. Fix was created but not distributed. 
Bugtraq URL     : to be assigned 

This advisory was released by Secure Network Operations,Inc. as a matter
of notification to help administrators protect their networks against
the described vulnerability. Exploit source code is no longer released
in our advisories. Contact research () secnetops com for information on how
to obtain exploit information.

  By Date           By Thread  

Current thread:
  • SRT2003-05-08-1137 - ListProc mailing list ULISTPROC_UMASK overflow KF (May 08)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]