[COVERT-2000-07] LISTSERV Web Archive Remote Overflow

[seclabs () NAI COM (COVERT Labs)]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_____________________________________________________________________

                     Network Associates, Inc.
                  COVERT Labs Security Advisory
                         July 17, 2000

               LISTSERV Web Archive Remote Overflow

                         COVERT-2000-07
______________________________________________________________________

o Synopsis

The L-Soft LISTSERV web archive (wa,wa.exe) component contains an
unchecked buffer allowing remote execution of arbitrary code with
the privileges of the LISTSERV daemon.

RISK FACTOR: HIGH
______________________________________________________________________

o Vulnerable Systems

L-Soft LISTSERV Web Archives 1.8d (confirmed) and 1.8c (inferred) for
Windows 9x, Windows NT 3.5x, Windows NT 4.0, Windows 2000, UNIX (all
vendors), and OpenVMS VAX.

______________________________________________________________________

o Vulnerability Information

The web archive component distributed with L-Soft LISTSERV provides
administration services for mailing lists as well as giving users
the ability to subscribe, post and search the list over the web.

By sending a long QUERY_STRING to wa or wa.exe it is possible to
overwrite the stack with user defined data allowing the execution of
arbitrary code on the remote host.

This new vulnerability differs from a previous issue addressed on the
5th May 2000 discussed at:

http://www.lsoft.com/news/default.asp?item=advisory0

______________________________________________________________________

o Resolution

L-Soft has provided a patch for this issue.  Please see their
advisory for more information:

http://www.lsoft.com/news/default.asp?item=Advisory1

______________________________________________________________________

o Credits

This vulnerability was discovered by Barnaby Jack at the COVERT Labs
of PGP Security.

______________________________________________________________________

o Contact Information

For more information about the COVERT Labs at PGP Security, visit our
website at http://www.nai.com/covert or send e-mail to covert () nai com

______________________________________________________________________

o  Legal Notice

The information contained within this advisory is Copyright (C) 2000
Networks Associates Technology Inc.  It may be redistributed provided
that no fee is charged for distribution and that the advisory is not
modified in any way.

Network Associates and PGP are registered Trademarks of Network
Associates, Inc. and/or its affiliated companies in the United States
and/or other Countries.  All other registered and unregistered
trademarks in this document are the sole property of their respective
owners.

______________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.1
Comment: Crypto Provided by Network Associates <http://www.nai.com>

iQA/AwUBOXN7iKF4LLqP1YESEQJJJACgvAtqCa2x7QNcc2T2bSqkRde2QkMAmwRy
bTg6GICsow7f3m8/3Xg3i0Xw
=EgIE
-----END PGP SIGNATURE-----