Secure Network Operations, Inc.
http://www.secnetops.com
Strategic Reconnaissance Team
research@secnetops.com
Team Lead Contact
kf@secnetops.com

Our Mission:
************************************************************************
Secure Network Operations offers expertise in Networking, Intrusion
Detection Systems (IDS), Software Security Validation, and
Corporate/Private Network Security. Our mission is to facilitate a
secure and reliable Internet and inter-enterprise communications
infrastructure through the products and services we offer.

Quick Summary:
************************************************************************
Advisory Number      : SRT2003-05-08-1137
Product              : ListProc
Version              : <= 8.2.09
Vendor               : http://www.cren.net + http://www.listproc.net
Class                : local
Criticality          : Medium to Low
Operating System(s)  : Solaris 2.x, Linux, BSDI, FreeBSD, AIX

High Level Explanation
************************************************************************
High Level Description : suid root catmail ULISTPROC_UMASK overflow
What to do             : chmod -s /path/to/catmail

Technical Details
************************************************************************
Proof Of Concept Status : Secure Network Operations does have PoC code

Low Level Description   :

In mid-July 2002 the Corporation for Research and Educational Networking
(CREN) was notified of a local buffer overflow in the program known as
catmail. Catmail is a setuid root helper application for the mailing
list server ListProc, which describes itself as "the UNIX Mailing List
Manager of choice" and is used by a number of companies. The overflow is
triggered through the ULISTPROC_UMASK environment variable, which any
local user can set before invoking catmail.

On January 7, 2003, CREN announced that it was winding down all of its
operations, including its work on ListProc, with the following
statement:

"We recommend that the Corporation for Research and Educational
Networking (CREN) be dissolved effective as soon as appropriate. The
effective date of dissolution will likely be in the first quarter of
2003. CREN Operations will cease effective as soon as appropriate."
Before CREN stopped operations, SecNetOps was in contact with its
development staff long enough to see that a fix was created for the
issue described above. Unfortunately, at the time their staff was not on
hand to test the fix thoroughly, and SecNetOps did not have the
facilities to compile the new version of catmail to test the fix
ourselves. The problem appeared to be caused by a series of strcat(),
sprintf(), strcpy() and other easily abused function calls operating on
the environment value; however, we cannot confirm this as fact.

ListProc has since been moved to SourceForge, but the status of this
problem there is not known; SecNetOps has not been in contact with CREN
for a number of months. The current release on SourceForge has not been
updated since March 2002, so the fix is probably not available to the
public. http://sourceforge.net/projects/listproc/ is the current home of
ListProc.

Zillion from Safemode.org was able to successfully exploit this problem
in a SecNetOps lab setting. A functional exploit *may* be found at
http://safemode.org.

    gentoo listproc $ head -n 12 List-Proc-catmail.pl
    #!/usr/bin/perl
    #
    # Quick hack for the ListProc catmail overflow found by KF (dotslash@snosoft.com)
    # Written by zillion (zillion@safemode.org) on July 23, 2002
    #
    # Tested on version 8.2.09
    #
    # [zillion@ghetto lp8]$ ./expl.pl -f ./catmail
    # The new return address: 0xbfffae1c
    # sh-2.05# id
    # uid=0(root) gid=1214(snosoft) groups=1214(snosoft),520(zillion)

The buffer overflow in the handling of ULISTPROC_UMASK may not be the
only issue present. We would suggest evaluating a *supported* mailing
list solution.

Patch or Workaround : chmod -s /path/to/catmail

Removing the setuid bit means the overflow can no longer be used to
obtain root; at worst it crashes catmail in the invoking user's own
context. Confirm with ls -l that the "s" bit is gone after the change.

Vendor Status       : Status unknown. Fix was created but not
                      distributed.
Bugtraq URL         : to be assigned

------------------------------------------------------------------------

This advisory was released by Secure Network Operations, Inc. as a
matter of notification to help administrators protect their networks
against the described vulnerability.
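The following is an added illustration of the bug class this advisory attributes to catmail: a setuid root program copying an attacker-controlled environment variable (here ULISTPROC_UMASK) into a fixed stack buffer with an unbounded libc call, shown next to a bounded, validating replacement. It is not catmail's source (which the advisory could not confirm); the buffer size, function names and the "1 to 4 octal digits" rule are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added example, not catmail's code. The bug class: a setuid binary
 * trusting the length of an environment variable. UMASK_BUF and the
 * parsing rules are assumptions for illustration.
 */

#define UMASK_BUF 16   /* assumed fixed-size stack buffer */

/* Vulnerable pattern: strcpy() writes strlen(val)+1 bytes into a 16-byte
 * stack buffer, so a ULISTPROC_UMASK value of 16 or more characters
 * overwrites whatever follows the buffer (saved registers, return
 * address). Kept only for comparison; never call it with untrusted input. */
static long parse_umask_unsafe(const char *val)
{
    char buf[UMASK_BUF];
    strcpy(buf, val);               /* unbounded copy: the overflow */
    return strtol(buf, NULL, 8);    /* and no validation of the digits */
}

/* Hardened replacement: bound the length scan, accept only 1 to 4 octal
 * digits (a umask never needs more), and fail closed. Returns the umask
 * value, or -1 if the input is missing, too long or not octal. */
static long parse_umask_safe(const char *val)
{
    char buf[UMASK_BUF];
    size_t n = 0;

    if (val == NULL)
        return -1;
    /* Bounded scan: stop at the buffer size instead of trusting strlen(). */
    while (n < sizeof buf && val[n] != '\0')
        n++;
    if (n == 0 || n > 4)            /* empty, or longer than any valid umask */
        return -1;
    for (size_t i = 0; i < n; i++)
        if (val[i] < '0' || val[i] > '7')
            return -1;              /* non-octal character */
    memcpy(buf, val, n);            /* n <= 4 < sizeof buf: cannot overflow */
    buf[n] = '\0';
    return strtol(buf, NULL, 8);
}

/* Stand-alone driver: reads ULISTPROC_UMASK the way a helper like catmail
 * would, but only through the hardened parser. */
int main(void)
{
    const char *env = getenv("ULISTPROC_UMASK");
    long m = parse_umask_safe(env);

    if (m < 0) {
        fputs("ULISTPROC_UMASK unset or invalid; using default 022\n", stderr);
        m = 022;
    }
    printf("umask = %04lo\n", m);
    return 0;
}
```

Run with `ULISTPROC_UMASK=$(perl -e 'print "A"x200') ./a.out` to see the hardened parser reject the oversized value; the same input handed to the unsafe variant is exactly the kind of overflow the advisory describes. The design point is that a setuid program must treat every environment variable as attacker input and bound it before any copy, rather than hoping the caller set something sensible.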
Exploit source code is no longer released in our advisories. Contact research@secnetops.com for information on how to obtain exploit information.