‘Ecartis Contains Multiple Vulnerabilities’

Summary

Ecartis is ‘an open-source (GNU License) software package that administers mailing lists (similar to Majordomo and Listserv)’. Several security vulnerabilities have been found in the product allowing remote attackers to execute arbitrary code, and to remotely cause the product to reveal to them the administrative password used by Ecartis’ administrator.’

Credit:

‘The information has been provided by Timo Sirainen.’


Details

Vulnerable systems:
 * Ecartis version 1.0

Password disclosure:
Ecartis contains liscript that supports some variables and functions. User input is fully trusted in several places that allow calling those functions or viewing variables.

For example, send an email to ecartis@host.com:
subscribe secret-list
subscribe <$post-password>

The first command will fail, but it selects the secret-list as an active list. Second command will also fail, but the reply mail expands the post-password to the real password.

Multiple Buffer Overflows:
The product contains multiple buffer overflows. These have been fixed by the provided (unofficial) patch:

diff -ru ecartis-1.0.0-old/src/smtp.c ecartis-1.0.0/src/smtp.c
— ecartis-1.0.0-old/src/smtp.c Fri Apr 18 09:45:04 2003
+++ ecartis-1.0.0/src/smtp.c Thu Aug 14 17:30:24 2003
@@ -330,18 +330,19 @@
    return 1;
 }
 
-void smtp_body_822bis(const char *src, char *dest)
+void smtp_body_822bis(const char *src, char *dest, size_t size)
 {
     const char *ptr1;
–    char *ptr2;
+    char *ptr2, *end;
     int lastcr;
 
     lastcr = 0;
 
     ptr1 = src;
     ptr2 = dest;
+    end = dest + size – 2;
 
–    while(*ptr1) {
+    while(*ptr1 && ptr2 < end) {
        if ((*ptr1 == ‘n’) && (!lastcr)) {
           *ptr2++ = ‘r’;
        } else if (*ptr1 == ‘r’) {
@@ -367,7 +368,7 @@
 {
     char buffer[HUGE_BUF];
 
–    smtp_body_822bis(line,&buffer[0]);
+    smtp_body_822bis(line,&buffer[0], sizeof(buffer));
 
     clean_var(‘smtp-last-error’, VAR_TEMP);
     if (!sock_printf(my_socket,’%s’,buffer)) {
@@ -385,7 +386,7 @@
 
     buffer_printf(buffer2, sizeof(buffer2) – 1, ‘%srn’, line);
 
–    smtp_body_822bis(buffer2,&buffer[0]);
+    smtp_body_822bis(buffer2,&buffer[0], sizeof(buffer));
 
     clean_var(‘smtp-last-error’, VAR_TEMP);
     if (!sock_printf(my_socket,’%s’,buffer)) {
diff -ru ecartis-1.0.0-old/src/unhtml.c ecartis-1.0.0/src/unhtml.c
— ecartis-1.0.0-old/src/unhtml.c Fri Apr 18 09:45:04 2003
+++ ecartis-1.0.0/src/unhtml.c Thu Aug 14 17:43:03 2003
@@ -161,6 +161,25 @@
         case HTMLPARSE_NORMAL:
         case HTMLPARSE_EATTAG:
           {
+             /* Wordwrap */
+             if (linechars > 76) {
+                char tempbuf[1024];
+                *tptr = 0;
+                
+                tptr = strrchr(linebuffer,’ ‘);
+                if (!tptr) tptr = strrchr(linebuffer,’-‘);
+                if (!tptr) tptr = &tempbuf[76];
+
+                buffer_printf(tempbuf,1023,’%s’,
+                  (*tptr == ‘ ‘) ? tptr + 1 : tptr);
+                *tptr = 0;
+
+                newline(outfile,&linebuffer[0],indent,linemode);
+                buffer_printf(linebuffer,79,’%s’,tempbuf);
+                tptr = &linebuffer[strlen(linebuffer)];
+                linechars = strlen(linebuffer);
+                lastspace = 1;
+             }
              if (tempchar == ‘&’) {
                 memset(buffer, 0, sizeof(buffer));
                 tagptr = &buffer[0];
@@ -182,25 +201,6 @@
                    lastspace = (tempchar == ‘ ‘);
                 }
 
–                /* Wordwrap */
–                if (linechars > 76) {
–                   char tempbuf[1024];
–                   *tptr = 0;
–                ‘

Categories: UNIX