lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: 4 Aug 2006 10:23:58 -0000
From: erdc@...o.or.id
To: bugtraq@...urityfocus.com
Subject: [ECHO_ADV_42$2006] BufferOverflow in Eremove Client

\_   _____/\_   ___ \ /   |   \\_____  \
 |    __)_ /    \  \//    ~    \/   |   \
 |        \\     \___\    Y    /    |    \
/_______  / \______  /\___|_  /\_______  /
        \/         \/       \/         \/

                                        .OR.ID
ECHO_ADV_42$2006

---------------------------------------------------------------------------
[ECHO_ADV_42$2006] BufferOverflow in Eremove Client
---------------------------------------------------------------------------

Author       : Dedi Dwianto
Date         : Aug, 01st 2006
Location     : Indonesia, Jakarta
Web          : http://advisories.echo.or.id/adv/adv42-theday-2006.txt
Exploitation : Local 
Critical Lvl : High
---------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Application : Eremove
version     : 1.4
URL         : http://eremove.sourceforge.net/
Description :
Eremove is a simple application for linux, based on GTK, for logging into 
a POP3 mail account, quickly seeing a summary of everything that is there 
waiting for you, and previewing/deleteing some or all of those emails painlessly.

---------------------------------------------------------------------------

Vulnerability:
~~~~~~~~~~~~~~~~
The function priview_create  used by Eremove  is affected by a buffer-overflow
vulnerability which happens when it tries to store the exceeding data
available in the input email in the message_body  buffer of only 65534 bytes.

------------------gui.cpp-----------------------------
.....
gint preview_create (int message_num) {
        ...
        GtkWidget       *hbox;
        GtkWidget       *vscrollbar;
        char            *tmp_pntr;
        char            tmp_str[255];
        char            buf[65534];
        char            message_body[65534];
        gint            i;
	...
	        }
        if (!find_header_field("Date", buf, &date)) {
                date = (char *) malloc(strlen("unspecified")*sizeof(char));
                strcpy(date, "unspecified");
        }
        strcpy(message_body, buf);
	...
----------------------------------------------------------

POC:
~~~~
Send EMail with Attachment more than 100 KB
and Openwith eremove.
Eremove will be crash.
---------------------------------------------------------------------------
Shoutz:
~~~~~~~

~ y3dips,moby,comex,z3r0byt3,K-159,c-a-s-e,S`to,lirva32,anonymous
~ My Lovely Jessy
~ newbie_hacker@...oogroups.com
~ #aikmel #e-c-h-o @irc.dal.net
~ SUPPORT PALESTINE & LEBANON
---------------------------------------------------------------------------
Contact:
~~~~~~~~

     Dedi Dwianto || echo|staff || the_day[at]echo[dot]or[dot]id
     Homepage: http://theday.echo.or.id/

-------------------------------- [ EOF ] ----------------------------------

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ