lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
From: idlabs-advisories at idefense.com (idlabs-advisories@...fense.com)
Subject: iDEFENSE Security Advisory 08.24.04: CDE Mailer argv[0] Format
 String Vulnerability

CDE Mailer argv[0] Format String Vulnerability

iDEFENSE Security Advisory 08.24.04
www.idefense.com/application/poi/display?id=132&type=vulnerabilities
August 24, 2004

I. BACKGROUND

CDE Mailer (dtmail) is the mail user agent (MUA) for CDE, which is
installed on Solaris 8 and 9 by default. It provides an intuitive,
easy-to-use GUI for reading, sending, and managing electronic mail.
Dtmail supports both MIME and Sun Mail Tool message formats for reading
and sending messages. In addition to local and NFS mailboxes, it also
supports the use of IMAP4 for accessing remote mailboxes. Dtmail
provides a mail-pervasive desktop environment by supporting the Mail(4) 
and Display(4) Media Exchange messages. Other applications can compose,
send, and display electronic mail messages using the ToolTalk API and
these Media Exchange messages.

II. DESCRIPTION

Exploitation of a format string vulnerability in the dtmail binary
included with CDE can allow local attackers to gain mail group
privileges.

The vulnerability specifically exists due to improper usage of a
formatted print function which allows a user supplied format to be
processed via the argv[0] value.  Local attackers can specify a special
argv[0] containing format string characters to  trigger the
vulnerability and execute arbitrary code. Program arguments are copied
onto the heap before being processed, so systems with non-executable
stack protection  are also easily affected.

III. ANALYSIS

Successful exploitation leads to group mail access. CDE is a widely
deployed default desktop environment for UNIX operating systems. Gaining
the ability to read other user email accounts, including root, could
lead to exposure of highly sensitive data. The vulnerability is easily
exploitable even when stack protections are enabled, furthering the
impact of exposure.

IV. DETECTION

iDEFENSE has confirmed the existence of this vulnerability in Solaris 8
and Solaris 9. It is believed that this vulnerability only affects the
Solaris implementation of CDE Mailer.

V. WORKAROUND

iDEFENSE is currently unaware of a workaround for this vulnerability.

VI. VENDOR RESPONSE

The Sun advisory for this issue (SunAlert #57627) is available at:

http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F57627

VII. CVE INFORMATION

A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not
been assigned yet.

VIII. DISCLOSURE TIMELINE

03/04/2004   Initial vendor contact
             (Opengroup.org)
03/04/2004   iDEFENSE clients notified
08/11/2004   Initial vendor response
             (Opengroup.org - further coordination requested)
04/19/2004   Initial vendor contact
             (Hewlett-Packard, IBM, and Sun Microsystems)
04/19/2004   Initial vendor response (Sun Microsystems)
04/20/2004   Initial vendor response (Hewlett-Packard)
08/24/2004   Public disclosure

IX. CREDIT

iDEFENSE Labs is credited with discovering this vulnerability.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

X. LEGAL NOTICES

Copyright (c) 2004 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice@...fense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an as is condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ