lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 15 Feb 2017 11:26:32 +0100
From: X41 D-Sec GmbH Advisories <>
Subject: [FD] Advisory X41-2017-002: Multiple Vulnerabilities in ytnef

X41 D-Sec GmbH Security Advisory: X41-2017-002

Multiple Vulnerabilities in ytnef

Severity Rating: High
Confirmed Affected Versions: 1.9 and earlier
Confirmed Patched Versions: 1.9.1
Vendor: Yerase
Vendor URL:
Vector: Via file
Credit: X41 D-Sec GmbH, Eric Sesterhenn
Status: public
CVE: not yet assigned
CVSS Score: 7.4

Summary and Impact
Multiple Heap Overflows, out of bound writes and reads, NULL pointer
dereferences and infinite loops have been discovered in ytnef 1.9 an
These could be exploited by tricking a user into opening a malicious
winmail.dat file.

Product Description
ytnef offers a library and utilities to extract the files from winmail.dat
files. winmail.dat files are send by Microsoft Outlook when forwarding files
via e-mail. The vendor was very responsive in providing a patched version.

Due to the big amount of issues found no detailed analysis is given here.
Almost all allocations were unchecked and out of bounds checks rarely
performed in the code.

In total 9 patches were generated for the following issues:

1. Null Pointer Deref / calloc return value not checked
2. Infinite Loop / DoS
3. Buffer Overflow in version field
4. Out of Bound Reads
5. Integer Overflow
6. Invalid Write and Integer Overflow
7. Out of Bounds read
8. Out of Bounds read and write
9. Directory Traversal using the filename

To detail some of the findings, here are excerpts from the quickly written
patch, which was send to the vendor:

Missing out of bounds checks:

	diff --git a/lib/ytnef.c b/lib/ytnef.c
	index ad92f15..5dd07a7 100644
	--- a/lib/ytnef.c
	+++ b/lib/ytnef.c
	@@ -55,6 +55,7 @@
	 #define MIN(x,y) (((x)<(y))?(x):(y))
 	#define ALLOCCHECK(x) { if(!x) { printf("Out of Memory\n"); exit(-1); } }
	+#define SIZECHECK(x) { if ((((char *)d - (char *)data) + x) >= size) {
 printf("Corrupted file\n"); exit(-1); } }

	 void TNEFFillMapi(TNEFStruct *TNEF, BYTE *data, DWORD size, MAPIProps *p);
 	void SetFlip(void);
	@@ -427,9 +428,11 @@ void TNEFFillMapi(TNEFStruct *TNEF, BYTE *data,
DWORD size, MAPIProps *p) {
	       length = -1;
	       if (PROP_ID(mp->id) >= 0x8000) {
	         // Read the GUID
	+        SIZECHECK(16);
	         memcpy(&(mp->guid[0]), d, 16);
	         d += 16;

	+        SIZECHECK(4);
	         length = SwapDWord((BYTE*)d, 4);

Infinite Loop:

	diff --git a/lib/ytnef.c b/lib/ytnef.c
	index 328e605..43b0e56 100644
	--- a/lib/ytnef.c
	+++ b/lib/ytnef.c
	@@ -546,6 +546,9 @@ void TNEFFillMapi(TNEFStruct *TNEF, BYTE *data,
DWORD size, MAPIProps *p) {
	         memcpy(vl->data, d, vl->size);
	+      default:
	+        printf("Bad file\n");
	+        exit(-1);
	     switch (PROP_ID(mp->id)) {

Buffer Overflow:

	diff --git a/lib/tnef-types.h b/lib/tnef-types.h
	index 7b6ad01..2a9709a 100644
	--- a/lib/tnef-types.h
	+++ b/lib/tnef-types.h
	@@ -103,7 +103,7 @@ typedef struct {
 	} TNEFMemInfo;
	 typedef struct {
	-  char version[10];
	+  char version[16];
	   variableLength from;
	   variableLength subject;
	   dtr dateSent;


Update to version 1.9.1 as released on

About X41 D-Sec GmbH
X41 D-Sec is a provider of application security services. We focus
on application code reviews, design review and security testing. X41 D-Sec
GmbH was founded in 2015 by Markus Vervier.
We support customers in various industries such as finance, software
development and public institutions.

2017-02-10	Issues found
2016-02-12	Vendor contacted
2016-02-12	Vendor replied
2016-02-12	CVE ID requested
2016-02-13	Pull request for patch send as per vendor request
2016-02-13	Issue 9 / Directory Traversal reported
2016-02-14	Issues fixed, 1.9.1 released
2016-02-15	Advisory release

X41 D-SEC GmbH, Dennewartstr. 25-27, D-52068 Aachen
T: +49 241 9809418-0, Fax: -9
Unternehmenssitz: Aachen, Amtsgericht Aachen: HRB19989
Geschäftsführer: Markus Vervier

Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)

Sent through the Full Disclosure mailing list
Web Archives & RSS:

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux - Powered by OpenVZ