Message-ID: <759b5202a9c1271617e41999a18a6be63f5f8380@user242.idefense.com>
Date: Wed, 10 Sep 2003 16:03:04 -0400
From: "iDEFENSE Labs" <labs@...fense.com>
To: bugtraq@...urityfocus.com
Subject: iDEFENSE Security Advisory 09.10.03: Two Exploitable Overflows in PINE
iDEFENSE Security Advisory 09.10.03:
http://www.idefense.com/advisory/09.10.03.txt
Two Exploitable Overflows in PINE
September 10, 2003
I. BACKGROUND
PINE (The Program for Internet News & Email) is a popular e-mail client
shipped with many Linux and Unix distributions. It was developed at the
University of Washington; more information is available at
http://www.washington.edu/pine/ .
II. DESCRIPTION
PINE contains two exploitable vulnerabilities that can be triggered
when a victim opens a specially crafted email sent by an attacker.
--- Vulnerability 1: Buffer Overflow ---
A remotely exploitable buffer overflow exists within the parsing of the
message/external-body type attribute name/value pairs. Failure to check
that the length of the longest attribute is less than the space
available allows a maliciously formed e-mail message to overwrite
control structures. Careful modification of these values allows
arbitrary code execution. However, exploitation requires knowledge of
the targeted version of PINE.
A 20kb character array is declared as:
headers.h:
#define SIZEOF_20KBUF (20480)
pine.c:
char tmp_20k_buf[SIZEOF_20KBUF];
The tmp_20k_buf[] array is stored within the .bss section and
referenced with a character pointer 'd'. The overflow occurs within
the following snippet of code from the display_parameters() routine in
mailview.c:
d = tmp_20k_buf;
if(parmlist = rfc2231_newparmlist(params)){
    while(rfc2231_list_params(parmlist) && d < tmp_20k_buf + 10000){
        sprintf(d, "%-*s: %s\n", longest, parmlist->attrib,
                parmlist->value ? strsquish(tmp_20k_buf + 11000,
                                            parmlist->value, 100)
                                : "");
        d += strlen(d);
    }
Starting at 'd', the code pads each attribute name with spaces so that it
occupies as many characters as the 'longest' attribute name, and the
resulting attribute name/value pairs are later displayed. Example:
Access-Type: ftp
URL: ftp://localhost/pub/interesting.ps
Supplying any attribute name that is over 20kb in length will overflow
the buffer, eventually allowing for arbitrary code execution.
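The guard-before-write pattern in the snippet above, reduced to a small buffer so the defect is visible. This is an added example, not PINE's code: DEMO_BUF, DEMO_LIMIT and the function names are constructed. The original check (which only tests where the next entry starts) is kept beside a form that bounds each write to the space remaining.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sizes: PINE's array is 20480 bytes and its guard is 10000. */
#define DEMO_BUF   80
#define DEMO_LIMIT 40

/* The advisory's guard: only checks where the next entry STARTS (d < limit),
 * never whether the formatted entry FITS in what is left. */
static int vuln_guard_allows_write(size_t used)
{
    return used < DEMO_LIMIT;
}

/* Hardened form: bound the write with snprintf() to the remaining space and
 * refuse (return -1) when the entry does not fit; else return the new offset. */
static int safe_append_param(char *buf, size_t bufsz, size_t used,
                             int longest, const char *attrib, const char *value)
{
    if (used >= bufsz)
        return -1;
    int need = snprintf(buf + used, bufsz - used, "%-*s: %s\n",
                        longest, attrib, value ? value : "");
    if (need < 0 || (size_t)need >= bufsz - used) {
        buf[used] = '\0';               /* drop the truncated partial entry */
        return -1;
    }
    return (int)used + need;
}

/* The two entries from the advisory's example both fit; returns bytes used. */
int demo_example_fits(void)
{
    char buf[DEMO_BUF];
    int used = safe_append_param(buf, sizeof buf, 0, 11, "Access-Type", "ftp");
    if (used < 0) return -1;
    return safe_append_param(buf, sizeof buf, (size_t)used, 11, "URL",
                             "ftp://localhost/pub/interesting.ps");
}

/* A 100-byte attribute name at offset 0: the old guard says "go ahead"
 * (0 < DEMO_LIMIT) although the entry cannot fit; the new form refuses. */
int demo_old_guard_long_name(void) { return vuln_guard_allows_write(0); }
int demo_safe_long_name(void)
{
    char buf[DEMO_BUF], name[101];
    memset(name, 'A', 100); name[100] = '\0';
    return safe_append_param(buf, sizeof buf, 0, 100, name, "ftp");
}
```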
--- Vulnerability 2: Integer Overflow ---
A remotely exploitable integer overflow exists in the parsing of e-mail
headers, allowing for arbitrary code execution upon the opening of a
malicious e-mail. The vulnerability exists within the
rfc2231_get_param() routine found in the strings.c file. An array of 64
character pointers is declared:
#define RFC2231_MAX 64
...
char *pieces[RFC2231_MAX];
and indexed by the signed integer variable 'n':
if(n < RFC2231_MAX){
pieces[n] = parms->value;
The variable 'n' is attacker-controlled and can be set to a negative
value that satisfies the if statement yet references an out-of-bounds
index within the pieces[] array. Arbitrary code execution is possible by
storing assembly code within the parms->value structure and writing
outside the 64-entry pieces[] array, thereby overwriting the stored
instruction pointer on the stack.
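The signed-index check from the snippet above beside a hardened form, as an added example that is not PINE's code. It assumes (the advisory does not say) that 'n' is the RFC 2231 continuation section number taken from an attribute name of the form "name*N" and parsed with atoi(), which is how a negative value could arise; rfc2231_section() and store_piece() are constructed names.

```c
#include <stdlib.h>
#include <string.h>

#define RFC2231_MAX 64

/* Assumption for the demo: the section number follows the '*' in an
 * RFC 2231 continuation name ("filename*0", "filename*1*"), parsed with
 * atoi(), so a crafted "filename*-5" yields n = -5. No '*' means section 0. */
static int rfc2231_section(const char *attr)
{
    const char *star = strchr(attr, '*');
    return star ? atoi(star + 1) : 0;
}

/* The advisory's check: any signed 'n' below 64 passes, negatives included. */
int vuln_index_accepted(int n)
{
    return n < RFC2231_MAX;
}

/* Hardened check: reject negatives explicitly (comparing as unsigned,
 * (unsigned)n < RFC2231_MAX, is the equivalent one-sided form). */
int fixed_index_accepted(int n)
{
    return n >= 0 && n < RFC2231_MAX;
}

/* Store one continuation piece into a table sized like PINE's pieces[].
 * Returns 1 if stored, 0 if the section number was rejected. */
int store_piece(const char *pieces[RFC2231_MAX], const char *attr,
                const char *value)
{
    int n = rfc2231_section(attr);
    if (!fixed_index_accepted(n))
        return 0;
    pieces[n] = value;
    return 1;
}

/* Constructed header: two valid sections, one negative, one past the end.
 * Returns how many were stored (2), or -1 if a stored slot is wrong. */
int demo_store_pieces(void)
{
    const char *pieces[RFC2231_MAX] = {0};
    const char *attrs[]  = {"filename*0", "filename*1", "filename*-5", "filename*99"};
    const char *values[] = {"report", ".ps", "payload", "overflow"};
    int stored = 0;
    for (int i = 0; i < 4; i++)
        stored += store_piece(pieces, attrs[i], values[i]);
    if (strcmp(pieces[0], "report") != 0 || strcmp(pieces[1], ".ps") != 0)
        return -1;
    return stored;
}
```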
III. ANALYSIS
If an attacker were to socially engineer a PINE user into opening a
malformed e-mail message, arbitrary code embedded within it would run
with the privileges of the currently logged-on user. It would be trivial
to fashion this exploit into a worm targeting e-mail addresses found in
any readable text file (inbox, etc.).
IV. DETECTION
PINE 4.56 and earlier are vulnerable.
V. VENDOR FIX
PINE 4.58, which fixes both of these issues, is available at
http://www.washington.edu/pine/getpine/ .
VI. CVE INFORMATION
The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project
has assigned the following identification numbers to these issues:
CAN-2003-0720: Vulnerability 1 - PINE buffer overflow in its handling
of the 'message/external-body' type.
CAN-2003-0721: Vulnerability 2 - PINE integer overflow in MIME header
parsing.
VII. DISCLOSURE TIMELINE
15 AUG 2003 Issues acquired by iDEFENSE
25 AUG 2003 Issues disclosed to pine@....washington.edu
25 AUG 2003 Response from Mark Crispin, University of Washington
26 AUG 2003 Issues disclosed to iDEFENSE clients
04 SEP 2003 Issues disclosed to Linux vendors: vendor-sec@....de
10 SEP 2003 Coordinated Public Disclosure
VIII. CREDIT
zen-parse (zen-parse@....net) discovered these vulnerabilities.
Get paid for security research
http://www.idefense.com/contributor.html
Subscribe to iDEFENSE Advisories:
send email to listserv@...fense.com, subject line: "subscribe"
About iDEFENSE:
iDEFENSE is a global security intelligence company that proactively
monitors sources throughout the world - from technical
vulnerabilities and hacker profiling to the global spread of viruses
and other malicious code. Our security intelligence services provide
decision-makers, frontline security professionals and network
administrators with timely access to actionable intelligence
and decision support on cyber-related threats. For more information,
visit http://www.idefense.com .