lists.openwall.net
Open Source and information security mailing list archives
Message-ID: <06c9502e8bd74f4c5a35f6a392bf929d3f5f837d@user242.idefense.com>
From: labs at idefense.com (iDEFENSE Labs)
Subject: iDEFENSE Security Advisory 09.10.03: Two Exploitable Overflows in PINE

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

iDEFENSE Security Advisory 09.10.03:
http://www.idefense.com/advisory/09.10.03.txt
Two Exploitable Overflows in PINE
September 10, 2003

I. BACKGROUND

PINE (The Program for Internet News & Email) is a popular e-mail client
shipped with many Linux and Unix distributions. It was developed at the
University of Washington; more information is available at
http://www.washington.edu/pine/ .

II. DESCRIPTION

PINE contains two exploitable vulnerabilities that can be triggered
when a victim opens a specially crafted email sent by an attacker.

- --- Vulnerability 1: Buffer Overflow ---

A remotely exploitable buffer overflow exists within the parsing of the
message/external-body type attribute name/value pairs. Failure to check
that the length of the longest attribute is less than the space
available allows a maliciously formed e-mail message to overwrite
control structures. Careful modification of these values allows
arbitrary code execution. However, exploitation requires knowledge of
the targeted version of PINE.

A 20kb character array is declared as:

headers.h:
#define SIZEOF_20KBUF (20480)

pine.c:
char tmp_20k_buf[SIZEOF_20KBUF];

The tmp_20k_buf[] array is stored within the .bss section and
referenced with a character pointer 'd'.  The overflow occurs within
the following snippet of code from the display_parameters() routine in
mailview.c:

d = tmp_20k_buf;
if(parmlist = rfc2231_newparmlist(params)){
    while(rfc2231_list_params(parmlist) && d < tmp_20k_buf + 10000){
        sprintf(d, "%-*s: %s\n", longest, parmlist->attrib,
                parmlist->value ? strsquish(tmp_20k_buf + 11000,
                parmlist->value, 100)
                : "");
        d += strlen(d);
    }

Starting at 'd', each attribute name is written padded with spaces to
the width of the longest attribute name ('longest'), followed by ": "
and the (squished) value, and the resulting attribute name/value pairs
are later displayed. Example:

Access-Type: ftp
        URL: ftp://localhost/pub/interesting.ps

The only bound in the loop is the check d < tmp_20k_buf + 10000, and it
is evaluated before each sprintf() call rather than against the length
of the line about to be written. Supplying an attribute name longer
than the space remaining after 'd' (any name over 20kb in length
certainly qualifies) therefore makes sprintf() run past the end of
tmp_20k_buf[] into the adjacent .bss data, eventually allowing for
arbitrary code execution.


- --- Vulnerability 2: Integer Overflow ---

A remotely exploitable integer overflow (strictly, a missing lower-bound
check on a signed array index) exists in the parsing of e-mail headers,
allowing for arbitrary code execution upon the opening of a malicious
e-mail. The vulnerability exists within the rfc2231_get_param() routine
found in the strings.c file. An array of 64 character pointers, one slot
per section of a continued RFC 2231 parameter, is declared:

#define RFC2231_MAX 64
...
char *pieces[RFC2231_MAX];

and indexed by the signed integer variable 'n':

if(n < RFC2231_MAX){
    pieces[n] = parms->value;

The variable 'n' is attacker-controlled and is only checked against the
upper bound. A negative value satisfies the if statement yet references
an index below the start of the pieces[] array, so the assignment stores
the pointer parms->value (a pointer to attacker-controlled header data)
at an attacker-chosen offset outside the array on the stack. Arbitrary
code execution is possible by placing machine code in parms->value and
using this out-of-bounds pointer write to overwrite a stored instruction
pointer on the stack with the address of that code.
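The following is an added example, not PINE's code, showing the two places this class of bug is stopped: a section-number parser that only accepts unsigned digits (how PINE actually parsed the number after '*' is not shown in the advisory, so this parser is an assumption), and a store into pieces[] that checks both bounds of the signed index before writing. The predicate index_accepted_unchecked() reproduces the advisory's condition so the difference is visible; join_pieces() then reassembles the accepted sections as a consumer of pieces[] would.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <limits.h>

#define RFC2231_MAX 64   /* same limit as pine's strings.c */

/* Parses the section number of an RFC 2231 continued parameter name such
 * as "filename*0*" or "filename*12". Returns the number, or -1 if the
 * name carries no section or the digits are not a plain unsigned run.
 * A leading '-' or '+' is a malformed header, not a negative section. */
long rfc2231_section(const char *attrib)
{
    const char *star = strchr(attrib, '*');
    if (!star) return -1;
    const char *p = star + 1;
    if (*p < '0' || *p > '9') return -1;
    char *end;
    errno = 0;
    long n = strtol(p, &end, 10);
    if (errno == ERANGE || n > INT_MAX) return -1;
    if (*end == '*') end++;          /* optional trailing '*': charset-encoded piece */
    if (*end != '\0') return -1;
    return n;
}

/* The advisory's check, reproduced as a predicate: any negative n passes. */
int index_accepted_unchecked(long n)
{
    return n < RFC2231_MAX;          /* BUG: no lower bound */
}

/* Fixed store: both bounds are checked before the pointer is written.
 * Returns 1 if the piece was stored, 0 if the index was rejected. */
int store_piece(const char *pieces[], long n, const char *value)
{
    if (n < 0 || n >= RFC2231_MAX) return 0;
    pieces[n] = value;
    return 1;
}

/* Joins stored sections in order into out[outsz], stopping at the first
 * missing section and never writing past outsz. Returns sections joined. */
size_t join_pieces(const char *pieces[], char *out, size_t outsz)
{
    size_t used = 0, joined = 0;
    if (outsz == 0) return 0;
    out[0] = '\0';
    for (int i = 0; i < RFC2231_MAX && pieces[i]; i++) {
        size_t l = strlen(pieces[i]);
        if (used + l >= outsz) break;
        memcpy(out + used, pieces[i], l);
        used += l;
        out[used] = '\0';
        joined++;
    }
    return joined;
}

int main(void)
{
    /* Constructed header parameters: two legitimate sections and one hostile. */
    const char *names[]  = { "filename*0*", "filename*1", "filename*-5" };
    const char *values[] = { "inter", "esting.ps", "\x90\x90" };
    const char *pieces[RFC2231_MAX] = { 0 };

    for (int i = 0; i < 3; i++) {
        long n = rfc2231_section(names[i]);
        printf("%-12s section=%ld unchecked_accepts=%d stored=%d\n", names[i], n,
               index_accepted_unchecked(n), store_piece(pieces, n, values[i]));
    }
    char out[128];
    size_t joined = join_pieces(pieces, out, sizeof out);
    printf("joined %zu sections: %s\n", joined, out);
    return 0;
}
```

Note that the hardened parser already refuses "filename*-5"; the bounds check in store_piece() is kept regardless, because the index may arrive from other code paths and the cost of checking both ends of a signed index is nil.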

III. ANALYSIS

If an attacker socially engineers a PINE user into opening a malformed
e-mail message, arbitrary code embedded in that message runs with the
privileges of the user running PINE. It would be trivial to fashion
such an exploit into a worm that targets e-mail addresses found in any
readable text files (inbox, etc.).

IV. DETECTION

PINE 4.56 and earlier are vulnerable.

V. VENDOR FIX

PINE 4.58, which fixes both of these issues, is available at
http://www.washington.edu/pine/getpine/ .

VI. CVE INFORMATION

The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project
has assigned the following identification numbers to these issues:

CAN-2003-0720: Vulnerability 1 - PINE buffer overflow in its handling
of the 'message/external-body' type.
CAN-2003-0721: Vulnerability 2 - PINE integer overflow in MIME header
parsing.

VII. DISCLOSURE TIMELINE

15 AUG 2003      Issues acquired by iDEFENSE
25 AUG 2003      Issues disclosed to pine@....washington.edu
25 AUG 2003      Response from Mark Crispin, University of Washington
26 AUG 2003      Issues disclosed to iDEFENSE clients
04 SEP 2003      Issues disclosed to Linux vendors: vendor-sec@....de
10 SEP 2003      Coordinated Public Disclosure

VIII. CREDIT

zen-parse (zen-parse@....net) discovered these vulnerabilities.


Get paid for security research
http://www.idefense.com/contributor.html

Subscribe to iDEFENSE Advisories:
send email to listserv@...fense.com, subject line: "subscribe"


About iDEFENSE:

iDEFENSE is a global security intelligence company that proactively
monitors sources throughout the world - from technical
vulnerabilities and hacker profiling to the global spread of viruses
and other malicious code. Our security intelligence services provide
decision-makers, frontline security professionals and network
administrators with timely access to actionable intelligence
and decision support on cyber-related threats. For more information,
visit http://www.idefense.com .

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.2

iQA/AwUBP19IUfrkky7kqW5PEQJ3awCfY/2ScdjVnZAj9KDzj6QIt8MTkVsAoOWV
4DzDuqzJICAPOFj5DDcq4gZo
=C8eA
-----END PGP SIGNATURE-----
