SecurityTracker.com
Category:   Application (E-mail Client)  >   Pine
Vendors:   University of Washington
Pine E-mail Client Buffer Overflows in Parsing Message Attributes Permit Remote Code Execution
SecurityTracker Alert ID:  1007672
SecurityTracker URL:  http://securitytracker.com/id/1007672
CVE Reference:   CAN-2003-0720, CAN-2003-0721
Updated:  Dec 1 2003
Original Entry Date:  Sep 10 2003
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 4.56 and prior versions
Description:   Two vulnerabilities were reported in the Pine e-mail client. A remote user can send e-mail that, when opened by the target user, will cause arbitrary code to be executed on the target user's system.

iDEFENSE reported that one of the vulnerabilities resides in the parsing of message/external-body attribute name/value pairs in the display_parameters() function in 'mailview.c'. Each pair is formatted with sprintf() into the global 20 KB buffer tmp_20k_buf (SIZEOF_20KBUF = 20480 bytes), and the loop's bounds check only limits where a formatted line may start, not how long it may be. A remote user can therefore supply an attribute name longer than the buffer itself and overwrite the data that follows it.

The report also indicated that a separate flaw, classified as an integer overflow, exists in the parsing of RFC 2231 header parameters in the rfc2231_get_param() function in 'strings.c'. The continuation section number is read into a signed integer 'n' and checked only against an upper bound (n < RFC2231_MAX), so a remote user can supply a negative section number that passes the check and stores a pointer to attacker-controlled data outside the 64-entry pieces[] array of character pointers on the stack, leading to execution of arbitrary user-supplied code.

Impact:   A remote user can send a specially crafted e-mail message that, when loaded by the target user, will execute arbitrary code on the target user's system. The code will run with the privileges of the target user.
Solution:   The vendor has released a fixed version (4.58), available at:

http://www.washington.edu/pine/getpine/

Vendor URL:  www.washington.edu/pine/
Cause:   Boundary error
Underlying OS:   Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Sep 11 2003 (Red Hat Issues Fix) Pine E-mail Client Buffer Overflows in Parsing Message Attributes Permit Remote Code Execution   (bugzilla@redhat.com)
Red Hat has released a fix.
Sep 11 2003 (Slackware Issues Fix) Pine E-mail Client Buffer Overflows in Parsing Message Attributes Permit Remote Code Execution   (Slackware Security Team <security@slackware.com>)
Slackware has released a fix.
Sep 11 2003 (SuSE Issues Fix) Pine E-mail Client Buffer Overflows in Parsing Message Attributes Permit Remote Code Execution   (Thomas Biege <thomas@suse.de>)
SuSE has released a fix.
Sep 12 2003 (EnGarde Issues Fix) Pine E-mail Client Buffer Overflows in Parsing Message Attributes Permit Remote Code Execution   (engarde-announce-admins@guardiandigital.com)
EnGarde has released a fix.
Sep 14 2003 (Conectiva Issues Fix) Pine E-mail Client Buffer Overflows in Parsing Message Attributes Permit Remote Code Execution   (Conectiva Updates <secure@conectiva.com.br>)
Conectiva has released a fix.



 Source Message Contents

Date:  Wed, 10 Sep 2003 16:03:04 -0400
Subject:  iDEFENSE Security Advisory 09.10.03: Two Exploitable Overflows in PINE



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

iDEFENSE Security Advisory 09.10.03:
http://www.idefense.com/advisory/09.10.03.txt
Two Exploitable Overflows in PINE
September 10, 2003

I. BACKGROUND

PINE (The Program for Internet News & Email) is a popular e-mail client
shipped with many Linux and Unix distributions. It was developed at the
University of Washington; more information is available at
http://www.washington.edu/pine/ .

II. DESCRIPTION

PINE contains two exploitable vulnerabilities that can be triggered
when a victim opens a specially crafted email sent by an attacker.

--- Vulnerability 1: Buffer Overflow ---

A remotely exploitable buffer overflow exists within the parsing of the
message/external-body type attribute name/value pairs. Failure to check
that the length of the longest attribute is less than the space
available allows a maliciously formed e-mail message to overwrite
control structures. Careful modification of these values allows
arbitrary code execution. However, exploitation requires knowledge of
the targeted version of PINE.

A 20 KB character array is declared as:

headers.h:
#define SIZEOF_20KBUF (20480)

pine.c:
char tmp_20k_buf[SIZEOF_20KBUF];

The tmp_20k_buf[] array is stored within the .bss section and
referenced with a character pointer 'd'.  The overflow occurs within
the following snippet of code from the display_parameters() routine in
mailview.c:

d = tmp_20k_buf;
if(parmlist = rfc2231_newparmlist(params)){
    while(rfc2231_list_params(parmlist) && d < tmp_20k_buf + 10000){
        sprintf(d, "%-*s: %s\n", longest, parmlist->attrib,
                parmlist->value ? strsquish(tmp_20k_buf + 11000,
                parmlist->value, 100)
                : "");
        d += strlen(d);
    }

Starting at 'd', each attribute name is padded with spaces to the width
of the 'longest' attribute name, and the attribute name/value pairs are
then displayed, for example:

Access-Type: ftp
        URL: ftp://localhost/pub/interesting.ps

Supplying any attribute name that is over 20 KB in length will overflow
the buffer: the guard 'd < tmp_20k_buf + 10000' is evaluated only before
each sprintf(), so it limits where a line starts, not how long it is, and
the first oversized line runs past the end of tmp_20k_buf into whatever
.bss data follows it, eventually allowing for arbitrary code execution.
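As an added illustration (this is not Pine's code and not part of the
iDEFENSE advisory), the C below replays the loop quoted above against a
constructed parameter list and sets a bounded formatter beside it. Each
line is measured with snprintf(NULL, 0, ...) instead of being written, so
the overrun is reported without corrupting memory. The parm struct, the
way 'longest' is derived, the 40-column padding cap and the truncating
stand-in for strsquish() are all assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

#define SIZEOF_20KBUF 20480   /* Pine's tmp_20k_buf size (headers.h) */
#define VALUE_WIDTH   100     /* width strsquish() is called with above */
#define D_GUARD       10000   /* the loop's 'd < tmp_20k_buf + 10000' */

struct parm {
    const char  *attrib;
    const char  *value;
    struct parm *next;
};

/* Width of the longest attribute name; assumed to be how Pine derives
 * the 'longest' used for "%-*s" padding. */
static int longest_attrib(const struct parm *p)
{
    size_t longest = 0;
    for (; p; p = p->next)
        if (strlen(p->attrib) > longest)
            longest = strlen(p->attrib);
    return (int)longest;
}

/* Replays the loop's bookkeeping without writing into any buffer:
 * snprintf(NULL, 0, ...) only measures what sprintf() would emit.
 * Returns 0 if every line fits, else the number of bytes by which the
 * first oversized line would run past the end of tmp_20k_buf. */
static size_t vuln_overrun(const struct parm *p)
{
    size_t d = 0;                        /* offset of 'd' within tmp_20k_buf */
    int longest = longest_attrib(p);

    for (; p && d < D_GUARD; p = p->next) {
        char squished[VALUE_WIDTH + 1];  /* truncating stand-in for strsquish() */
        snprintf(squished, sizeof squished, "%s", p->value ? p->value : "");
        int n = snprintf(NULL, 0, "%-*s: %s\n", longest, p->attrib, squished);
        size_t need = d + (size_t)n + 1; /* +1 for sprintf's terminating NUL */
        if (need > SIZEOF_20KBUF)
            return need - SIZEOF_20KBUF;
        d += (size_t)n;
    }
    return 0;
}

/* Bounded rewrite: every write is limited to the space remaining and the
 * padding width is capped, so no parameter can push output past 'outsz'.
 * Returns 0 on success, -1 (with 'out' still NUL-terminated) on truncation. */
static int display_parameters_safe(char *out, size_t outsz, const struct parm *p)
{
    size_t used = 0;
    int longest = longest_attrib(p);
    if (longest > 40)
        longest = 40;                    /* display-width cap: an assumption */
    out[0] = '\0';
    for (; p; p = p->next) {
        char squished[VALUE_WIDTH + 1];
        snprintf(squished, sizeof squished, "%s", p->value ? p->value : "");
        int n = snprintf(out + used, outsz - used, "%-*s: %s\n",
                         longest, p->attrib, squished);
        if (n < 0 || (size_t)n >= outsz - used)
            return -1;                   /* would not fit: stop, do not overflow */
        used += (size_t)n;
    }
    return 0;
}

/* Constructed inputs (not taken from a real message). */
static char big_attrib[21001];           /* 21,000 'A's: just over 20 KB */

static const struct parm *constructed_benign(void)
{
    static struct parm url    = { "URL", "ftp://localhost/pub/interesting.ps", NULL };
    static struct parm access = { "Access-Type", "ftp", &url };
    return &access;
}

static const struct parm *constructed_malicious(void)
{
    static struct parm url    = { NULL, "ftp://localhost/pub/interesting.ps", NULL };
    static struct parm access = { "Access-Type", "ftp", &url };
    memset(big_attrib, 'A', sizeof big_attrib - 1);
    big_attrib[sizeof big_attrib - 1] = '\0';
    url.attrib = big_attrib;             /* attacker-chosen attribute name */
    return &access;
}

int main(void)
{
    char out[SIZEOF_20KBUF];
    printf("benign list overrun: %zu bytes\n", vuln_overrun(constructed_benign()));
    printf("21 KB attribute overrun: %zu bytes\n", vuln_overrun(constructed_malicious()));
    printf("bounded formatter on the same input: %d\n",
           display_parameters_safe(out, sizeof out, constructed_malicious()));
    return 0;
}
```

With the 21,000-byte attribute every line is padded to that width, so the
very first sprintf() would already write 21,007 bytes into a 20,480-byte
buffer; the guard at 10,000 never gets a chance to stop it. The bounded
version refuses the line instead and leaves 'out' terminated.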


--- Vulnerability 2: Integer Overflow ---

A remotely exploitable integer overflow exists in the parsing of e-mail
headers, allowing for arbitrary code execution upon the opening of a
malicious e-mail. The vulnerability exists within the
rfc2231_get_param() routine found in the strings.c file. An array of 64
character pointers is declared:

#define RFC2231_MAX 64
...
char *pieces[RFC2231_MAX];

and indexed by the signed integer variable 'n':

if(n < RFC2231_MAX){
    pieces[n] = parms->value;

The variable 'n' is attacker-controlled (it is the RFC 2231 continuation
section number that follows the '*' in a parameter name such as name*0,
name*1) and can be set to a negative value that satisfies the if
statement yet references an out-of-bounds index within the pieces[]
array. Arbitrary code execution is possible by storing machine code
within the parms->value data and using the out-of-bounds pointer store,
which lands outside the 64-entry pointer array, to overwrite the stored
instruction pointer on the stack.
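As an added example, not code from Pine or from the advisory: a small
RFC 2231 continuation parser in C that extracts the section number after
the '*' in a parameter name, places the 4.56 check beside the corrected
one, and reassembles the sections using the corrected check. The parm
struct, the function names and the constructed parameter lists are
assumptions of this example.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define RFC2231_MAX 64          /* as in Pine's strings.c */

struct parm {
    const char  *attribute;     /* e.g. "title*0", "title*1*" (assumed layout) */
    const char  *value;
    struct parm *next;
};

/* Parse the continuation section number of an RFC 2231 parameter name:
 * "<name>*<n>" or "<name>*<n>*" (the trailing '*' marks an encoded
 * section).  Returns 1 and stores n when 'attribute' continues 'name',
 * else 0.  The number is read with strtol, so a sign is accepted just as
 * the signed 'n' in the advisory's snippet accepts one. */
static int section_number(const char *attribute, const char *name, long *n)
{
    size_t len = strlen(name);
    const char *digits, *end_check;
    char *end;
    long v;

    if (strncmp(attribute, name, len) != 0 || attribute[len] != '*')
        return 0;
    digits = attribute + len + 1;
    errno = 0;
    v = strtol(digits, &end, 10);
    if (end == digits || errno != 0)
        return 0;
    end_check = (*end == '*') ? end + 1 : end;
    if (*end_check != '\0')
        return 0;
    *n = v;
    return 1;
}

/* The 4.56 check, as quoted above: an upper bound only. */
static int index_ok_vuln(long n)  { return n < RFC2231_MAX; }

/* Corrected check: a section number must also be non-negative. */
static int index_ok_fixed(long n) { return n >= 0 && n < RFC2231_MAX; }

/* Reassemble parameter 'name' from its continuation sections into 'out'.
 * Returns the number of sections joined, or -1 when a section number is
 * rejected, a section is missing, or the result does not fit. */
static int rfc2231_join(const struct parm *p, const char *name,
                        char *out, size_t outsz)
{
    const char *pieces[RFC2231_MAX] = { 0 };
    int highest = -1, i;
    size_t used = 0;

    for (; p; p = p->next) {
        long n;
        if (!section_number(p->attribute, name, &n))
            continue;
        if (!index_ok_fixed(n))         /* 4.56 applied index_ok_vuln() here */
            return -1;
        pieces[n] = p->value;           /* in bounds: 0 <= n < RFC2231_MAX */
        if (n > highest)
            highest = (int)n;
    }
    out[0] = '\0';
    for (i = 0; i <= highest; i++) {
        size_t l;
        if (!pieces[i])
            return -1;                  /* gap in the sequence */
        l = strlen(pieces[i]);
        if (used + l + 1 > outsz)
            return -1;
        memcpy(out + used, pieces[i], l + 1);
        used += l;
    }
    return highest + 1;
}

/* Constructed parameter lists (not taken from a real message). */
static const struct parm *constructed_benign(void)
{
    static struct parm s1 = { "title*1", "pub/interesting.ps", NULL };
    static struct parm s0 = { "title*0", "ftp://localhost/", &s1 };
    return &s0;
}

static const struct parm *constructed_malicious(void)
{
    /* A negative section number: n = -1 satisfies 'n < RFC2231_MAX'. */
    static struct parm s = { "title*-1", "AAAA", NULL };
    return &s;
}

int main(void)
{
    char out[128];
    long n = 0;
    printf("joined %d sections: %s\n",
           rfc2231_join(constructed_benign(), "title", out, sizeof out), out);
    section_number("title*-1", "title", &n);
    printf("title*-1 -> n=%ld, 4.56 check %s, fixed check %s\n", n,
           index_ok_vuln(n) ? "accepts" : "rejects",
           index_ok_fixed(n) ? "accepts" : "rejects");
    printf("join of the malicious list: %d\n",
           rfc2231_join(constructed_malicious(), "title", out, sizeof out));
    return 0;
}
```

The one-sided comparison is the whole bug: with n = -1 the 4.56 check
passes and pieces[n] stores a pointer to attacker-controlled bytes below
the array on the stack, whereas the corrected check rejects the section
before any store happens.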

III. ANALYSIS

If an attacker were to socially engineer a PINE user into opening a
malformed e-mail message, arbitrary code embedded within can then run
with privileges of the currently logged on user. It would be trivial
for this exploit to be fashioned into a worm, targeting e-mail
addresses found in any readable text files (inbox, etc.).

IV. DETECTION

PINE 4.56 and earlier is vulnerable.

V. VENDOR FIX

PINE 4.58, which fixes both of these issues, is available at
http://www.washington.edu/pine/getpine/ .

VI. CVE INFORMATION

The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project
has assigned the following identification numbers to these issues:

CAN-2003-0720: Vulnerability 1 - PINE buffer overflow in its handling
of the 'message/external-body' type.
CAN-2003-0721: Vulnerability 2 - PINE integer overflow in MIME header
parsing.

VII. DISCLOSURE TIMELINE

15 AUG 2003      Issues acquired by iDEFENSE
25 AUG 2003      Issues disclosed to pine@cac.washington.edu
25 AUG 2003      Response from Mark Crispin, University of Washington
26 AUG 2003      Issues disclosed to iDEFENSE clients
04 SEP 2003      Issues disclosed to Linux vendors: vendor-sec@lst.de
10 SEP 2003      Coordinated Public Disclosure

VIII. CREDIT

zen-parse (zen-parse@gmx.net) discovered these vulnerabilities.


Get paid for security research
http://www.idefense.com/contributor.html

Subscribe to iDEFENSE Advisories:
send email to listserv@idefense.com, subject line: "subscribe"


About iDEFENSE:

iDEFENSE is a global security intelligence company that proactively
monitors sources throughout the world - from technical
vulnerabilities and hacker profiling to the global spread of viruses
and other malicious code. Our security intelligence services provide
decision-makers, frontline security professionals and network
administrators with timely access to actionable intelligence
and decision support on cyber-related threats. For more information,
visit http://www.idefense.com .

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.2

iQA/AwUBP19IUfrkky7kqW5PEQJ3awCfY/2ScdjVnZAj9KDzj6QIt8MTkVsAoOWV
4DzDuqzJICAPOFj5DDcq4gZo
=C8eA
-----END PGP SIGNATURE-----

Copyright 2013, SecurityGlobal.net LLC