SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (E-mail Server)  >   Fetchmail Vendors:   Raymond, Eric S.
Fetchmail Buffer Overflow in Processing Addresses Lets Remote Users Execute Arbitrary Code on the System
SecurityTracker Alert ID:  1005807
SecurityTracker URL:  http://securitytracker.com/id/1005807
CVE Reference:   CVE-2002-1365   (Links to External Site)
Updated:  Oct 21 2003
Original Entry Date:  Dec 13 2002
Impact:   Denial of service via network, Execution of arbitrary code via network, Root access via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 6.1.3 and prior versions
Description:   A buffer overflow vulnerability was reported in Fetchmail. A remote user could execute arbitrary code on the system.

e-matters reported that a remote user can send an e-mail containing a specially crafted header to trigger a heap overflow in Fetchmail. This may cause the fetchmail service to crash, or could cause arbitrary code to be executed on the system.

The flaw is reportedly due to an incorrect buffer size calculation. According to the report, fetchmail allocates a buffer to contain addresses in an e-mail header. The local addresses in the header are then appended with an '@' character and the mail server hostname and stored in the buffer. The calculation reportedly fails to consider the '@' character in calculating the necessary buffer size. Fetchmail also reportedly processes too many addresses. The result is a potential heap overflow.

Impact:   A remote user can execute arbitrary code on the target system. This can occur when the target system's fetchmail process downloads a malicious e-mail message. The code will run with the privileges of the fetchmail process.
Solution:   The vendor has released a fixed version (6.2.0), available at:

http://www.tuxedo.org/~esr/fetchmail/

Vendor URL:  www.tuxedo.org/~esr/fetchmail/ (Links to External Site)
Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Debian Issues Fix) Fetchmail Buffer Overflow in Processing Addresses Lets Remote Users Execute Arbitrary Code on the System
Debian has released a fix.
Oct 21 2003 (Immunix Issues Fix) Fetchmail Buffer Overflow in Processing Addresses Lets Remote Users Execute Arbitrary Code on the System
Immunix has released a fix.



 Source Message Contents

Subject:  [VulnWatch] Advisory 05/2002: Another Fetchmail Remote Vulnerability


                           e-matters GmbH
                          www.e-matters.de

                      -= Security  Advisory =-



     Advisory: Fetchmail remote vulnerability
 Release Date: 2002/12/13
Last Modified: 2002/12/13
       Author: Stefan Esser [s.esser@e-matters.de]

  Application: Fetchmail <= 6.1.3
     Severity: A vulnerability within Fetchmail could allow
               remote compromise.
         Risk: Critical
Vendor Status: Vendor released version 6.2.0
    Reference: http://security.e-matters.de/advisories/052002.html


Overview:
	
   In the light of recent discoveries we reaudited Fetchmail and found
   another bufferoverflow within the default configuration. This heap
   overflow can be used by remote attackers to crash it or to execute 
   arbitrary code with the privileges of the user running fetchmail. 
   Depending on the configuration this allows a remote root compromise.
 
	
Details:

   When Fetchmail retrieves a mail it performs the so called reply-hack.
   This basicly means that all headers that contain addresses are searched
   for local addresses (without @domain part). When such an address is
   found, Fetchmail appends an @ and the hostname of the mailserver to it.
   To avoid unnecessary reallocating of the output buffer during this
   process Fetchmail counts the number of addresses within the headerline
   first. Then it reserves enough space for the case that all addresses
   are locals. Unfourtunately this calculation is wrong because it counts
   a) to many addresses and b) only takes the hostname in count and not 
   the extra @ which is also appended. This means at the moment where you
   have enough (due to a) local addresses within the headerline every 
   additional address will overflow the buffer by one byte. This results
   in an arbitrary size heap overflow, which was proved to be exploitable
   on our Linux boxes. Due to the fact that this heapoverflow occurs in 
   malloc()ed areas we believe that BSD systems can only be crashed with
   this bug. 
    
   Finally it is important to mention that an attacker does not need
   to spoof dns records, or control the mailserver to exploit this bug.
   It is usually enough to send a mail to the victim that contains 
   specially crafted header lines.
   

Proof of Concept:

   e-matters is not going to release an exploit for this vulnerability to
   the public.
   

Vendor Response:

   08. December 2002  - A patch that fixes this vulnerability was mailed
                        to the vendor.

   13. December 2002  - Vendor released Fetchmail v6.2.0 which fixes 
                        this vulnerability.
                        

Recommendation:

   If you are running Fetchmail we suggest to upgrade to a new or patched 
   version as soon as possible.
   
   
GPG-Key:

   http://security.e-matters.de/gpg_key.asc
    
   pub  1024D/75E7AAD6 2002-02-26 e-matters GmbH - Securityteam
   Key fingerprint = 43DD 843C FAB9 832A E5AB  CAEB 81F2 8110 75E7 AAD6


Copyright 2002 Stefan Esser. All rights reserved.





 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC