Gaucho Buffer Overflow in Processing Mail Headers Via POP3 Lets Remote Servers Execute Arbitrary Code

SecurityTracker Alert ID: 1011032
SecurityTracker URL: http://securitytracker.com/id/1011032

CVE Reference: GENERIC-MAP-NOMATCH

Date: Aug 23 2004

Impact: Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information

Fix Available: Yes
Vendor Confirmed: Yes
Exploit Included: Yes

Version(s): 1.4 Build 145

Description:
Tan Chew Keong of SIG^2 reported a vulnerability in the Gaucho e-mail client. A remote POP3 server can execute arbitrary code on a connected client.
It is reported that a POP3 server can return a message whose Content-Type header carries an abnormally long value (roughly 280 bytes in the demonstration) to a connected Gaucho client. Gaucho copies the value into a fixed-size buffer without checking its length; the overflow overwrites the Structured Exception Handler record on the stack, so EIP is attacker-controlled once an exception is raised, and arbitrary code then runs with the privileges of the Gaucho user. Because the trigger is a header inside the retrieved message, a malicious or compromised POP3 server is the simplest delivery path but not the only one: any message carrying such a header that reaches the user's mailbox is parsed the same way.
A demonstration exploit header is provided:
Date: Mon, 09 Aug 2004 19:44:13 +0800
Subject: Testing
To: a@aaaaaa.xxx
From: XX <xx@xxxxxxxx.xxx.xx>
Message-ID: <GM109205179359A000.b76.xx@xxxxxxxx.xxx.xx>
MIME-Version: 1.0
Content-Type: AAAAAAAAAAAAA[approx. 280 chars]...; charset=US-ASCII
Content-Transfer-Encoding: 7bit
X-Mailer: Gaucho Version 1.4.0 Build 145
A demonstration exploit is available at:
http://www.security.org.sg/vuln/gaucho140poc.cpp
The vendor was reportedly notified on August 10, 2004.
The original advisory is available at:
http://www.security.org.sg/vuln/gaucho140.html
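To make the bug class and its fix concrete, the C program below is an added example, not Gaucho's code and not the SIG^2 proof of concept (whose bytes the advisory does not reproduce). content_type_unsafe() copies the Content-Type value to end-of-line into a fixed-size stack buffer with no length check, the pattern that an abnormally long value turns into a stack overwrite; content_type_safe() unfolds the header, measures the full value first and rejects anything that will not fit. CT_MAX, the header samples and the 280-byte stand-in trigger are constructed assumptions for the demonstration; the advisory gives neither Gaucho's real buffer size nor the exact trigger.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Assumed size for illustration only; the advisory gives no real figure, just
 * that a ~280-byte Content-Type value is enough to reach the SEH record. */
#define CT_MAX 128

/* Constructed headers shaped like the advisory's sample, with Content-Type
 * folded over two lines (a continuation line starts with whitespace). */
static const char SAMPLE_HEADERS[] =
    "Subject: Testing\r\nMIME-Version: 1.0\r\n"
    "Content-Type: text/plain;\r\n charset=US-ASCII\r\n"
    "Content-Transfer-Encoding: 7bit\r\n\r\n";

/* Case-insensitive "Name:" at a line start; returns the value or NULL. */
static const char *find_header(const char *hdrs, const char *name)
{
    size_t nlen = strlen(name); const char *line = hdrs;
    while (*line && *line != '\r' && *line != '\n') {       /* blank line ends headers */
        if (strncasecmp(line, name, nlen) == 0 && line[nlen] == ':') {
            for (line += nlen + 1; *line == ' ' || *line == '\t'; line++) ;
            return line;
        }
        line += strcspn(line, "\n");
        if (*line == '\n') line++;
    }
    return NULL;
}

/* Unfold the value into out (truncated to outlen-1) but return the FULL
 * unfolded length, so a caller can refuse oversize values; -1 if absent. */
static long unfolded_header_value(const char *hdrs, const char *name,
                                  char *out, size_t outlen)
{
    const char *p = find_header(hdrs, name); size_t total = 0;
    if (!p) return -1;
    if (outlen) out[0] = '\0';
    do {
        size_t seg = strcspn(p, "\r\n");
        if (outlen && total < outlen - 1) {
            size_t take = seg < outlen - 1 - total ? seg : outlen - 1 - total;
            memcpy(out + total, p, take);
            out[total + take] = '\0';
        }
        total += seg;
        p += seg; p += (*p == '\r'); p += (*p == '\n');      /* step over CRLF */
    } while (*p == ' ' || *p == '\t');                        /* folded continuation */
    return (long)total;
}

/* The bug class the advisory describes (illustration, not Gaucho's code): copy
 * to end-of-line into a fixed stack buffer with no length check. ~280 bytes
 * overrun buf, the frame and, on x86 Windows, the SEH record the advisory
 * says ends up in EIP. Never call this on untrusted input. */
static int content_type_unsafe(const char *hdrs, char *out)
{
    char buf[CT_MAX];
    const char *v = find_header(hdrs, "Content-Type");
    if (!v) return -1;
    size_t n = strcspn(v, "\r\n");
    memcpy(buf, v, n); buf[n] = '\0';     /* BUG: n is never compared with sizeof buf */
    strcpy(out, buf);                     /* BUG: the caller's buffer is unbounded too */
    return 0;
}

/* Hardened form: unfold, measure the whole value first, reject (do not
 * truncate) what will not fit, then one bounded copy. 0 ok, -1 absent, -2 too long. */
static int content_type_safe(const char *hdrs, char *out, size_t outlen)
{
    char buf[CT_MAX];
    long n = unfolded_header_value(hdrs, "Content-Type", buf, sizeof buf);
    if (n < 0) return -1;
    if ((size_t)n >= sizeof buf || (size_t)n >= outlen) return -2;  /* trigger stops here */
    memcpy(out, buf, (size_t)n + 1);
    return 0;
}

/* Constructed stand-in for the trigger: 280 'A's, not the real PoC bytes. */
static const char *trigger_headers(void)
{
    static char hdrs[512];
    size_t n = (size_t)snprintf(hdrs, sizeof hdrs, "MIME-Version: 1.0\r\nContent-Type: ");
    memset(hdrs + n, 'A', 280);
    snprintf(hdrs + n + 280, sizeof hdrs - n - 280, "; charset=US-ASCII\r\n\r\n");
    return hdrs;
}

static int safe_status(const char *hdrs)             /* 0 / -1 / -2 as above */
{ char out[CT_MAX]; return content_type_safe(hdrs, out, sizeof out); }
static int sample_unfolded_ok(void)                  /* 1: folded value reassembled */
{ char out[CT_MAX]; return content_type_safe(SAMPLE_HEADERS, out, sizeof out) == 0
                         && strcmp(out, "text/plain; charset=US-ASCII") == 0; }
static int unsafe_keeps_first_line_only(void)        /* 1: naive copy lost the charset */
{ char out[CT_MAX]; return content_type_unsafe(SAMPLE_HEADERS, out) == 0
                         && strcmp(out, "text/plain;") == 0; }
static long trigger_value_length(void)               /* full unfolded trigger length */
{ char s[8]; return unfolded_header_value(trigger_headers(), "Content-Type", s, sizeof s); }

int main(void)
{
    printf("sample ok=%d  trigger len=%ld status=%d (rejected, never copied)\n",
           sample_unfolded_ok(), trigger_value_length(), safe_status(trigger_headers()));
    return 0;
}
```

Build with any C99 compiler on a POSIX system (strncasecmp comes from <strings.h>). On the constructed trigger the hardened parser returns -2 and copies nothing, while on the folded sample the naive copy returns only the first physical line, so line-at-a-time copying is wrong on well-formed mail as well as exploitable on hostile mail. Rejecting rather than truncating an oversized header is deliberate: a silently cut MIME type can hand the body to the wrong decoder.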

Impact:
A remote server can execute arbitrary code, with the privileges of the Gaucho user, on the target client when the client connects to the server and retrieves the crafted message.

Solution:
The vendor has issued a fixed version (1.4 Build 151), available at:
http://homepage1.nifty.com/nakedsoft/Gaucho/Gaucho14.html

Vendor URL: homepage1.nifty.com/nakedsoft/Gaucho/Gaucho.html

Cause: Input validation error (the length of the Content-Type header value is not checked before it is copied into a fixed-size buffer)

Underlying OS: Windows (Any)

Message History:
None.

Source Message Contents

Subject: Gaucho 1.4 Email Client Buffer Overflow Vulnerability

SIG^2 Vulnerability Research Advisory
Gaucho 1.4 Email Client has Buffer Overflow Vulnerability when Receiving
Email Headers with Abnormally Long Content-Type Field
by Tan Chew Keong
Release Date: 23 Aug 2004
ADVISORY URL
http://www.security.org.sg/vuln/gaucho140.html
SUMMARY
Gaucho (http://homepage1.nifty.com/nakedsoft/) is an Email client
developed by NakedSoft for Microsoft Windows platforms. Gaucho supports
SMTP, POP3 and other email delivery protocols. Gaucho version 1.4 Build
145 is vulnerable to a buffer overflow when receiving malformed emails
from a POP3 server. This vulnerability is triggered if Gaucho receives
from the POP3 server a specially crafted email that has an abnormally
long string in the Content-Type field of the email header. This string
will overwrite EIP via SEH, and can be exploited to execute arbitrary code.
TESTED SYSTEM
Gaucho 1.4 Build 145 on English Win2K SP4
DETAILS
Gaucho version 1.4 Build 145 is vulnerable to a buffer overflow that is
triggered if Gaucho receives from the POP3 server a specially crafted
email that has an abnormally long string in the Content-Type field of
the email header. This string will overwrite EIP via SEH, and can be
exploited to execute arbitrary code. A sample email that will trigger
the overflow is shown below.
Date: Mon, 09 Aug 2004 19:44:13 +0800
Subject: Testing
To: a@aaaaaa.xxx
From: XX <xx@xxxxxxxx.xxx.xx>
Message-ID: <GM109205179359A000.b76.xx@xxxxxxxx.xxx.xx>
MIME-Version: 1.0
Content-Type: AAAAAAAAAAAAA[approx. 280 chars]...; charset=US-ASCII
Content-Transfer-Encoding: 7bit
X-Mailer: Gaucho Version 1.4.0 Build 145
PATCH
The author has fixed the vulnerability in Version 1.4 Build 151. Users are
advised to upgrade to the fixed version. The patched build can be
downloaded from the following link.
http://homepage1.nifty.com/nakedsoft/Gaucho/Gaucho14.html
PROOF-OF-CONCEPT
Proof-of-concept code to validate this vulnerability can be downloaded
from this URL
http://www.security.org.sg/vuln/gaucho140poc.cpp
DISCLOSURE TIMELINE
09 Aug 04 - Vulnerability Discovered
10 Aug 04 - Initial Vendor Notification (no reply)
12 Aug 04 - Second Vendor Notification
14 Aug 04 - Author replied with fixed version
23 Aug 04 - Public Release
GREETINGS
All guys at SIG^2 G-TEC Lab
http://www.security.org.sg/webdocs/g-tec.html
"IT Security...the Gathering. By enthusiasts for enthusiasts."