SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (E-mail Client)  >   Elm Vendors:   [Multiple Authors/Vendors]
Elm Buffer Overflow in SMTP 'Expires' Header Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1014745
SecurityTracker URL:  http://securitytracker.com/id/1014745
CVE Reference:   CVE-2005-2665   (Links to External Site)
Updated:  Jun 8 2008
Original Entry Date:  Aug 20 2005
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 2.5 PL5, 2.5 PL6, and 2.5 PL7; possibly others
Description:   A vulnerability was reported in Elm. A remote user can cause arbitrary code to be executed on the target user's system.

The software does not properly parse SMTP Expires header lines. A remote user can send e-mail with a specially crafted Expires header value. Then, when the target user loads Elm or views the inbox, a buffer overflow will be triggered and arbitrary code may be executed. The code will run with the privileges of the target user.

Ulf Harnhammar reported this vulnerability.

Impact:   A remote user can cause arbitrary code to be executed on the target user's system with the privileges of the target user.
Solution:   Elm 2.5 PL8 (available at ftp://ftp.virginia.edu/pub/elm/) is not vulnerable.
Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Aug 24 2005 (Red Hat Issues Fix) Elm Buffer Overflow in SMTP 'Expires' Header Lets Remote Users Execute Arbitrary Code
Red Hat has released a fix.



 Source Message Contents

Subject:  [Full-disclosure] [RETRO AUDITING] Elm remote buffer overflow in


--wac7ysb48OaltWcw
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

Elm ( http://www.instinct.org/elm/ ) is a console-based e-mail
application. It suffers from a remotely exploitable buffer overflow
when parsing the Expires header of an e-mail message.

The attacker only needs to send the victim an e-mail message. When
the victim with that message in his or her inbox starts Elm or
simply views the inbox in an already started copy of Elm, the buffer
overflow will happen immediately. The overflow is stack-based,
and it gives full control over EIP, EBP and EBX. It is caused by a
bad sscanf(3) call, using a format string containing "%s" to copy
from a long char array to a shorter array.

This vulnerability affects at least the versions 2.5 PL7,
2.5 PL6, 2.5 PL5 and possibly others as well. It does not
affect Elm ME+ or the newly released Elm 2.5 PL8, available at
ftp://ftp.virginia.edu/pub/elm/ .

I have attached a patch (against Elm 2.5 PL7) and a test message
that exhibits this problem.

// Ulf Harnhammar


--wac7ysb48OaltWcw
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="elm-data.tar.gz"
Content-Transfer-Encoding: base64

H4sICKi4A0MAA2VsbS1kYXRhLnRhcgDtlW1r2zAQx/PW/hRHRyFNbFeW7bhxNlYYGQzGOpaV
DUoJri03HnYUJHld2Zef/JCSjHR5sbZj2/0I0l0kS6f7W2dWlHYaq/i493gQTRgEde+GAdns
1/Rc4ulJnk89r0dczwvcHgSPGNMdlVSxAOiVTMWVuH/evvH1Qdb9XwJb668Nh31b5YJJ/pWJ
rOA3zipWyeL396jzMfL9+/R3/SDc1p8Sn5IePEkS/3P9bdsGKZLjTnoncXiRGu54HNhkbNMx
uCeRTyMSOnd3FYbEJcQcDofbTxqUEP3Uie2GQGkUhBGljjfyxx4lIdVP6XHz9BRs37dCGDat
dvOlAhiUTMr4ms21GqqSExO+m2BIJapEgSphoHI9o3H1mFF7cz2wYLU1MW0jWWgVb7hI3YtP
b6fvLq3GoZuOt+n4m07QOhNz+CDrWJBxUV5V2cXIv6zDbY5Y8qVawAsgFqTxbWvcMr1bYy14
1VllvqwUa+1csbJOxrM8W6YsM+bvz2ZvPs9nZ+cfXk23E1TwJC7qbPSPJk2WR+M6y7o9+UWW
DdBIDrmskwlZLqTSLSvSxm9j5qJxdNQvAWYqXqaxSGEl+JWjVxgMjk3QCjSx6rClTOJl1tdF
hVlwcChh43dg6RTLldDRZP0uSfWkw8NUD+9uDyyos2q7+/qjWr+dUax30tE2B9Y0EnfidrJ2
gnZS6tWgli6DfrvmcwiOzD99XR+crfp/V/hLef2Ae+yp/8SjwU/f/1FAsP4/Ca8FLyNoD3fa
1JAFl8r8yHf8OauuvrBERTAtStD3KWMC1q+MOW0/AxGcPwFAwQMfAtPcFcq/d0sRBEEQBEEQ
BEEQBEEQBEEQBEEQBEH28wO8FfFfACgAAA==

--wac7ysb48OaltWcw
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
--wac7ysb48OaltWcw--

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC