Elm Buffer Overflow in SMTP 'Expires' Header Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID: 1014745|
SecurityTracker URL: http://securitytracker.com/id/1014745
(Links to External Site)
Updated: Jun 8 2008|
Original Entry Date: Aug 20 2005
Execution of arbitrary code via network, User access via network|
Fix Available: Yes Vendor Confirmed: Yes Exploit Included: Yes |
Version(s): 2.5 PL5, 2.5 PL6, and 2.5 PL7; possibly others|
A vulnerability was reported in Elm. A remote user can cause arbitrary code to be executed on the target user's system.|
The software does not properly parse SMTP Expires header lines. A remote user can send e-mail with a specially crafted Expires header value. Then, when the target user loads Elm or views the inbox, a buffer overflow will be triggered and arbitrary code may be executed. The code will run with the privileges of the target user.
Ulf Harnhammar reported this vulnerability.
A remote user can cause arbitrary code to be executed on the target user's system with the privileges of the target user.|
Elm 2.5 PL8 (available at ftp://ftp.virginia.edu/pub/elm/) is not vulnerable.|
|Underlying OS: Linux (Any), UNIX (Any)|
This archive entry has one or more follow-up message(s) listed below.|
Source Message Contents
Subject: [Full-disclosure] [RETRO AUDITING] Elm remote buffer overflow in|
Content-Type: text/plain; charset=us-ascii
Elm ( http://www.instinct.org/elm/ ) is a console-based e-mail
application. It suffers from a remotely exploitable buffer overflow
when parsing the Expires header of an e-mail message.
The attacker only needs to send the victim an e-mail message. When
the victim with that message in his or her inbox starts Elm or
simply views the inbox in an already started copy of Elm, the buffer
overflow will happen immediately. The overflow is stack-based,
and it gives full control over EIP, EBP and EBX. It is caused by a
bad sscanf(3) call, using a format string containing "%s" to copy
from a long char array to a shorter array.
This vulnerability affects at least the versions 2.5 PL7,
2.5 PL6, 2.5 PL5 and possibly others as well. It does not
affect Elm ME+ or the newly released Elm 2.5 PL8, available at
I have attached a patch (against Elm 2.5 PL7) and a test message
that exhibits this problem.
// Ulf Harnhammar
Content-Disposition: attachment; filename="elm-data.tar.gz"
Content-Type: text/plain; charset="us-ascii"
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/