From: "Dmitry V. Levin" <ldv@altlinux.org>
To: ALT Devel discussion list <devel@altlinux.ru>
Subject: [devel] [labs@idefense.com: iDEFENSE Security Advisory 09.10.03: Two Exploitable Overflows in PINE]
Date: Thu, 11 Sep 2003 00:41:02 +0400
Message-ID: <20030910204102.GA17561@basalt.office.altlinux.org> (raw)

[-- Attachment #1: Type: text/plain, Size: 5494 bytes --]

Since the maintainer of this package, as it turned out, was away and has not yet returned, and pine has almost no users left, anyone who wishes may fix the package themselves.

----- Forwarded message from iDEFENSE Labs <labs@idefense.com> -----

Date: Wed, 10 Sep 2003 16:03:04 -0400
From: "iDEFENSE Labs" <labs@idefense.com>
To: bugtraq@securityfocus.com
Subject: iDEFENSE Security Advisory 09.10.03: Two Exploitable Overflows in PINE

iDEFENSE Security Advisory 09.10.03:
http://www.idefense.com/advisory/09.10.03.txt
Two Exploitable Overflows in PINE
September 10, 2003

I. BACKGROUND

PINE (The Program for Internet News & Email) is a popular e-mail client shipped with many Linux and Unix distributions. It was developed at the University of Washington; more information is available at http://www.washington.edu/pine/ .

II. DESCRIPTION

PINE contains two exploitable vulnerabilities that can be triggered when a victim opens a specially crafted email sent by an attacker.

--- Vulnerability 1: Buffer Overflow ---

A remotely exploitable buffer overflow exists within the parsing of the message/external-body type attribute name/value pairs. Failure to check that the length of the longest attribute is less than the space available allows a maliciously formed e-mail message to overwrite control structures. Careful modification of these values allows arbitrary code execution. However, exploitation requires knowledge of the targeted version of PINE.
A 20kb character array is declared as:

    headers.h:
    #define SIZEOF_20KBUF (20480)

    pine.c:
    char tmp_20k_buf[SIZEOF_20KBUF];

The tmp_20k_buf[] array is stored within the .bss section and referenced with a character pointer 'd'. The overflow occurs within the following snippet of code from the display_parameters() routine in mailview.c:

    d = tmp_20k_buf;
    if(parmlist = rfc2231_newparmlist(params)){
        while(rfc2231_list_params(parmlist) && d < tmp_20k_buf + 10000){
            sprintf(d, "%-*s: %s\n", longest, parmlist->attrib,
                    parmlist->value
                      ? strsquish(tmp_20k_buf + 11000, parmlist->value, 100)
                      : "");
            d += strlen(d);
        }

Starting at 'd', the code adds spaces to the left of the string as padding to make the total length of the parameter attribute string equal to that of the 'longest', and later displays the attribute name/value pairs. Example:

    Access-Type: ftp
    URL: ftp://localhost/pub/interesting.ps

Supplying any attribute name that is over 20kb in length will overflow the buffer, eventually allowing for arbitrary code execution.

--- Vulnerability 2: Integer Overflow ---

A remotely exploitable integer overflow exists in the parsing of e-mail headers, allowing for arbitrary code execution upon the opening of a malicious e-mail. The vulnerability exists within the rfc2231_get_param() routine found in the strings.c file. A character array of size 64 is declared:

    #define RFC2231_MAX 64
    ...
    char *pieces[RFC2231_MAX];

and indexed by the signed integer variable 'n':

    if(n < RFC2231_MAX){
        pieces[n] = parms->value;

The variable 'n' is attacker-controlled and can be set to contain a negative value that satisfies the if statement yet references an out-of-bounds index within the pieces[] array. Arbitrary code execution is possible by storing assembly code within the parms->value structure and writing beyond the 64-byte character array, thereby overwriting the stored instruction pointer on the stack.

III. ANALYSIS

If an attacker were to socially engineer a PINE user into opening a malformed e-mail message, arbitrary code embedded within can then run with the privileges of the currently logged on user. It would be trivial for this exploit to be fashioned into a worm, targeting e-mail addresses found in any readable text files (inbox, etc.).

IV. DETECTION

PINE 4.56 and earlier are vulnerable.

V. VENDOR FIX

PINE 4.58, which fixes both of these issues, is available at http://www.washington.edu/pine/getpine/ .

VI. CVE INFORMATION

The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project has assigned the following identification numbers to these issues:

    CAN-2003-0720: Vulnerability 1 - PINE buffer overflow in its handling of the 'message/external-body' type.
    CAN-2003-0721: Vulnerability 2 - PINE integer overflow in MIME header parsing.

VII. DISCLOSURE TIMELINE

    15 AUG 2003  Issues acquired by iDEFENSE
    25 AUG 2003  Issues disclosed to pine@cac.washington.edu
    25 AUG 2003  Response from Mark Crispin, University of Washington
    26 AUG 2003  Issues disclosed to iDEFENSE clients
    04 SEP 2003  Issues disclosed to Linux vendors: vendor-sec@lst.de
    10 SEP 2003  Coordinated Public Disclosure

VIII. CREDIT

zen-parse (zen-parse@gmx.net) discovered these vulnerabilities.

Get paid for security research
http://www.idefense.com/contributor.html

Subscribe to iDEFENSE Advisories:
send email to listserv@idefense.com, subject line: "subscribe"

About iDEFENSE:

iDEFENSE is a global security intelligence company that proactively monitors sources throughout the world - from technical vulnerabilities and hacker profiling to the global spread of viruses and other malicious code. Our security intelligence services provide decision-makers, frontline security professionals and network administrators with timely access to actionable intelligence and decision support on cyber-related threats. For more information, visit http://www.idefense.com .
----- End forwarded message -----

-- 
ldv

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]
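Added example, not PINE's code and not part of the forwarded advisory: the two checks the advisory describes, rebuilt as small standalone C functions so the failure modes can be exercised without the rest of pine. SIZEOF_20KBUF and RFC2231_MAX are the constants quoted above; every function and struct name here is hypothetical. For vulnerability 1 it computes the length the unbounded "%-*s" sprintf would emit once one attribute name is oversized, and shows a bounded rendering that reports truncation instead of writing past the buffer. For vulnerability 2 it parses the RFC 2231 section number out of "name*N" with strtol (which accepts a sign), then compares the advisory's one-sided `n < RFC2231_MAX` check with a check that also rejects negative values. The sample parameters are constructed, not taken from a real message.

```c
/* Added example (not PINE or iDEFENSE code): the two checks from the advisory,
 * rebuilt as standalone functions. Constants match the advisory; all
 * function and struct names are hypothetical. */
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SIZEOF_20KBUF 20480   /* from the advisory: headers.h */
#define RFC2231_MAX   64      /* from the advisory: strings.c */

/* ---- Vulnerability 1: "%-*s" padding into a fixed buffer ---- */

struct param { const char *attrib; const char *value; };

/* Bytes the original, unbounded sprintf(d, "%-*s: %s\n", longest, attrib,
 * value) emits for one pair, NUL excluded. The attribute field is padded
 * out to 'longest', so one oversized attribute name inflates every line;
 * compare the result with the space left in tmp_20k_buf before writing. */
static size_t padded_line_len(size_t longest, const char *attrib, const char *value)
{
    size_t a = strlen(attrib);
    size_t field = a > longest ? a : longest;
    return field + 2 + strlen(value) + 1;   /* field ": " value "\n" */
}

/* Hardened rendering with the same output format. Every write is limited
 * to the space remaining; if a line would not fit, the function stops and
 * returns -1 with buf still NUL-terminated instead of running past its end. */
static int render_params_bounded(const struct param *p, size_t n, char *buf, size_t bufsz)
{
    size_t longest = 0, used = 0;
    if (bufsz == 0) return -1;
    for (size_t i = 0; i < n; i++) {
        size_t a = strlen(p[i].attrib);
        if (a > longest) longest = a;
    }
    if (longest > INT_MAX) return -1;     /* "%-*s" takes an int width */
    buf[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        int w = snprintf(buf + used, bufsz - used, "%-*s: %s\n", (int)longest,
                         p[i].attrib, p[i].value ? p[i].value : "");
        if (w < 0 || (size_t)w >= bufsz - used) {
            buf[bufsz - 1] = '\0';
            return -1;                    /* truncated: caller must not trust buf as complete */
        }
        used += (size_t)w;
    }
    return 0;
}

/* ---- Vulnerability 2: signed section number from "name*N" ---- */

/* Parse the RFC 2231 section number N out of an attribute such as "URL*0"
 * or "URL*1*" (a trailing '*' marks an encoded section). Returns 0 and
 * stores N on success, -1 if there is no usable number. strtol() accepts
 * a leading sign, which is how a negative index reaches the check below. */
static int parse_section(const char *attrib, long *out)
{
    const char *star = strchr(attrib, '*');
    char *end;
    long n;
    if (!star) return -1;
    errno = 0;
    n = strtol(star + 1, &end, 10);
    if (errno != 0 || end == star + 1) return -1;
    if (*end != '\0' && strcmp(end, "*") != 0) return -1;
    *out = n;
    return 0;
}

/* Shape of the original check: only an upper bound on a signed value,
 * so n == -5 passes and pieces[-5] would be written below the array. */
static int index_ok_original(long n) { return n < RFC2231_MAX; }

/* Hardened: the index must lie in [0, RFC2231_MAX). */
static int index_ok_hardened(long n) { return n >= 0 && n < RFC2231_MAX; }

/* Store one continuation piece using the hardened check.
 * Returns 1 if stored, 0 if the attribute was rejected. */
static int store_piece(const char *pieces[], const char *attrib, const char *value)
{
    long n;
    if (parse_section(attrib, &n) != 0 || !index_ok_hardened(n)) return 0;
    pieces[n] = value;
    return 1;
}

int main(void)
{
    /* Constructed sample input, not taken from a real message. */
    const struct param p[] = {
        { "Access-Type", "ftp" },
        { "URL", "ftp://localhost/pub/interesting.ps" },
    };
    char out[128];
    const char *pieces[RFC2231_MAX] = { 0 };

    printf("render: %d\n%s", render_params_bounded(p, 2, out, sizeof out), out);
    printf("longest=30000 needs %zu bytes per line, buffer is %d\n",
           padded_line_len(30000, "x", "y"), SIZEOF_20KBUF);
    printf("n=-5: original check %d, hardened check %d\n",
           index_ok_original(-5), index_ok_hardened(-5));
    printf("store URL*-5: %d\n", store_piece(pieces, "URL*-5", "x"));
    return 0;
}
```

The example never performs the overflow itself (that is undefined behaviour and would only corrupt the demo); it shows the arithmetic that proves a single long attribute name pushes every padded line past the buffer, and the two-sided range check that makes a negative section number harmless.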
Thread overview: 3+ messages
2003-09-10 20:41 Dmitry V. Levin [this message]
2003-09-10 20:58 ` Denis Ovsienko
2003-09-10 21:10   ` Dmitry V. Levin