Title: Buffer Overflow in MIME-aware Mail and News Clients
Released by: CERT
Date: 11th August 1998

=============================================================================
CERT* Advisory CA-98.10

Original issue date: August 11, 1998
Last Revised:   October 19, 1998
                Added vendor information for Compaq Computer Corporation

                A complete revision history is at the end of this file.

Topic: Buffer Overflow in MIME-aware Mail and News Clients

-----------------------------------------------------------------------------

The CERT Coordination Center has received reports of a vulnerability in some
MIME-aware mail and news clients.

The CERT/CC team recommends updating any vulnerable mail or news clients
according to the information provided in Appendix A. In addition, network
administrators may be able to employ some risk mitigation strategies until
they are able to update all the vulnerable clients. These strategies are
described in Appendix B.

We will update this advisory as we receive additional information. Please
check our advisory files regularly for updates that relate to your site.

As of the publication date of this advisory, we have not received any
reports indicating this vulnerability has been successfully exploited.

-----------------------------------------------------------------------------

I.   Description

A vulnerability in some MIME-aware mail and news clients could allow
an intruder to execute arbitrary code, crash the system, or gain
administrative rights on vulnerable systems. The vulnerability has
been discovered by Marko Laakso and Ari Takanen of the Secure
Programming Group of the University of Oulu. It has received
considerable public attention in the media and through reports
published by Microsoft, Netscape, AUSCERT, CIAC, NTBugTraq, and
others.

The vulnerability affects a number of mail and news clients in
addition to the ones which have been the subjects of those reports.

II.  Impact

An intruder who sends a carefully crafted mail message to a vulnerable
system can, under some circumstances, cause code of the intruder's
choosing to be executed on the vulnerable system. Additionally, an
intruder can cause a vulnerable mail program to crash unexpectedly.

Depending on the operating system on which the mail client is running
and the privileges of the user running the vulnerable mail client, the
intruder may be able to crash the entire system. If a privileged user
reads mail with a vulnerable mail user agent, an intruder can gain
administrative access to the system.

III. Solution

     A.  Obtain and install a patch for this problem as described in
         Appendix A.

     B.  Until you are able to install the appropriate patch, you may wish to
         install patches to sendmail or to use procmail filtering as described
         in Appendix B.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Appendix A - Vendor Information

Below is a list of the vendors who have provided information for this
advisory. We will update this appendix as we receive additional information.
If you do not see your vendor's name, the CERT/CC did not hear from that
vendor. Please contact the vendor directly.

Caldera Inc.
============

Caldera is currently investigating these issues and in the process of
releasing a fix. Updated RPMs will be uploaded to:

        http://ftp.caldera.com/pub/OpenLinux/updates/1.2/011

                9d2a8ca516c3bbbe920a72d365780fe3  mutt-0.93.1-2.i386.rpm
                a20383c9c6f73aac56731ab65c9525fd  mutt-0.93.1-2.src.rpm

Compaq Computer Corporation
===========================
_______________________________________________________________________

(c) Copyright 1994, 1995, 1996, 1997, 1998 Compaq Computer Corporation.
    All rights reserved.

SOURCE: Compaq Computer Corporation
        Compaq Services
        Software Security Response Team USA

X-REF:  AUSCERT AA-98.04,
        CIAC I-077,
        CERT CA-98.10
Subj.   mime-aware mail clients

    This reported problem is not present in the as-shipped
    Compaq Digital ULTRIX or Compaq Digital UNIX
    Operating Systems Software.

                                 - Compaq Computer Corporation

Data General Corporation
========================

DG/UX is not vulnerable to this report as it includes no native utilities with
MIME support.

Fujitsu
=======

Fujitsu's operating system, UXP/V, does not support any mail client
which can handle MIME encoding/decoding. Therefore, Fujitsu UXP/V is
not vulnerable.

Hewlett-Packard Company
=======================

The version of dtmail supplied by HP, as part of HP's CDE product, is
vulnerable. Patches are in process.

Iris
====

Iris is aware of this problem and is investigating to determine if Lotus Notes
is vulnerable.

Microsoft Corporation
=====================

Previously released information regarding this vulnerability is
available from Microsoft at

      http://www.microsoft.com/security/bulletins/ms98-008.htm

Mutt
====

  Mutt versions up to 0.93.1(i) were vulnerable to a
  remotely exploitable buffer overflow.  The bug has been
  fixed as of mutt 0.93.2(i).  A patch was distributed on
  Usenet on July 29.

  Users of older versions should upgrade as soon as
  possible.

  Mutt 0.93.2(i) is available from
  http://ftp.guug.de/pub/mutt/

  The distribution files with their MD5 checksums:

  diff-0.93.1-0.93.2.gz    39918e8c27e1a762af77052ea1164dbb
  diff-0.93.1i-0.93.2i.gz  aa08b3b3ade6e733c9bb01809199e3e7
  mutt-0.93.2i.tar.gz      9ce8f1020a638d07cb3772b1ebe9887d
  mutt-0.93.2.tar.gz       89a0888b1d25895cdc74f0999713f52b

  SHA1 checksums:

  diff-0.93.1-0.93.2.gz    326b4dd8479717ab1bc073a1a3eaa13ef6d551df
  diff-0.93.1i-0.93.2i.gz  1358d1462d76c1c41a2070bdf5eee1b60a216ee8
  mutt-0.93.2i.tar.gz      2a16bd1ee9edf24222d39998e80d8adafa6d45fa
  mutt-0.93.2.tar.gz       1048f600395b328783bf58dedddd9a18ad4e36d1

  Credits for noting this bug and giving a first fix on
  bugtraq go to Paul Boehm.

NCR
===

No products are affected.

NetBSD Foundation
=================

The NetBSD Foundation package system contains packages for mutt and pine. All
users should upgrade to the latest version of these packages as soon as
possible. Updated binary packages will become available on the NetBSD FTP
server as soon as possible, and will be announced on the
netbsd-announce@netbsd.org list. To join this list, or for more information
about NetBSD, please see http://www.NetBSD.ORG/

Netscape
========

Previously released information regarding this vulnerability is
available from Netscape at

http://www.netscape.com/products/security/resources/bugs/longfile.html

OpenBSD
=======

Not affected. OpenBSD does not ship any of the affected products.

Pegasus Mail
============

We have conducted a strenuous examination of the equivalent code in
Pegasus Mail and can confirm that Pegasus Mail is *not* vulnerable
to this particular attack. Pegasus Mail handles attachments in a
different manner from the affected Netscape and Microsoft products,
and does proper bounds checking on filename lengths in all cases.

In the course of following up on this problem, we *have* unearthed a
related problem, though: there are conceivable scenarios where
Pegasus Mail may be made to crash when it attempts to parse a
particular class of improperly-formatted MIME headers. The crash
does not result from a buffer overflow, and hence has none of the
security ramifications of the Netscape/OE problem - the crash itself
is the worst that can happen. We have corrected this particular
parser problem for the v3.01c release of Pegasus Mail, which will be
out early next week.

To reiterate: Pegasus Mail is *not* vulnerable to the problem
currently being publicized.

Mercury users: our Mercury Mail Transport System is not currently
required to perform MIME parsing, and is hence completely immune
to this problem.

QUALCOMM Incorporated
=====================

Eudora Pro Email, Eudora Pro CommCenter and Eudora Light not
susceptible to buffer overflow security problem

QUALCOMM tested its line of Eudora email software after becoming aware
of the buffer overflow security problems recently found in Microsoft
and Netscape email programs. QUALCOMM is pleased to announce that its
Eudora email products are not susceptible to the types of attacks that
can harm the computers of users of these other products. QUALCOMM
tested the latest versions of Eudora Pro and Eudora CommCenter
versions 4.0, 4.0.1 and 4.1 (beta), as well as Eudora Pro and Eudora
Light versions 3.0 through 3.0.5 (Windows) and 3.1.3 (Mac). In all
cases, Eudora does not allow any unauthorized programs to be
automatically executed on a user's system by exploiting buffer
overflow flaws.

Internally, Eudora 4.0.1 (shipping) and 4.1 (beta) check incoming
header sizes and in particular attachment name lengths and truncate
where appropriate to avoid buffer overrun. In previous versions of
Eudora, specifically the Windows Eudora versions 3.0 through 3.0.5 and
4.0, long attachment names under certain conditions could cause the
program to terminate prematurely, but most importantly, not in such a
way as to allow unauthorized execution of code. Upgrading to Windows
Eudora 4.0.1 or 4.0.2 (both shipping) or 4.1 (beta) resolves that
particular issue.

An unrelated security issue has recently been made public regarding
the use of Java scripts and attachments in email messages received by
Eudora 4.x.  Full details of this issue, along with links to Eudora
Pro 4.0.2 and 4.1 updaters, are available at
<http://eudora.qualcomm.com/security.html>.  The available Eudora Pro
4.0.2 and 4.1 updaters correct the potential security risk.

The Santa Cruz Operation, Inc. (SCO)
====================================

The following SCO products are not vulnerable:

- SCO CMW+
- SCO Open Desktop / Open Server 3.0, SCO UNIX 3.2v4
- SCO OpenServer 5, SCO Internet FastStart
- SCO UnixWare 2.1

SCO UnixWare 7 dtmail may be vulnerable - investigation is
continuing.  Pending this investigation, SCO recommends that
dtmail not be used on UnixWare 7; mail may be safely read
using mailx or Netscape Navigator.

Sun Microsystems, Inc.
======================

Please refer to Sun Microsystems, Inc. Security Bulletin, "mailtool",
Number: 00175, distributed September 9, 1998 for additional information
relating to this vulnerability.

Patches and Checksums are available to all Sun customers via World Wide Web at:
        http://sunsolve.sun.com/sunsolve/pubpatches/patches.html

Sun security bulletins are available via World Wide Web at:
        http://sunsolve.sun.com/pub-cgi/secbul.pl

University of Washington
========================

Pursuant to recent reports of vulnerability to malformed or malicious
MIME attachments, the UW Pine Team has corrected a few cases of
potential buffer overrun in the latest Pine Message System release,
version 4.02, that might cause Pine to crash when inordinately long
MIME-header information is encountered.

It has been speculated that these problems could be exploited to allow
a message sender to execute an arbitrary command on behalf of the
receiving user, although with no more privilege than the receiving
user.  While the UW Pine Team is not aware of any specific attacks
involving this bug, they have made a source patch available to address
this threat.

The source patch is available from:

        http://ftp.cac.washington.edu/pine/pine4.02A.patch

Or via links found within the Pine Information Center at:

        http://www.washington.edu/pine/

The patch is intended for the Pine Mail System version 4.02 (released
21 July 1998).  The file is in context-diff format, and should be
understood by the "patch" utility.  To update Pine 4.02 source, simply
copy the patch file into the same directory as the pine4.02 source
tree and type:

        patch -p < pine4.02A.patch

The UW Pine Team strongly encourages sites running version 4.00 or
greater to upgrade to the latest release, and apply the published
patch.  While versions prior to 4.00 are less sensitive to malicious
messages, upgrading to version 4.02A (including the patch) is
recommended.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Appendix B - Risk Mitigation

Although the vulnerability described in this advisory affects mail
user agents, it may be possible to reduce the risk by modifying mail
transfer agents to detect messages that trigger the vulnerability
before they reach the mail user agent, or by filtering such messages.

Below is a list of vendors who have provided us information on
strategies that can mitigate the risk. Note that these vendors are not
themselves vulnerable to this problem.

Sendmail, Inc.
==============

Sendmail, Inc. has produced a patch for version 8.9.1 of sendmail
as a service to their user base to assist system administrators
in proactively defending against these problems.
Sites that choose not to install the patch at this time will
not increase their exposure to the problem in this case.

This patch and installation instructions are available at
http://www.sendmail.com/sendmail.8.9.1a.html .

Note that the patch is specific to sendmail version 8.9.1 only.
If you are unable to upgrade to this version, do not attempt to
use the patch.

John Hardin
===========

John Hardin has modified his procmail Filters Kit to include filters
which may be able to assist sites in defending against these problems.

More information about the procmail Filters Kit is available at

http://www.wolfenet.com/~jhardin/procmail-security.html

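The mitigation Appendix B describes in general terms, catching messages with over-long MIME attachment-name parameters at the MTA or in a procmail-style filter before a vulnerable client parses them, as an added Python example that is not part of the advisory, of the sendmail patch or of the procmail Filters Kit. The 128-byte ceiling and the two sample messages are constructed assumptions, not values from the advisory.

```python
import re
from typing import List, Tuple

# Assumed ceiling for a legitimate attachment name; the advisory gives no
# figure, so tune it to what your site's clients actually produce.
MAX_PARAM_LEN = 128

# Header fields whose name= / filename= parameters carry attachment names.
PARAM_HEADERS = ("content-type", "content-disposition")
_PARAM_RE = re.compile(r';\s*(name|filename)\s*=\s*("(?:[^"\\]|\\.)*"|[^;\s]*)',
                       re.IGNORECASE)


def unfold_headers(raw: str) -> List[str]:
    """Join RFC 822 continuation lines (leading space or tab) so that each
    header is one logical line. The whole message is scanned because every
    MIME part carries its own header block."""
    logical: List[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and logical:
            logical[-1] += " " + line.strip()
        else:
            logical.append(line)
    return logical


def find_long_params(raw: str, limit: int = MAX_PARAM_LEN) -> List[Tuple[str, str, int]]:
    """Return (header, parameter, length) for every name= or filename=
    parameter longer than `limit`; quoted values are measured without
    their quotes. An empty list means the message passes the filter."""
    findings: List[Tuple[str, str, int]] = []
    for line in unfold_headers(raw):
        header, sep, value = line.partition(":")
        if not sep or header.strip().lower() not in PARAM_HEADERS:
            continue
        for param, val in _PARAM_RE.findall(value):
            if len(val) >= 2 and val[0] == val[-1] == '"':
                val = val[1:-1]
            if len(val) > limit:
                findings.append((header.strip(), param.lower(), len(val)))
    return findings


# Constructed sample messages (not real captures). The second one carries
# attachment-name parameters far longer than any legitimate file name.
BENIGN_MSG = (
    "From: alice@example.test\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="b1"\r\n'
    "\r\n--b1\r\n"
    'Content-Type: application/octet-stream; name="q3-report.pdf"\r\n'
    "Content-Disposition: attachment;\r\n"
    ' filename="q3-report.pdf"\r\n'
    "\r\nAAAA\r\n--b1--\r\n"
)
SUSPECT_MSG = BENIGN_MSG.replace("q3-report.pdf", "A" * 300)
```

A filter built on find_long_params should quarantine or bounce a message with a non-empty result rather than truncating it, so that the receiving client never sees the over-long header.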
-----------------------------------------------------------------------------
Our thanks go to Marko Laakso and Ari Takanen of the Secure Programming
Group of the University of Oulu; Eric Allman and Gregory Shapiro
of Sendmail, Inc; AUSCERT; DFN-CERT; John Hardin; and Gene Spafford of
Purdue University for their input.
-----------------------------------------------------------------------------

NO WARRANTY
-----------

Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie
Mellon University makes no warranties of any kind, either expressed or
implied as to any matter including, but not limited to, warranty of
fitness for a particular purpose or merchantability, exclusivity or
results obtained from use of the material. Carnegie Mellon University
does not make any warranty of any kind with respect to freedom from
patent, trademark, or copyright infringement.

---------

If you believe that your system has been compromised, contact the CERT
Coordination Center or your representative in the Forum of Incident
Response and Security Teams (see http://www.first.org/team-info/).

CERT/CC Contact Information
----------------------------
Email    cert@cert.org

Phone    +1 412-268-7090 (24-hour hotline)
                CERT personnel answer 8:30-5:00 p.m. EST(GMT-5) / EDT(GMT-4)
                and are on call for emergencies during other hours.

Fax      +1 412-268-6989

Postal address
         CERT Coordination Center
         Software Engineering Institute
         Carnegie Mellon University
         Pittsburgh PA 15213-3890
         USA

Using encryption
   We strongly urge you to encrypt sensitive information sent by email. We can
   support a shared DES key or PGP. Contact the CERT/CC for more information.
   Location of CERT PGP key
         http://ftp.cert.org/pub/CERT_PGP.key

Getting security information
   CERT publications and other security information are available from
        http://www.cert.org/
        http://ftp.cert.org/pub/

   CERT advisories and bulletins are also posted on the USENET newsgroup
        comp.security.announce

   To be added to our mailing list for advisories and bulletins, send
   email to
        cert-advisory-request@cert.org
   In the subject line, type
        SUBSCRIBE  your-email-address

---------------------------------------------------------------------------

Copyright 1998 Carnegie Mellon University. Conditions for use, disclaimers,
and sponsorship information can be found in
http://www.cert.org/legal_stuff/legal_stuff.html and
http://ftp.cert.org/pub/legal_stuff .
If you do not have FTP or web access, send mail to cert@cert.org with
"copyright" in the subject line.

*CERT is registered in the U.S. Patent and Trademark Office.

---------------------------------------------------------------------------

This file:

        http://ftp.cert.org/pub/cert_advisories/CA-98.10.mime_buffer_overflows

        http://www.cert.org/advisories/CA-98.10-mime-buffer-overflows.html

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision history

Oct. 19, 1998   Added vendor information for Compaq Computer Corporation

Sept. 18, 1998  Added vendor information for Sun Microsystems, Inc.

Aug. 12, 1998   Added vendor information, see Appendix A
                Updated risk mitigation information, see Appendix B

Aug. 11, 1998   Added vendor information for Pegasus Mail