[33808] in bugtraq
metamail format string bugs and buffer overflows
daemon@ATHENA.MIT.EDU (Ulf Härnhammar)
Wed Feb 18 15:26:32 2004
Message-ID: <1077133232.4033bfb05ce6d@webmail.uu.se>
Date: Wed, 18 Feb 2004 20:40:32 +0100
From: Ulf Härnhammar <Ulf.Harnhammar.9485@student.uu.se>
To: bugtraq@securityfocus.com
Cc: vulnwatch@vulnwatch.org, full-disclosure@lists.netsys.com,
PenetrationTesting@yahoogroups.com, sitic@pts.se
metamail format string bugs and buffer overflows
PROGRAM: metamail
VENDOR: Bell Communications Research, Inc. (Bellcore)
DOWNLOAD URLs: ftp://thumper.bellcore.com/pub/nsb/
http://ftp.funet.fi/pub/unix/mail/metamail/
VULNERABLE VERSIONS: 2.2, 2.4, 2.5, 2.6, 2.7, possibly others
IMMUNE VERSIONS: 2.7 with my patch applied
REFERENCES: CAN-2004-0104 (format string bugs)
CAN-2004-0105 (buffer overflows)
* DESCRIPTION *
"Metamail is an implementation of MIME, the Multipurpose Internet
Mail Extensions, a proposed standard for multimedia mail on the
Internet. Metamail implements MIME, and also implements extensibility
and configuration via the "mailcap" mechanism described in an
informational RFC that is a companion to the MIME document."
"In general, users will never run metamail directly. Instead,
metamail will be invoked for the user automatically by the user's
mail reading program, whenever a non-text message is to be viewed."
(quoted from the program's documentation)
metamail is one of the packages or ports in SUSE Linux, Debian
GNU/Linux, Slackware Linux, Mandrake Linux, Gentoo Linux, Turbolinux,
PLD Linux, FreeBSD, NetBSD, OpenBSD and old versions of Red Hat
Linux, among others.
There are several newsreaders (tin, slrn, nn), mailreaders (elm)
and antivirus programs (antimime, older versions of AMaViS) that
pass MIME messages from the network directly to metamail, so anyone
who can deliver a message or article to one of them can reach the
code paths described below.
* SUMMARY *
I have found two format string bugs and two buffer overflows in
metamail.
* TECHNICAL DETAILS *
The first format string bug occurs when a message has a
"multipart/alternative" media type and one of the body parts has a
"Content-Type" header with parameter names or values containing
printf formatting codes (such as %x, %s or %n). It is caused by two
fprintf() statements in the function SaveSquirrelFile() - yes, it's
really called that - in metamail.c, which pass the parameter text as
the format argument instead of printing it through "%s". The file
"testmail1" gives an example of this problem.
The second format string bug occurs when a message has encoded
non-ASCII characters in the mail headers (as described in RFC 2047),
an unknown encoding, and encoded text containing formatting codes. It
is caused by a printf() statement in the function PrintHeader() in
metamail.c that uses the encoded text itself as the format string. An
example of this problem can be found in the file "testmail2".
The first buffer overflow occurs when a message has encoded non-ASCII
characters in the mail headers and the part that names a character
set is overly long. The root of this problem is an unbounded strcpy()
of the charset name into a fixed-size buffer in the function
PrintHeader() in metamail.c. An example of this can be found in the
file "testmail3".
The second buffer overflow doesn't occur in the metamail executable,
but in the splitmail executable that is built alongside it from the
metamail package. This overflow occurs when a message has an overly
long Subject header. It is caused by an unbounded strcpy() of the
header into a fixed-size buffer in the function ShareThisHeader() in
splitmail.c. An example can be found in the "testmail4.splitmail"
file.
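As an added illustration (not metamail's code, and not taken from the
advisory's attachment), the C program below shows the two bug classes
described above on a single RFC 2047 encoded-word: the unknown-encoding
path that hands header text to fprintf() as its format, and the
unbounded strcpy() of the charset name into a fixed buffer, which is
the same shape as the Subject copy in splitmail. The hardened form
length-checks the copy while parsing and only ever passes header data
through a "%.*s" argument. CHARSET_MAX, the function names and the
sample inputs are assumptions made for this example; B/Q decoding is
left out because it is not where the bugs are.

```c
/* Added example for this advisory, not metamail's code. CHARSET_MAX and
 * all function names are assumptions chosen for the illustration. */
#include <stdio.h>
#include <string.h>

#define CHARSET_MAX 32          /* assumed size of the fixed charset buffer */

/* The pieces of =?charset?encoding?encoded-text?= (RFC 2047). */
struct encoded_word {
    char charset[CHARSET_MAX];  /* NUL-terminated, length-checked copy */
    char encoding;              /* 'B' or 'Q' per RFC 2047; anything else is unknown */
    const char *text;           /* points into the caller's input */
    size_t text_len;
};

/* Split an encoded-word without decoding it.
 * Returns 0 on success, -1 if malformed, -2 if the charset will not fit. */
int parse_encoded_word(const char *in, struct encoded_word *ew)
{
    const char *cs, *q1, *q2, *q3;
    size_t cslen;

    if (strncmp(in, "=?", 2) != 0) return -1;
    cs = in + 2;
    q1 = strchr(cs, '?');                        /* ends charset */
    if (q1 == NULL) return -1;
    q2 = strchr(q1 + 1, '?');                    /* ends encoding */
    if (q2 == NULL || q2 - q1 != 2) return -1;   /* encoding is one character */
    q3 = strstr(q2 + 1, "?=");                   /* ends encoded-text */
    if (q3 == NULL) return -1;

    cslen = (size_t)(q1 - cs);
    if (cslen == 0 || cslen >= sizeof ew->charset)
        return -2;                               /* the check a bare strcpy() lacks */
    memcpy(ew->charset, cs, cslen);
    ew->charset[cslen] = '\0';
    ew->encoding = q1[1];
    ew->text = q2 + 1;
    ew->text_len = (size_t)(q3 - ew->text);
    return 0;
}

/* VULNERABLE SHAPE, kept only to show the pattern; never call it on
 * untrusted input. The charset is strcpy()'d into a fixed buffer, and for
 * an unknown encoding the raw encoded-text becomes the format string, so
 * any %x, %s or %n in it is interpreted by fprintf(). */
void render_header_unsafe(FILE *out, const char *charset_in, char encoding,
                          const char *text_in)
{
    char charset[CHARSET_MAX];

    strcpy(charset, charset_in);                 /* overflows for a long charset */
    if (encoding != 'B' && encoding != 'Q')
        fprintf(out, text_in);                   /* attacker-controlled format */
    else
        fprintf(out, "[%c-encoded text]", encoding);
    fprintf(out, " (charset %s)\n", charset);
}

/* HARDENED FORM: the copy is length-checked in parse_encoded_word(), and
 * header data only travels through a "%.*s" argument, never the format.
 * Writes the result to out; returns the parse status (0, -1 or -2). */
int render_header_safe(char *out, size_t outsz, const char *word)
{
    struct encoded_word ew;
    int rc = parse_encoded_word(word, &ew);

    if (rc != 0) {
        snprintf(out, outsz, "<rejected encoded-word, status %d>", rc);
        return rc;
    }
    snprintf(out, outsz, "%.*s (charset %s, encoding %c)",
             (int)ew.text_len, ew.text, ew.charset, ew.encoding);
    return 0;
}

/* Render with the safe path and compare; 1 on match, 0 otherwise. */
int render_matches(const char *word, const char *expected)
{
    char buf[128];
    render_header_safe(buf, sizeof buf, word);
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    char buf[128];
    /* Constructed inputs modelled on the bug descriptions, not the advisory's test messages. */
    const char *samples[] = {
        "=?ISO-8859-1?Q?hello?=",
        "=?ISO-8859-1?X?%x%x%x%n?=",                           /* unknown encoding, format codes in text */
        "=?" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "?Q?hi?="  /* 40-byte charset */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        render_header_safe(buf, sizeof buf, samples[i]);
        puts(buf);                               /* %x%n printed literally; long charset rejected */
    }
    render_header_unsafe(stdout, "ISO-8859-1", 'Q', "hello");  /* harmless only because the input is benign */
    return 0;
}
```

Compile with cc -Wall; the compiler's format-string warning on the
unsafe function is the point, and that function is only ever invoked on
a benign literal so the two call shapes can be compared side by side.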
* PATCH AND TEST MESSAGES *
I have attached metamail.advisory-data.tar.gz, which contains the
four test messages mentioned above, as well as a patch that corrects
all four issues. The patch is diff'ed against version 2.7.
In case your system administrator doesn't like .tar.gz attachments,
I have also made this file available for downloading at
http://labben.abm.uu.se/~ulha9485/metamail.advisory-data.tar.gz
* TIMELINE *
metamail is unmaintained, so I contacted the vendor-sec list instead.
7 feb: the vendor-sec list (vendor-sec@lst.de) was contacted
9 feb: a coordinated release date was agreed upon
Friday 13 feb (the day of the W2K source leak): CAN references
were posted
18 feb: Slackware released their advisory and updates
18 feb: I release this advisory
* 31337 IRC KIDDIES *
K: "w0w d00d y4 ph0und b0th buphph3r 0v3rphl0wzZz 4nd ph0rm4t
zZztr1ng bugzZz 1n m3t4m41l!!!! buphph3r 0v3rphl0wzZz (th3 0nly
r34l s3cur1ty h0l3) 4r3 d4 k00l3zZzt but ph0rm4t zZztr1ng bugzZz
(th3 0th3r r34l s3cur1ty h0l3) 4r3 r33ly k00l 4zZzw3ll!!!! d0 y4
w4nn4 j01n 0ur h4ck3r gr0up 'h4ck3rzZz phr0m h3ll'??? w3 h4v3 4ll
th3 l4t3zZzt w1nd0wzZz w4r3zZz 4nd w3 h4v3 4 pr3s3nc3 0n 1rc phr0m
6 4m unt1l m1dn1ght c0z 0n3 0ph 0ur m3mb3rzZz' p4r3ntzZz l3t h1m
st4y up l4t3!!!11!1!!!1!!!"
U: "Virgin."
// Ulf Harnhammar
kses - PHP HTML/XHTML filter (no XSS)
http://sourceforge.net/projects/kses