[Full-Disclosure] iDEFENSE Security Advisory 08.24.04: CDE Mailer argv[0] Format String Vulnerability

idlabs-advisories_at_idefense.com
Date: 08/24/04

  • Next message: Rodrigo Barbosa: "[Full-Disclosure] Re: Hafiye-1.0 Terminal Escape Sequence Injection Vulnerability" 
    To: <idlabs-advisories@idefense.com>
Date: Tue, 24 Aug 2004 11:41:53 -0400

    CDE Mailer argv[0] Format String Vulnerability

    iDEFENSE Security Advisory 08.24.04
    www.idefense.com/application/poi/display?id=132&type=vulnerabilities
    August 24, 2004

    I. BACKGROUND

    CDE Mailer (dtmail) is the mail user agent (MUA) for CDE, which is
    installed on Solaris 8 and 9 by default. It provides an intuitive,
    easy-to-use GUI for reading, sending, and managing electronic mail.
    Dtmail supports both MIME and Sun Mail Tool message formats for reading
    and sending messages. In addition to local and NFS mailboxes, it also
    supports the use of IMAP4 for accessing remote mailboxes. Dtmail
    provides a mail-pervasive desktop environment by supporting the Mail(4)
    and Display(4) Media Exchange messages. Other applications can compose,
    send, and display electronic mail messages using the ToolTalk API and
    these Media Exchange messages.

    II. DESCRIPTION

    Exploitation of a format string vulnerability in the dtmail binary
    included with CDE can allow local attackers to gain mail group
    privileges.

    The vulnerability specifically exists due to improper usage of a
    formatted print function which allows a user supplied format to be
    processed via the argv[0] value. Local attackers can specify a special
    argv[0] containing format string characters to trigger the
    vulnerability and execute arbitrary code. Program arguments are copied
    onto the heap before being processed, so systems with non-executable
    stack protection are also easily affected.

    III. ANALYSIS

    Successful exploitation leads to group mail access. CDE is a widely
    deployed default desktop environment for UNIX operating systems. Gaining
    the ability to read other user email accounts, including root, could
    lead to exposure of highly sensitive data. The vulnerability is easily
    exploitable even when stack protections are enabled, furthering the
    impact of exposure.

    IV. DETECTION

    iDEFENSE has confirmed the existence of this vulnerability in Solaris 8
    and Solaris 9. It is believed that this vulnerability only affects the
    Solaris implementation of CDE Mailer.

    V. WORKAROUND

    iDEFENSE is currently unaware of a workaround for this vulnerability.

    VI. VENDOR RESPONSE

    The Sun advisory for this issue (SunAlert #57627) is available at:

    http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F57627

    VII. CVE INFORMATION

    A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not
    been assigned yet.

    VIII. DISCLOSURE TIMELINE

    03/04/2004 Initial vendor contact
                 (Opengroup.org)
    03/04/2004 iDEFENSE clients notified
    08/11/2004 Initial vendor response
                 (Opengroup.org - further coordination requested)
    04/19/2004 Initial vendor contact
                 (Hewlett-Packard, IBM, and Sun Microsystems)
    04/19/2004 Initial vendor response (Sun Microsystems)
    04/20/2004 Initial vendor response (Hewlett-Packard)
    08/24/2004 Public disclosure

    IX. CREDIT

    iDEFENSE Labs is credited with discovering this vulnerability.

    Get paid for vulnerability research
    http://www.idefense.com/poi/teams/vcp.jsp

    X. LEGAL NOTICES

    Copyright (c) 2004 iDEFENSE, Inc.

    Permission is granted for the redistribution of this alert
    electronically. It may not be edited in any way without the express
    written consent of iDEFENSE. If you wish to reprint the whole or any
    part of this alert in any other medium other than electronically, please
    email customerservice@idefense.com for permission.

    Disclaimer: The information in the advisory is believed to be accurate
    at the time of publishing based on currently available information. Use
    of the information constitutes acceptance for use in an as is condition.
    There are no warranties with regard to this information. Neither the
    author nor the publisher accepts any liability for any direct, indirect,
    or consequential loss or damage arising from use of, or reliance on,
    this information.

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

  • Next message: Rodrigo Barbosa: "[Full-Disclosure] Re: Hafiye-1.0 Terminal Escape Sequence Injection Vulnerability"

    Relevant Pages