[UNIX] Fetchmail Remote Vulnerability (Localhost @)
From: support@securiteam.com
Date: 12/15/02
From: support@securiteam.com To: list@securiteam.com Date: 15 Dec 2002 23:32:36 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
Beyond Security would like to welcome Tiscali World Online
to our service provider team.
For more info on their service offering IP-Secure,
please visit http://www.worldonline.co.za/services/work_ip.asp
- - - - - - - - -
Fetchmail Remote Vulnerability (Localhost @)
------------------------------------------------------------------------
SUMMARY
In light of recent discoveries, e-Matters re-audited Fetchmail and found
another buffer overflow that is reachable in the default configuration. This
heap overflow can be used by remote attackers to crash Fetchmail or to execute
arbitrary code with the privileges of the user running it. Depending on the
configuration, this allows a remote root compromise.
DETAILS
Vulnerable systems:
* Fetchmail version 6.1.3 and prior
When Fetchmail retrieves a mail it performs the so-called reply-hack: every
header that contains addresses is searched for local addresses (addresses
without an @domain part). When such an address is found, Fetchmail appends
an @ and the hostname of the mail server to it. To avoid repeatedly
reallocating the output buffer during this process, Fetchmail first counts
the number of addresses within the header line and then reserves enough space
for the case that all of them are local. Unfortunately this calculation is
wrong because it:
A) counts too many addresses, and
B) accounts only for the hostname and not for the extra @ that is also
appended.
This means that once a header line contains enough local addresses (the exact
number depends on the over-count from A), every additional local address
overflows the buffer by one byte. The result is a heap overflow of arbitrary
size, which we proved to be exploitable on our Linux boxes. Because the
overflow occurs in malloc()ed areas, we believe that BSD systems can only be
crashed with this bug.
Finally, it is important to mention that an attacker does not need to spoof
DNS records or control the mail server to exploit this bug. It is usually
enough to send the victim a mail that contains specially crafted header
lines.
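The sizing error described above, modelled as an added example (this is not
Fetchmail's own reply-hack code, and the "one extra address" over-count is an
assumption standing in for the over-count the advisory mentions). Addresses
are taken to be comma-separated, an address is local when it has no '@', and
the hostname "mail.example.org" is a constructed sample. The model shows how
the shortfall between the flawed and the correct reservation grows by one byte
per local address once enough of them are present, and the safe rewrite shows
the allocation that accounts for both the '@' and the hostname.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Count comma-separated addresses in a header value and how many are local
 * (contain no '@').  Simplified model, not fetchmail's parser. */
static void count_addresses(const char *hdr, size_t *total, size_t *local)
{
    *total = 0;
    *local = 0;
    const char *p = hdr;
    while (*p) {
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        (*total)++;
        if (memchr(p, '@', len) == NULL)
            (*local)++;
        if (!end)
            break;
        p = end + 1;
    }
}

/* Flawed reservation in the spirit of the advisory: the address count is
 * over-estimated (assumption: one extra address) and each counted address
 * gets strlen(hostname) bytes, forgetting the '@' that is also appended. */
size_t flawed_reservation(const char *hdr, const char *hostname)
{
    size_t total, local;
    count_addresses(hdr, &total, &local);
    return strlen(hdr) + (total + 1) * strlen(hostname) + 1;
}

/* Correct reservation: every local address grows by '@' plus the hostname,
 * plus one byte for the terminating NUL. */
size_t correct_reservation(const char *hdr, const char *hostname)
{
    size_t total, local;
    count_addresses(hdr, &total, &local);
    return strlen(hdr) + local * (1 + strlen(hostname)) + 1;
}

/* Bytes by which the flawed reservation falls short (0 while it suffices). */
size_t shortfall(const char *hdr, const char *hostname)
{
    size_t need = correct_reservation(hdr, hostname);
    size_t have = flawed_reservation(hdr, hostname);
    return need > have ? need - have : 0;
}

/* Safe rewrite: allocate the correct size, then append "@hostname" to every
 * local address.  Caller frees the result. */
char *qualify_local_addresses(const char *hdr, const char *hostname)
{
    char *out = malloc(correct_reservation(hdr, hostname));
    if (!out)
        return NULL;
    char *w = out;
    const char *p = hdr;
    while (*p) {
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        memcpy(w, p, len);
        w += len;
        if (memchr(p, '@', len) == NULL) {   /* local: qualify it */
            *w++ = '@';
            memcpy(w, hostname, strlen(hostname));
            w += strlen(hostname);
        }
        if (!end)
            break;
        *w++ = ',';
        p = end + 1;
    }
    *w = '\0';
    return out;
}

/* Build a constructed header value with n local addresses "u1,u2,...,un". */
char *make_local_header(size_t n)
{
    size_t cap = n * 12 + 1;
    char *buf = malloc(cap);
    if (!buf)
        return NULL;
    size_t used = 0;
    buf[0] = '\0';
    for (size_t i = 1; i <= n; i++)
        used += (size_t)snprintf(buf + used, cap - used, "%su%zu", i > 1 ? "," : "", i);
    return buf;
}

int main(void)
{
    const char *host = "mail.example.org";   /* constructed sample hostname */
    for (size_t n = 15; n <= 20; n++) {
        char *h = make_local_header(n);
        printf("%2zu local addresses: flawed reservation short by %zu byte(s)\n",
               n, shortfall(h, host));
        free(h);
    }
    return 0;
}
```

With a 16-character hostname the extra address absorbs the missing '@' bytes
for up to 16 local addresses; from the 17th on, each further local address
leaves the flawed reservation one byte shorter, which is the pattern the
advisory describes.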
Vendor Response:
8 December 2002: A patch that fixes this vulnerability was mailed to the
vendor.
13 December 2002: Vendor released Fetchmail v6.2.0, which fixes this
vulnerability.
Recommendation:
If you are running Fetchmail, we suggest upgrading to a new or patched
version as soon as possible.
ADDITIONAL INFORMATION
The original advisory can be downloaded from:
http://security.e-matters.de/advisories/052002.html
The information has been provided by Stefan Esser of e-Matters
(s.esser@e-matters.de).
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.