[UNIX] Mutt Controlled IMAP Server Buffer Overflow

From: support@securiteam.com
Date: 03/23/03

    From: support@securiteam.com
    To: list@securiteam.com
    Date: 23 Mar 2003 16:28:52 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Mutt Controlled IMAP Server Buffer Overflow
    ------------------------------------------------------------------------

    SUMMARY

    Mutt is a very popular small text-based MUA (Mail User Agent) for UNIX
    operating systems. For more information about Mutt, visit
    http://www.mutt.org

    The Mutt Mail User Agent (MUA) has support for accessing remote mailboxes
    through the IMAP protocol.

    By controlling a malicious IMAP server and providing a specially crafted
    folder, an attacker can crash the mail reader and possibly force execution
    of arbitrary commands on the vulnerable system with the privileges of the
    user running Mutt.

    DETAILS

    Vulnerable systems:
     * Versions of Mutt up to, and including, 1.4.0 (stable)
     * Versions of Mutt up to, and including, 1.5.3 (unstable)

    Immune systems:
     * Mutt version 1.4.1 (stable branch) and Mutt version 1.5.4 (unstable)

    Solution/Vendor Information/Workaround:
    Mutt 1.4.1 (stable branch) and 1.5.4 (unstable) have been released with a
    fix for the vulnerability. These versions will soon be available from
    ftp://ftp.mutt.org/mutt/.

    Technical Description - Exploit/Concept Code:
    According to RFC 2060 (INTERNET MESSAGE ACCESS PROTOCOL - VERSION
    4rev1), section 5.1.3: "By convention, international mailbox names are
    specified using a modified version of the UTF-7 encoding described in
    [UTF-7]."

    When Mutt has to convert a mailbox name from its internal UTF-8
    representation to this UTF-7-like encoding, it indirectly calls the
    function utf8_to_utf7() in module imap/utf7.c. That function
    miscalculates the maximum output length; therefore, if one controls the
    IMAP server, it is possible to supply a folder name whose encoded form is
    at least 50% larger than the calculated maximum.

    These perl one-liners will generate two different folder names whose
    length is past the calculated maximum:

     perl -e 'print (chr(0x10) x 20)'
     perl -e 'print ((chr(0x10) . chr(0x41)) x 20)'

    The second produces a longer output after conversion. It might be
    necessary to increase the multiplier to see Mutt crash.
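    The encoding step the advisory describes, as an added example that is not mutt's code: a small RFC 2060 modified-UTF-7 encoder together with the worst-case output bound a correct allocator needs, which I derive as 7 output bytes per 2 input bytes (a control character followed by '&' encodes as "&ABA-&-"). Fed the two folder names above, the second one encodes to 120 bytes, which with its terminating NUL is the siz=121 seen in the backtrace below; the function and buffer names are mine, and the decoder handles the BMP only.

```c
/* Added example, not mutt's code: RFC 2060 "modified UTF-7" encoder for IMAP
 * mailbox names with a worst-case size bound. BMP only (4-byte UTF-8 -> U+FFFD). */
#include <string.h>
static const char B64[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+,";
/* Worst case: control char then '&' -> "&ABA-&-", i.e. 7 output bytes per 2
 * input bytes, plus one for the terminating NUL. */
size_t utf7_bound(size_t u8len) { return (u8len + 1) / 2 * 7 + 1; }
/* Flush pending base64 bits (zero-padded) and close the "&...-" run. */
static size_t close_run(char *out, size_t o, unsigned bits, unsigned nbits) {
    if (nbits) out[o++] = B64[(bits << (6 - nbits)) & 0x3F];
    out[o++] = '-'; return o;
}
/* Returns the encoded length (no NUL); out must hold utf7_bound(len) bytes. */
size_t utf8_to_mutf7(const unsigned char *in, size_t len, char *out) {
    size_t o = 0, i = 0;
    unsigned bits = 0, nbits = 0, inrun = 0; /* pending base64 bits; in a run? */
    while (i < len) {
        unsigned c = in[i], cp = 0xFFFD;     /* U+FFFD for malformed input */
        size_t n = 1;
        if (c < 0x80) cp = c;
        else if ((c & 0xE0) == 0xC0 && i + 1 < len) { cp = ((c & 0x1F) << 6) | (in[i + 1] & 0x3F); n = 2; }
        else if ((c & 0xF0) == 0xE0 && i + 2 < len) {
            cp = ((c & 0x0F) << 12) | ((in[i + 1] & 0x3F) << 6) | (in[i + 2] & 0x3F); n = 3;
        }
        i += n;
        if (cp >= 0x20 && cp <= 0x7E) {      /* printable ASCII: close any open run */
            if (inrun) { o = close_run(out, o, bits, nbits); inrun = nbits = 0; }
            out[o++] = (char)cp;
            if (cp == '&') out[o++] = '-';    /* '&' itself is written as "&-" */
        } else {                             /* anything else: UTF-16BE, base64 */
            if (!inrun) { out[o++] = '&'; inrun = 1; }
            bits = (bits << 16) | cp; nbits += 16;
            while (nbits >= 6) { nbits -= 6; out[o++] = B64[(bits >> nbits) & 0x3F]; }
        }
    }
    if (inrun) o = close_run(out, o, bits, nbits);
    out[o] = '\0';
    return o;
}

/* Encode `pat` repeated `times` times (like the advisory's perl one-liners). */
const char *mutf7_repeat(const char *pat, int times) {
    static unsigned char in[256]; static char out[1024];
    size_t plen = strlen(pat), len = 0;
    while (times-- > 0 && len + plen <= sizeof in) { memcpy(in + len, pat, plen); len += plen; }
    utf8_to_mutf7(in, len, out);
    return out;
}
```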

    A post-mortem analysis of the crashed process shows:
    #0 0x4207434f in _int_realloc () from /lib/i686/libc.so.6
    #1 0x42073416 in realloc () from /lib/i686/libc.so.6
    #2 0x080aafbd in safe_realloc (p=0xbfffe194, siz=121) at lib.c:96
    #3 0x080c58d2 in utf8_to_utf7 (u8=0x80f5708 "", u8len=0, u7=0xbfffe1d4,
        u7len=0x0) at utf7.c:237
    #4 0x080c5961 in imap_utf7_encode (s=0xbfffe1d4) at utf7.c:252
    #5 0x080c4cf7 in imap_munge_mbox_name (
        dest=0xbfffe720 "imap://abcd@192.168.10.10/\020A\020A\020A\020A\020A\020A\020A\020A\020A\020A\020A\020A\020A\020A\020A\020A\020A\020A\020A\020A",
        dlen=1024,
        src=0x80f0e90 "\020A\020A\020A\020A\020A\020A\020A\020A\020A\020A\020A\020A\020A\020A\020A\020A\020A\020A\020A\020A")
        at util.c:507
    #6 0x080bfe65 in imap_open_mailbox (ctx=0x80f0d78) at imap.c:548
    #7 0x08082cca in mx_open_mailbox (
        path=0xbfffedd0 "imap://abcd@192.168.10.10/\020A\020A\020A\020A\020A\020A\020A\020A\020A\020A\020A\020A\020A\020A\020A\020A\020A\020A\020A\020A",
        flags=0,
        pctx=0x0) at mx.c:694
    #8 0x0805ff66 in mutt_index_menu () at curs_main.c:1032
    #9 0x08079083 in main (argc=3, argv=0xbffffa04) at main.c:841
    #10 0x420158d4 in __libc_start_main () from /lib/i686/libc.so.6

    (gdb) x/10i $pc
    0x4207434f <_int_realloc+175>: testb $0x1,0x4(%eax,%esi,1)
    0x42074354 <_int_realloc+180>: jne 0x4207440b <_int_realloc+363>
    0x4207435a <_int_realloc+186>: mov 0xffffffe8(%ebp),%edi
    0x4207435d <_int_realloc+189>: add %eax,%edi
    0x4207435f <_int_realloc+191>: cmp 0xfffffff0(%ebp),%edi
    0x42074362 <_int_realloc+194>: jb 0x4207440b <_int_realloc+363>
    0x42074368 <_int_realloc+200>: mov 0x8(%esi),%edx
    0x4207436b <_int_realloc+203>: mov 0xc(%esi),%eax
    0x4207436e <_int_realloc+206>: mov %eax,0xc(%edx)
    0x42074371 <_int_realloc+209>: mov %edx,0x8(%eax)
    (gdb) p/x $eax
    $22 = 0x41424120
    (gdb) p/x $esi
    $23 = 0x80f2b70

    $22 (the value in %eax) is controlled by the attacker.

    Although we believe this vulnerability to be exploitable, further research
    is required to provide proof of concept code and a reliable exploitation
    method.

    Vendor status:
    Core Notification: 2003-03-11
    Notification acknowledged by Mutt: 2003-03-12
    Fix developed by Mutt: 2003-03-17
    Fix incorporated to releases of Mutt stable and unstable branches:
    2003-03-19
    Public announcement of fixed packages: 2003-03-19

    ADDITIONAL INFORMATION

    The original advisory can be downloaded from:
    http://www.coresecurity.com/common/showdoc.php?idx=310&idxseccion=10

    The information has been provided by CORE Security Technologies
    Advisories (advisories@coresecurity.com).
