[NT] Two Exploitable Overflows in PINE (message/external-body type, e-mail headers)

From: SecuriTeam (support_at_securiteam.com)
Date: 09/14/03

    To: list@securiteam.com
    Date: 14 Sep 2003 14:30:26 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

    Two Exploitable Overflows in PINE (message/external-body type, e-mail headers)
    ------------------------------------------------------------------------

    SUMMARY

    PINE (The Program for Internet News & Email, http://www.washington.edu/pine/)
    is "a popular e-mail client shipped with many Linux and UNIX distributions.
    It was developed at the University of Washington".

    PINE contains two exploitable vulnerabilities that can be triggered when a
    victim opens a specially crafted email sent by an attacker.

    DETAILS

    Vulnerable Systems:
     * PINE version 4.56 and earlier is vulnerable.

    Immune Systems:
     * PINE version 4.58

    Buffer Overflow:
    A remotely exploitable buffer overflow exists within the parsing of the
    message/external-body type attribute name/value pairs. Failure to check
    that the length of the longest attribute is less than the space available
    allows a maliciously formed e-mail message to overwrite control
    structures. Careful modification of these values allows arbitrary code
    execution. However, exploitation requires knowledge of the targeted
    version of PINE.

    A 20kb character array is declared as:
    headers.h:
    #define SIZEOF_20KBUF (20480)

    pine.c:
    char tmp_20k_buf[SIZEOF_20KBUF];

    The tmp_20k_buf[] array is stored within the .bss section and referenced
    with a character pointer 'd'. The overflow occurs within the following
    snippet of code from the display_parameters() routine in mailview.c:
    d = tmp_20k_buf;
    if(parmlist = rfc2231_newparmlist(params)){
        while(rfc2231_list_params(parmlist) && d < tmp_20k_buf + 10000){
            /* 'd' is bounds-checked only before each sprintf(); the length of
               parmlist->attrib written through "%-*s" is never bounded */
            sprintf(d, "%-*s: %s\n", longest, parmlist->attrib,
                    parmlist->value ? strsquish(tmp_20k_buf + 11000,
                    parmlist->value, 100)
                    : "");
            d += strlen(d);
        }
    }

    Starting at 'd', the code adds spaces to the left of each attribute name as
    padding, so that every name is as long as the 'longest' one, and then
    displays the attribute name/value pairs. Example:
    Access-Type: ftp
            URL: ftp://localhost/pub/interesting.ps

    Supplying any attribute name that is over 20kb in length will overflow the
    buffer, eventually allowing for arbitrary code execution.
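    A bounded rewrite of the display loop, added here as an illustration (it is not PINE's code): the snippet's "%-*s: %s\n" format string is kept, but every write is checked against the space remaining, so an attribute name longer than the buffer is rejected instead of being written past its end. The struct parm type, format_params() and the demo inputs are constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#define SIZEOF_20KBUF (20480)

struct parm { const char *attrib; const char *value; };

/* Render "attrib: value" lines into out[outsz], padding each name to the
 * width of the longest one as display_parameters() does. Unlike the
 * sprintf() loop quoted in the advisory, the remaining space is re-checked
 * on every write, so an oversized attribute name cannot run past the end
 * of the buffer. Returns bytes written, or -1 (out emptied) on overflow. */
int format_params(char *out, size_t outsz, const struct parm *p, size_t n)
{
    size_t longest = 0, used = 0;
    if (outsz == 0) return -1;
    out[0] = '\0';
    for (size_t i = 0; i < n; i++)
        if (strlen(p[i].attrib) > longest)
            longest = strlen(p[i].attrib);
    /* A padded line needs longest+3 bytes; also keeps the '*' width an int */
    if (longest >= outsz) return -1;
    for (size_t i = 0; i < n; i++) {
        int w = snprintf(out + used, outsz - used, "%-*s: %s\n",
                         (int)longest, p[i].attrib,
                         p[i].value ? p[i].value : "");
        if (w < 0 || (size_t)w >= outsz - used) {
            out[0] = '\0';
            return -1;
        }
        used += (size_t)w;
    }
    return (int)used;
}

/* Constructed inputs: the advisory's example pair, then an attribute name
 * longer than the whole 20KB buffer, as in the reported overflow. */
const char *demo_example(void)
{
    static char out[SIZEOF_20KBUF];
    const struct parm p[] = { { "Access-Type", "ftp" },
                              { "URL", "ftp://localhost/pub/interesting.ps" } };
    return format_params(out, sizeof out, p, 2) < 0 ? NULL : out;
}

int demo_oversized(void)
{
    static char big[SIZEOF_20KBUF + 100], out[SIZEOF_20KBUF];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    const struct parm p[] = { { big, "x" } };
    return format_params(out, sizeof out, p, 1);   /* -1: rejected, no overrun */
}
```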

    Integer Overflow:
    A remotely exploitable integer overflow exists in the parsing of e-mail
    headers, allowing for arbitrary code execution upon the opening of a
    malicious e-mail. The vulnerability exists within the rfc2231_get_param()
    routine found in the strings.c file. A character array of size 64 is
    declared:

    #define RFC2231_MAX 64
    ..
    char *pieces[RFC2231_MAX];

    and indexed by the signed integer variable 'n':

    if(n < RFC2231_MAX){          /* no check that n >= 0 */
        pieces[n] = parms->value;
    }

    The variable 'n' is attacker-controlled and can be set to contain a
    negative value that satisfies the if statement yet references an
    out-of-bounds index within the pieces[] array. Arbitrary code execution is
    possible by storing assembly code within the parms->value structure and
    writing beyond the 64-byte character array, thereby overwriting the stored
    instruction pointer on the stack.
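    As an added example (not PINE's code), the index check the advisory describes, done with both bounds: the section number N is taken from RFC 2231's name*N continuation syntax and rejected when negative, out of range or malformed before it is used as an array index. rfc2231_section(), store_piece() and the demo values are constructed for this example.

```c
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <errno.h>

#define RFC2231_MAX 64

/* Parse the section number N from an RFC 2231 continued parameter name such
 * as "title*1" or "title*1*" (the trailing '*' marks an encoded piece).
 * Returns N, or -1 if there is no section, the digits are malformed, or N
 * lies outside [0, RFC2231_MAX). This is the check the advisory says was
 * missing: 'n < RFC2231_MAX' alone still admits a negative index. */
int rfc2231_section(const char *attrib)
{
    const char *star = strchr(attrib, '*');
    char *end;
    long n;
    if (!star || isspace((unsigned char)star[1])) return -1;
    errno = 0;
    n = strtol(star + 1, &end, 10);
    if (end == star + 1 || errno != 0 || n < 0 || n >= RFC2231_MAX)
        return -1;                       /* both bounds, plus overflow */
    if (*end != '\0' && strcmp(end, "*") != 0)
        return -1;                       /* only "*N" or "*N*" allowed */
    return (int)n;
}

/* Store one continuation piece; returns 0 on success, -1 if rejected. */
int store_piece(const char *pieces[RFC2231_MAX], const char *attrib, const char *value)
{
    int n = rfc2231_section(attrib);
    if (n < 0) return -1;
    pieces[n] = value;
    return 0;
}

/* Constructed demo: two well-formed pieces, then names whose section would
 * index before or past the array (the class of bug in CAN-2003-0721). */
int demo_pieces(void)
{
    const char *pieces[RFC2231_MAX] = { 0 };
    if (store_piece(pieces, "title*0*", "us-ascii'en'This%20is") != 0) return 1;
    if (store_piece(pieces, "title*1", "%20too%20long") != 0) return 2;
    if (store_piece(pieces, "title*-5", "x") != -1) return 3;    /* negative */
    if (store_piece(pieces, "title*64", "x") != -1) return 4;    /* past end */
    if (store_piece(pieces, "title*99999999999999999999", "x") != -1) return 5;
    return 0;
}
```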

    Vendor Status:
    PINE 4.58, which fixes both of these issues, is available at
    http://www.washington.edu/pine/getpine/

    Disclosure Timeline:
    15 AUG 2003 Issues acquired by iDEFENSE
    25 AUG 2003 Issues disclosed to pine@cac.washington.edu
    25 AUG 2003 Response from Mark Crispin, University of Washington
    26 AUG 2003 Issues disclosed to iDEFENSE clients
    04 SEP 2003 Issues disclosed to Linux vendors: vendor-sec@lst.de
    10 SEP 2003 Coordinated Public Disclosure

    CVE Information:
    CAN-2003-0720: PINE buffer overflow in its handling of the
    'message/external-body' type.
    CAN-2003-0721: PINE integer overflow in MIME header parsing.

    ADDITIONAL INFORMATION

    The original advisory can be found at:
    http://www.idefense.com/advisory/09.10.03.txt

    The information has been provided by iDEFENSE Labs (labs@idefense.com);
    the vulnerability was discovered by zen-parse (zen-parse@gmx.net).

