[NT] Gaucho Email Client Buffer Overflow

From: SecuriTeam (support_at_securiteam.com)
Date: 08/26/04

  • Next message: SecuriTeam: "[UNIX] CDE Mailer argv[0] Format String"
    To: list@securiteam.com
    Date: 26 Aug 2004 11:00:51 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Gaucho Email Client Buffer Overflow
    ------------------------------------------------------------------------

    SUMMARY

    Gaucho (http://homepage1.nifty.com/nakedsoft/) is "an Email client
    developed by NakedSoft for Microsoft Windows platforms. Gaucho supports
    SMTP, POP3 and other email delivery protocols".

    Gaucho is vulnerable to a buffer overflow when it receives a malformed
    email containing an arbitrarily long Content-Type header field.

    DETAILS

    Vulnerable Systems:
     * Gaucho 1.4 Build 145

    Immune Systems:
     * Gaucho 1.4 Build 151

    Technical Details:
    Gaucho version 1.4 Build 145 is vulnerable to a buffer overflow that is
    triggered when Gaucho parses a specially crafted email whose Content-Type
    header field contains an abnormally long string. The string overruns a
    stack buffer and overwrites a Structured Exception Handler (SEH) record;
    when the resulting exception is dispatched, the overwritten handler
    address is loaded into EIP, so the overflow can be exploited to execute
    arbitrary code. A sample email that will trigger the overflow is shown
    below.

     Date: Mon, 09 Aug 2004 19:44:13 +0800
     Subject: Testing
     To: a@aaaaaa.xxx
     From: XX <xx@xxxxxxxx.xxx.xx>
     Message-ID: <GM109205179359A000.b76.xx@xxxxxxxx.xxx.xx>
     MIME-Version: 1.0
     Content-Type: AAAAAAAAAAAAA[approx. 280 chars]...; charset=US-ASCII
     Content-Transfer-Encoding: 7bit
     X-Mailer: Gaucho Version 1.4.0 Build 145
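
    The following is an added illustration, not code from the advisory, from
    Chew Keong TAN's proof of concept, or from NakedSoft's Gaucho. It shows the
    bug class above in miniature: a header parser that copies the Content-Type
    value into a fixed-size stack buffer without a bound, next to a bounded
    version that rejects an oversize value, plus a builder that produces a
    message shaped like the sample (with a configurable run of 'A's). The buffer
    size CT_MAX, the function names and the header-block parser are assumptions
    for the example; Gaucho's real buffer size and internal layout are not known
    from the advisory.

```c
/* Added example (not the advisory's or Gaucho's code): unbounded vs. bounded
 * Content-Type extraction, and a builder for the trigger-shaped message. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CT_MAX 128   /* assumed fixed stack buffer size; not Gaucho's actual value */

/* Case-insensitive compare of n bytes. */
static int ieq(const char *a, const char *b, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) return 0;
    return 1;
}

/* Locate header `name` in the header block of `msg` (CRLF or LF line ends).
 * Returns a pointer to the value (leading whitespace skipped) and its length
 * (trailing CR/space stripped), or NULL if absent. Stops at the first blank
 * line. Folded (continuation-line) headers are not joined; this is a minimal
 * parser for the example only. */
static const char *find_header(const char *msg, const char *name, size_t *len) {
    size_t nlen = strlen(name);
    const char *line = msg;
    while (*line) {
        if (line[0] == '\n' || (line[0] == '\r' && line[1] == '\n')) break;
        const char *eol = strchr(line, '\n');
        size_t linelen = eol ? (size_t)(eol - line) : strlen(line);
        if (linelen > nlen && line[nlen] == ':' && ieq(line, name, nlen)) {
            const char *v = line + nlen + 1;
            while (v < line + linelen && (*v == ' ' || *v == '\t')) v++;
            size_t vlen = (size_t)(line + linelen - v);
            while (vlen && (v[vlen - 1] == '\r' || v[vlen - 1] == ' ')) vlen--;
            *len = vlen;
            return v;
        }
        if (!eol) break;
        line = eol + 1;
    }
    return NULL;
}

/* The vulnerable pattern: the copy length comes from the message, not from
 * the destination size. A value longer than CT_MAX-1 overruns `out` (and,
 * on a stack buffer, whatever lies above it, such as an SEH record).
 * Works fine on well-formed mail, which is why such bugs survive testing. */
static void copy_content_type_unsafe(const char *msg, char out[CT_MAX]) {
    size_t len;
    const char *v = find_header(msg, "Content-Type", &len);
    if (!v) { out[0] = '\0'; return; }
    memcpy(out, v, len);      /* no bound: stack overflow when len >= CT_MAX */
    out[len] = '\0';
}

/* Hardened form: bound the copy by the destination and reject (rather than
 * silently truncate) an oversize value. 0 = ok, -1 = missing, -2 = oversize. */
static int copy_content_type_safe(const char *msg, char out[CT_MAX]) {
    size_t len;
    const char *v = find_header(msg, "Content-Type", &len);
    out[0] = '\0';
    if (!v) return -1;
    if (len >= CT_MAX) return -2;   /* leave room for the terminating NUL */
    memcpy(out, v, len);
    out[len] = '\0';
    return 0;
}

/* Build a message shaped like the advisory's sample with n_as 'A's in the
 * Content-Type value (constructed test input; caller frees). */
static char *build_trigger_message(size_t n_as) {
    const char *head = "Date: Mon, 09 Aug 2004 19:44:13 +0800\r\nSubject: Testing\r\n"
                       "To: a@aaaaaa.xxx\r\nMIME-Version: 1.0\r\nContent-Type: ";
    const char *tail = "; charset=US-ASCII\r\nContent-Transfer-Encoding: 7bit\r\n\r\nbody\r\n";
    size_t hl = strlen(head), tl = strlen(tail);
    char *m = malloc(hl + n_as + tl + 1);
    if (!m) return NULL;
    memcpy(m, head, hl);
    memset(m + hl, 'A', n_as);
    memcpy(m + hl + n_as, tail, tl + 1);
    return m;
}

int main(void) {
    char buf[CT_MAX];
    const char *benign = "Subject: hi\r\nContent-Type: text/plain; charset=US-ASCII\r\n\r\nhello\r\n";
    copy_content_type_unsafe(benign, buf);   /* safe only because the value is short */
    printf("unsafe copy on benign mail: \"%s\"\n", buf);
    char *trig = build_trigger_message(280);
    if (!trig) return 1;
    printf("safe copy on trigger mail: rc=%d (oversize Content-Type rejected)\n",
           copy_content_type_safe(trig, buf));
    /* copy_content_type_unsafe(trig, buf) would overrun buf by ~170 bytes. */
    free(trig);
    return 0;
}
```

    A mail gateway or a hardened client can apply the same check before
    handing the message to the parser: any Content-Type value longer than the
    destination buffer is rejected up front instead of being copied.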

    Vendor Status:
    Author has fixed the vulnerability in Version 1.4 Build 151. Users are
    advised to upgrade to the fixed version. The patched build can be
    downloaded from the following link.
     http://homepage1.nifty.com/nakedsoft/Gaucho/Gaucho14.html

    Proof Of Concept
    Proof-of-concept code to validate this vulnerability can be downloaded
    from this URL
     http://www.security.org.sg/vuln/gaucho140poc.cpp

    ADDITIONAL INFORMATION

    The information has been provided by Chew Keong TAN
    (chewkeong@security.org.sg).
    The original article can be found at:
     http://www.security.org.sg/vuln/gaucho140.html

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

