[UNIX] mutt mutt_decode_xbit() Buffer Overflow
From: SecuriTeam (support_at_securiteam.com)
Date: 09/08/05
To: list@securiteam.com
Date: 8 Sep 2005 14:06:15 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
mutt mutt_decode_xbit() Buffer Overflow
------------------------------------------------------------------------
SUMMARY
"Mutt <http://www.mutt.org/> is a small but very powerful text-based mail
client for UNIX operating systems."
By sending a maliciously crafted email to the mutt program an attacker can
cause the program to execute arbitrary code.
DETAILS
The problem is in the mutt attachment/encoding/decoding functions,
specifically handler.c:mutt_decode_xbit() and the buffer bufi[BUFI_SIZE].
The variable 'l' is used as a counter to reference a position in the
buffer, and under certain circumstances its value can be manipulated to
become much larger than the size of this buffer, thus overwriting other
memory with many possible consequences.
This counter should never exceed the size, and I believe the logic in the
convert_to_state() function is supposed to reset it to 0; however, there is
a flaw - There are other functions affected in the same way due to
copy/paste, such as mutt_decode_uuencoded().
Proof of Concept:
Mutt buffer overflow POC.
Discovered by Frank Denis <j@42-networks.com>
-- snip snip --
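A minimal model of the counter pattern described under DETAILS, added here as an illustration and not taken from mutt's handler.c or from the advisory. The names flush_partial, put_byte and run, the 8-byte BUFI_SIZE, the behaviour of the flush step and the discard-on-full policy are all assumptions; the unhardened path only counts the stores that would fall outside the buffer and never performs them.

```c
#include <stddef.h>
#include <string.h>

#define BUFI_SIZE 8 /* constructed: kept small so the sample input crosses it */

struct dec {
    unsigned char bufi[BUFI_SIZE];
    size_t l;       /* next write position in bufi */
    size_t out;     /* bytes the flush step emitted */
    size_t dropped; /* pending bytes discarded by the hardened path */
    size_t oob;     /* stores that would have landed past bufi */
};

/* Hypothetical flush step: emits the leading bytes below 0x80 and keeps the
 * rest pending, so it can return with l still equal to BUFI_SIZE. */
static void flush_partial(struct dec *d)
{
    size_t n = 0;
    while (n < d->l && d->bufi[n] < 0x80)
        n++;
    d->out += n;
    memmove(d->bufi, d->bufi + n, d->l - n);
    d->l -= n;
}

static void put_byte(struct dec *d, unsigned char ch, int hardened)
{
    if (d->l == BUFI_SIZE)
        flush_partial(d);           /* both variants flush when full */
    if (hardened && d->l >= BUFI_SIZE) {
        d->dropped += d->l;         /* flush freed nothing: discard, reset */
        d->l = 0;
    }
    if (d->l < BUFI_SIZE)
        d->bufi[d->l] = ch;
    else
        d->oob++;                   /* counted, not performed, in this model */
    d->l++;
}

/* Feed len bytes through the decoder and return its final state. */
struct dec run(const unsigned char *in, size_t len, int hardened)
{
    struct dec d;
    memset(&d, 0, sizeof d);
    for (size_t i = 0; i < len; i++)
        put_byte(&d, in[i], hardened);
    return d;
}
```

With hardened set to 0 the caller trusts the flush step to make room, so once a flush leaves l at BUFI_SIZE the equality test never fires again and l keeps growing; the hardened path re-checks the bound before every store.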