[UNIX] mutt mutt_decode_xbit() Buffer Overflow

From: SecuriTeam (support_at_securiteam.com)
Date: 09/08/05


To: list@securiteam.com
Date: 8 Sep 2005 14:06:15 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  mutt mutt_decode_xbit() Buffer Overflow
------------------------------------------------------------------------

SUMMARY

" <http://www.mutt.org/> Mutt is a small but very powerful text-based mail
client for UNIX operating systems."

By sending a maliciously crafted email to the mutt program an attacker can
cause the program to execute arbitrary code.

DETAILS

The problem is in the mutt attachment/encoding/decoding functions,
specifically handler.c:mutt_decode_xbit() and the buffer bufi[BUFI_SIZE].

The variable 'l' is used as a counter that indexes a position in this buffer.
Under certain circumstances its value can be manipulated so that it becomes
much larger than the size of the buffer, and subsequent writes then overwrite
other memory, with many possible consequences.

This counter should never exceed the size, and I believe the logic in the
convert_to_state() function is supposed to reset it to 0; however, there is
a flaw. There are other functions affected in the same way due to
copy/paste, such as mutt_decode_uuencoded().
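The pattern the advisory describes is an accumulate-and-flush loop: bytes are stored into a fixed buffer bufi[BUFI_SIZE] through an index l, and a conversion routine is expected to drain the buffer and lower l once it fills. The following C program is an added illustration written for this page; it is not mutt's code, and BUFI_SIZE, the sink structure and the three flush callbacks (stand-ins for convert_to_state(), including one that deliberately makes no progress) are constructed assumptions. It shows a decoder that proves l is below the buffer size before every store and fails closed when the flush frees nothing, instead of trusting the flush to have made room.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example: BUFI_SIZE is tiny here so a short input crosses the
 * refill boundary several times; the value is an assumption, not mutt's. */
#define BUFI_SIZE 16

/* Stand-in for convert_to_state(): convert as many of the pending bytes as
 * possible and report how many were consumed. The rest stay pending. */
typedef size_t (*flush_fn)(const char *buf, size_t len, void *ctx);

/* Where the sample converters deliver their output (constructed). */
struct sink {
    char out[256];
    size_t n;
};

static void sink_put(struct sink *sk, const char *p, size_t len)
{
    size_t room = sizeof sk->out - sk->n;
    if (len > room) len = room;
    memcpy(sk->out + sk->n, p, len);
    sk->n += len;
}

/* Converter that consumes everything it is handed. */
static size_t flush_all(const char *buf, size_t len, void *ctx)
{
    sink_put(ctx, buf, len);
    return len;
}

/* Converter that keeps the last byte pending, the way a charset converter
 * behaves when a chunk ends in the middle of a multibyte sequence. */
static size_t flush_leave_one(const char *buf, size_t len, void *ctx)
{
    size_t take = len ? len - 1 : 0;
    sink_put(ctx, buf, take);
    return take;
}

/* Converter that makes no progress at all. A loop that stores first and only
 * then flushes, trusting the flush to lower l, would next store at
 * bufi[BUFI_SIZE] after this callback. */
static size_t flush_stuck(const char *buf, size_t len, void *ctx)
{
    (void)buf; (void)len; (void)ctx;
    return 0;
}

/* Checked loop: returns the number of input bytes processed, or -1 when a
 * flush could not make room. The store happens only once l < BUFI_SIZE holds. */
static long decode_checked(const char *in, size_t inlen, flush_fn flush, void *ctx)
{
    char bufi[BUFI_SIZE];
    size_t l = 0;
    size_t i;

    for (i = 0; i < inlen; i++) {
        if (l == BUFI_SIZE) {
            size_t used = flush(bufi, l, ctx);
            if (used == 0)
                return -1;              /* no room was made: refuse to store */
            if (used > l)
                used = l;               /* never trust an over-reporting callback */
            memmove(bufi, bufi + used, l - used);   /* keep the unconverted tail */
            l -= used;
        }
        bufi[l++] = in[i];              /* l < BUFI_SIZE is guaranteed here */
    }

    /* Drain what remains. A stalled converter leaves bytes unconverted, but
     * with no further stores there is nothing left to overflow. */
    while (l > 0) {
        size_t used = flush(bufi, l, ctx);
        if (used == 0)
            break;
        if (used > l)
            used = l;
        memmove(bufi, bufi + used, l - used);
        l -= used;
    }
    return (long)i;
}

int main(void)
{
    /* Constructed input: 36 bytes, i.e. more than two refills of bufi. */
    static const char msg[] = "0123456789abcdefghijklmnopqrstuvwxyz";
    struct sink sk = {{0}, 0};
    long rc = decode_checked(msg, sizeof msg - 1, flush_all, &sk);
    printf("flush_all:   rc=%ld delivered=%zu\n", rc, sk.n);
    sk.n = 0;
    rc = decode_checked(msg, sizeof msg - 1, flush_stuck, &sk);
    printf("flush_stuck: rc=%ld delivered=%zu\n", rc, sk.n);
    return 0;
}
```

The design point is where the bound is checked: before the store, on the index that the store will use, rather than after it on the assumption that the flush restored the invariant. With flush_all every byte is delivered; with flush_leave_one the memmove carries one pending byte across each refill and only the final byte stays unconverted; with flush_stuck the decoder returns -1 at the first full buffer without ever touching bufi[BUFI_SIZE].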

Proof of Concept:
Mutt buffer overflow POC.
Discovered by Frank Denis <j@42-networks.com>

-- snip snip --


