[UNIX] HP Tru64 dtmail Local Buffer Overflow

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



HP Tru64 dtmail Local Buffer Overflow
------------------------------------------------------------------------


SUMMARY

The dtmail program is a desktop mail application. It provides an easy to
use interface for viewing, filing, composing and sending electronic mail
folders and mail messages.

dtmail provides a GUI-based interface for manipulating electronic mail
messages that can have attachments. Use the interface to compose a
message, view a message or a folder containing messages, load new mail
,copy or move messages from one folder to another, delete messages, reply
to messages, add and delete attachments to a message when composing, and
view the contents of attachments in a message. dtmail also supplies a
mail-pervasive desktop environment by providing a public Tooltalk API that
other clients can use to compose and send messages.

You can use dtmail as a Post Office Protocol (POP) to connect to mail
servers offering POP services. If you choose this option, you can also
select APOP authentication (if supported by your mail server) to encrypt
your user ID and password during communications with your network mail
server.

dtmail suffers from a buffer overflow vulnerability which could result in
the execution of arbitrary code.

DETAILS

Vulnerable Systems:
* dtmail version 5.1b

More specifically this vulnerability is triggered when using -a flag:
-a file1 ...fileN

Bring up a Compose window with file1 through fileN as attachments.

Technical Details:
This was tested against tru64 version 5.1b using a system (a working
display is required). The following gdb output demonstrates the
vulnerability.

gdb) r -a -a `perl -e 'print "A" x 9000'`
Starting program: /cluster/members/member0/tmp/dtmail -a `perl -e 'print
"A"x 9000'`
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...

Program received signal SIGSEGV, Segmentation fault.
warning: Hit heuristic-fence-post without finding
warning: enclosing function for address 0x4141414141414140
This warning occurs if you are debugging a function without any symbols
(for example, in a stripped executable). In that case, you may wish to
increase the size of the search with the `set heuristic-fence-post'
command.

Otherwise, you told GDB there was a function where there isn't one, or
(more likely) you have encountered a bug in GDB. 0x4141414141414140 in ??
()

Vendor Status:
HP was contacted and a patch has been created.


ADDITIONAL INFORMATION

The information has been provided by <mailto:advisories@xxxxxxxxxxxxx>
Netragard Security Advisories.
The original article can be found at:
<http://www.netragard.com/pdfs/research/HP-TRU64-DTMAIL-20060810.txt>
http://www.netragard.com/pdfs/research/HP-TRU64-DTMAIL-20060810.txt



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Relevant Pages

  • [UNIX] Xmame Buffer Overflow
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Xmame Buffer Overflow ... (no debugging symbols found) ... Disable SUID root for all the installed xmame executables. ...
    (Securiteam)
  • [UNIX] Firebird Database Remote Database Name Overflow
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... A vulnerability in Firebird Database's way of handling database names, ... GNU gdb 6.1-debian Copyright 2004 Free Software Foundation, ... This GDB was configured as "i386-linux"...(no debugging symbols ...
    (Securiteam)
  • [UNIX] Lantonix Secure Console Multiple Vulnerabilities (Buffer Overflow, Directory Traversal, Multi
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Multiple security issues with Lantronix Secure Console Server allow ... (no debugging symbols found)......(no ...
    (Securiteam)
  • [UNIX] dtmail Buffer Overflow
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... The following gdb output demonstrates the ... (no debugging symbols found)...... ... warning: ...
    (Securiteam)
  • [Full-disclosure] [NETRAGARD-20060810 SECURITY ADVISORY] [HP Tru64 dtmail Unchecked Buffer &
    ... Netragard is a unique I.T. Security company whose services are fortified ... by continual vulnerability research and development. ... public Tooltalk API that other clients can use to compose and send ... (no debugging symbols found)...... ...
    (Full-Disclosure)