[VulnWatch] iDEFENSE Security Advisory 09.10.03: Two Exploitable Overflows in PINE

From: iDEFENSE Labs (labs_at_idefense.com)
Date: 09/10/03

    To: vulnwatch@vulnwatch.org
    Date: Wed, 10 Sep 2003 16:03:05 -0400


    iDEFENSE Security Advisory 09.10.03:
    Two Exploitable Overflows in PINE
    September 10, 2003


    PINE (The Program for Internet News & Email) is a popular e-mail client
    shipped with many Linux and Unix distributions. It was developed at the
    University of Washington; more information is available at
    http://www.washington.edu/pine/ .


    PINE contains two exploitable vulnerabilities that can be triggered
    when a victim opens a specially crafted email sent by an attacker.

    --- Vulnerability 1: Buffer Overflow ---

    A remotely exploitable buffer overflow exists in the parsing of the
    message/external-body type's attribute name/value pairs. The code
    never checks that the length of the longest attribute name fits in
    the space remaining in its output buffer, so a maliciously formed
    e-mail message can overwrite the control structures that follow the
    buffer in memory. Careful choice of these values allows arbitrary
    code execution. However, because the buffer lives in .bss and what
    sits after it is build-specific, exploitation requires knowledge of
    the targeted version of PINE.

    A 20 KB (20480-byte) character array is declared as:

    #define SIZEOF_20KBUF (20480)

    char tmp_20k_buf[SIZEOF_20KBUF];

    The tmp_20k_buf[] array is stored within the .bss section and
    referenced with a character pointer 'd'. The overflow occurs within
    the following snippet of code from the display_parameters() routine in

    d = tmp_20k_buf;
    if(parmlist = rfc2231_newparmlist(params)){
        /* the bound checks only where the next write STARTS, never how
           long it is; 'longest' is the length of the longest attribute
           name in the message, so the attacker sets the pad width too */
        while(rfc2231_list_params(parmlist) && d < tmp_20k_buf + 10000){
            sprintf(d, "%-*s: %s\n", longest, parmlist->attrib,
                    parmlist->value ? strsquish(tmp_20k_buf + 11000,
                    parmlist->value, 100)    /* value clipped to 100 */
                    : "");
            d += strlen(d);   /* advance to the end of what was written */

    Starting at 'd', each iteration writes one attribute name padded with
    spaces to the width of the longest attribute name ('longest'; the '-'
    flag in "%-*s" left-justifies it), followed by ": " and the squished
    value. The name/value pairs are later displayed. Example:

    Access-Type: ftp
    URL        : ftp://localhost/pub/interesting.ps

    Supplying an attribute name of more than 20 KB overflows the buffer:
    the loop condition checks only where the next write starts
    (d < tmp_20k_buf + 10000), not how many bytes sprintf() will emit,
    and the padding width 'longest' is taken from the attacker's own
    attribute names. The value is clipped to 100 characters by
    strsquish(), but the name is not clipped at all. Writing past the end
    of tmp_20k_buf eventually allows arbitrary code execution.
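    The following is an added example, not PINE's code: it models the
    display_parameters() loop above with a stand-in PARAM list so that the
    defect can be exercised. The buffer size, the 10000-byte loop bound and
    the 100-character strsquish() width are taken from the snippet; the
    PARAM struct, longest_attrib(), the strsquish() stand-in (plain
    truncation to 100 characters into a separate scratch buffer) and the
    80-character cap on the pad width in the hardened version are this
    example's own assumptions. vuln_max_offset() computes, without writing
    anything, how far the original sprintf() would reach into the 20 KB
    buffer; safe_display_parameters() is a bounded replacement.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not PINE code). Constants from the advisory's snippet: */
#define SIZEOF_20KBUF (20480)
#define DISPLAY_LIMIT 10000     /* the 'd < tmp_20k_buf + 10000' loop bound */
#define VALUE_SQUISH  100       /* strsquish(..., 100) width */
#define MAX_PAD_WIDTH 80        /* cap for the hardened version (assumption) */

/* Stand-in for PINE's parameter list (assumption). */
typedef struct param {
    const char *attrib;
    const char *value;
} PARAM;

/* Width used for "%-*s": the longest attribute name in the list. */
static size_t longest_attrib(const PARAM *params, size_t count)
{
    size_t longest = 0;
    for (size_t i = 0; i < count; i++)
        if (strlen(params[i].attrib) > longest)
            longest = strlen(params[i].attrib);
    return longest;
}

/* Stand-in for strsquish(): clip the value to VALUE_SQUISH characters. */
static void squish(char *dst, size_t dstsz, const char *value)
{
    snprintf(dst, dstsz, "%s", value ? value : "");
}

/* Length of one "%-*s: %s\n" line as the original sprintf() would emit
   it, measured with snprintf(NULL, 0, ...) so that nothing is written. */
static size_t line_len(size_t longest, const PARAM *p)
{
    char sq[VALUE_SQUISH + 1];
    squish(sq, sizeof sq, p->value);
    int n = snprintf(NULL, 0, "%-*s: %s\n", (int)longest, p->attrib, sq);
    return n < 0 ? 0 : (size_t)n;
}

/* Highest offset (including the terminating NUL) the original loop would
   touch in tmp_20k_buf. The loop only checks where each write STARTS
   (d < DISPLAY_LIMIT); the write's length, driven by 'longest', is not
   checked at all. */
size_t vuln_max_offset(const PARAM *params, size_t count)
{
    size_t longest = longest_attrib(params, count);
    size_t d = 0, max_off = 0;
    for (size_t i = 0; i < count && d < DISPLAY_LIMIT; i++) {
        size_t n = line_len(longest, &params[i]);
        if (d + n + 1 > max_off)
            max_off = d + n + 1;        /* +1 for sprintf's NUL */
        d += n;                         /* the original's d += strlen(d) */
    }
    return max_off;
}

/* 1 if the original loop would write past the end of the 20 KB buffer. */
int vuln_would_overflow(const PARAM *params, size_t count)
{
    return vuln_max_offset(params, count) > SIZEOF_20KBUF;
}

/* Hardened form: the pad width is capped, the attribute name is printed
   with a precision so it cannot exceed that width, and every write is
   bounded by the space left in 'out'. Returns 1 if output was truncated. */
int safe_display_parameters(char *out, size_t outsz,
                            const PARAM *params, size_t count)
{
    size_t longest = longest_attrib(params, count);
    size_t d = 0;
    if (outsz == 0)
        return 1;
    if (longest > MAX_PAD_WIDTH)
        longest = MAX_PAD_WIDTH;
    out[0] = '\0';
    for (size_t i = 0; i < count; i++) {
        char sq[VALUE_SQUISH + 1];
        squish(sq, sizeof sq, params[i].value);
        int n = snprintf(out + d, outsz - d, "%-*.*s: %s\n",
                         (int)longest, (int)longest, params[i].attrib, sq);
        if (n < 0 || (size_t)n >= outsz - d)
            return 1;                   /* snprintf already NUL-terminated */
        d += (size_t)n;
    }
    return 0;
}
```

    With the two parameters from the advisory's example the original loop
    reaches offset 66 of the buffer; with a second attribute name of 20481
    bytes it reaches past 20480 on the very first iteration, before the
    d < tmp_20k_buf + 10000 test is ever re-evaluated.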

    --- Vulnerability 2: Integer Overflow ---

    A remotely exploitable integer overflow (a signed array index that is
    bounded only from above) exists in the parsing of e-mail headers,
    allowing arbitrary code execution when a malicious e-mail is opened.
    The vulnerability is in the rfc2231_get_param() routine in strings.c,
    which reassembles RFC 2231 parameter continuations. An array of 64
    character pointers is declared:

    #define RFC2231_MAX 64
    char *pieces[RFC2231_MAX];

    and indexed by the signed integer variable 'n':

    if(n < RFC2231_MAX){            /* no check that n >= 0 */
        pieces[n] = parms->value;   /* writes a pointer at pieces + n */

    The variable 'n' is the continuation section number taken from the
    message and is therefore attacker-controlled. A negative value
    satisfies the if statement yet indexes outside the pieces[] array,
    and what is stored there is parms->value, a pointer to attacker-
    supplied data. Arbitrary code execution is possible by placing
    machine code in that value and choosing 'n' so that the out-of-bounds
    write lands on the stored instruction pointer on the stack, which
    then points at the attacker's code.
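    The following is an added example, not PINE's code, modelling the
    rfc2231_get_param() check above. RFC2231_MAX and the pieces[] array
    are from the advisory; the PARAM list, parse_section() (which reads
    the section number N out of a "name*N" or "name*N*" continuation
    attribute, the forms defined by RFC 2231) and join_continuations()
    are this example's own. It shows the one-sided check accepting a
    negative section number while the hardened check rejects it, and
    reassembles a continued parameter with the index bounds enforced.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Added example (not PINE code). From the advisory: */
#define RFC2231_MAX 64

/* Stand-in for PINE's parameter list (assumption). */
typedef struct param {
    const char *attrib;      /* e.g. "url*0" or "url*1*" */
    const char *value;
} PARAM;

/* Parse the section number N out of "<name>*N" or "<name>*N*" (the
   RFC 2231 continuation forms). Returns 1 and stores N on success, 0 if
   attrib is not a continuation of 'name' or N is not a well-formed
   decimal integer. strtol() with ERANGE checking is used so that an
   oversized N is reported rather than wrapping into a small value. */
int parse_section(const char *attrib, const char *name, long *n)
{
    size_t len = strlen(name);
    if (strncmp(attrib, name, len) != 0 || attrib[len] != '*')
        return 0;
    const char *p = attrib + len + 1;
    char *end;
    errno = 0;
    long v = strtol(p, &end, 10);
    if (end == p || errno == ERANGE)
        return 0;
    if (*end == '*')                 /* trailing '*' = charset-encoded piece */
        end++;
    if (*end != '\0')
        return 0;
    *n = v;
    return 1;
}

/* The check as the advisory quotes it: only an upper bound, so every
   negative n passes and pieces[n] lands outside the array. */
int vuln_index_ok(long n)
{
    return n < RFC2231_MAX;
}

/* Hardened check: n must lie in [0, RFC2231_MAX). */
int safe_index_ok(long n)
{
    return n >= 0 && n < RFC2231_MAX;
}

/* Collect the pieces of parameter 'name' in section order into out.
   Returns the number of pieces joined, or -1 if any section number is
   out of range, duplicated or missing, or the result does not fit. */
int join_continuations(const PARAM *params, size_t count, const char *name,
                       char *out, size_t outsz)
{
    const char *pieces[RFC2231_MAX] = {0};
    int highest = -1;
    for (size_t i = 0; i < count; i++) {
        long n;
        if (!parse_section(params[i].attrib, name, &n))
            continue;                    /* some other parameter */
        if (!safe_index_ok(n) || pieces[n] != NULL)
            return -1;                   /* would index outside pieces[] */
        pieces[n] = params[i].value;
        if ((int)n > highest)
            highest = (int)n;
    }
    if (outsz == 0)
        return -1;
    size_t used = 0;
    out[0] = '\0';
    for (int s = 0; s <= highest; s++) {
        if (pieces[s] == NULL)
            return -1;                   /* gap in the sequence */
        size_t l = strlen(pieces[s]);
        if (l >= outsz - used)
            return -1;                   /* bounded copy */
        memcpy(out + used, pieces[s], l);
        used += l;
        out[used] = '\0';
    }
    return highest + 1;
}
```

    A header carrying url*-5* passes vuln_index_ok() and would store the
    value pointer five slots before pieces[]; join_continuations() refuses
    it, and also refuses a section number too large for a long, a
    duplicated section and a gap in the sequence.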


    If an attacker socially engineers a PINE user into opening a
    malformed e-mail message, arbitrary code embedded in it runs with
    the privileges of the user running PINE. It would be trivial to
    fashion this exploit into a worm that targets e-mail addresses found
    in any readable text file (inbox, etc.).


    PINE 4.56 and earlier are vulnerable.


    PINE 4.58, which fixes both of these issues, is available at
    http://www.washington.edu/pine/getpine/ .


    The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project
    has assigned the following identification numbers to these issues:

    CAN-2003-0720: Vulnerability 1 - PINE buffer overflow in its handling
    of the 'message/external-body' type.
    CAN-2003-0721: Vulnerability 2 - PINE integer overflow in MIME header


    15 AUG 2003 Issues acquired by iDEFENSE
    25 AUG 2003 Issues disclosed to pine@cac.washington.edu
    25 AUG 2003 Response from Mark Crispin, University of Washington
    26 AUG 2003 Issues disclosed to iDEFENSE clients
    04 SEP 2003 Issues disclosed to Linux vendors: vendor-sec@lst.de
    10 SEP 2003 Coordinated Public Disclosure


    zen-parse (zen-parse@gmx.net) discovered these vulnerabilities.

    Get paid for security research

    Subscribe to iDEFENSE Advisories:
    send email to listserv@idefense.com, subject line: "subscribe"

    About iDEFENSE:

    iDEFENSE is a global security intelligence company that proactively
    monitors sources throughout the world - from technical
    vulnerabilities and hacker profiling to the global spread of viruses
    and other malicious code. Our security intelligence services provide
    decision-makers, frontline security professionals and network
    administrators with timely access to actionable intelligence
    and decision support on cyber-related threats. For more information,
    visit http://www.idefense.com .

