SecurityTracker.com
Category:  Application (E-mail Server)  >  Emil
Vendors:  Swedish University Network
Emil Buffer Overflows and Format String Flaws Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1009573
CVE Reference:  CAN-2004-0152,  CAN-2004-0153
Date:  Mar 29 2004
Impact:  Execution of arbitrary code via network, User access via network
Fix Available:  Yes
Exploit Included:  Yes
Version(s): 2.1.0-beta9 and prior versions
Description:  Some buffer overflow and format string vulnerabilities were reported in Emil. A remote user can execute arbitrary code on the target system.

Ulf Harnhammar reported that there are several buffer overflows in Emil [CVE: CAN-2004-0152]. The encode_mime(), encode_uuencode(), and decode_uuencode() functions are affected. A remote user can reportedly send a specially crafted e-mail message to cause the Emil filter to execute arbitrary code.

These overflow conditions can be triggered when converting files with long filenames from MIME to uuencode, when parsing uuencoded files with long filenames, and when converting SUN Mailtool files with long filenames to MIME format, the report said.

It is also reported that some of the code that prints error messages contains format string flaws [CVE: CAN-2004-0153]. The impact of these errors was not determined.
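
Both flaw classes described above, unbounded copies of attachment filenames and error text used as a format string, are avoided by the two coding rules shown below. This is an added illustration, not Emil's code and not the patch from the advisory; `parse_uu_begin`, `format_error` and the 64-byte buffer are hypothetical names and sizes chosen for the example.

```c
#include <stdio.h>
#include <string.h>

/* Parse a uuencode header line: "begin <octal mode> <filename>".
 * Returns 0 on success, -1 if malformed, -2 if the filename does not fit.
 * The unsafe pattern this replaces is an unbounded copy (strcpy, or
 * sscanf with a bare %s) of the filename into a fixed-size stack array. */
int parse_uu_begin(const char *line, unsigned *mode, char *name, size_t name_sz)
{
    if (strncmp(line, "begin ", 6) != 0)
        return -1;
    const char *p = line + 6;
    unsigned m = 0;
    int digits = 0;
    while (*p >= '0' && *p <= '7' && digits < 4) {
        m = m * 8 + (unsigned)(*p++ - '0');
        digits++;
    }
    if (digits < 3 || *p != ' ')
        return -1;
    p++;
    size_t len = strcspn(p, "\r\n");      /* filename runs to end of line */
    if (len == 0)
        return -1;
    if (len >= name_sz)
        return -2;                        /* reject: no truncation, no overflow */
    memcpy(name, p, len);
    name[len] = '\0';
    *mode = m;
    return 0;
}

/* Error text built with a constant format string; the untrusted filename
 * is only ever an argument, so "%n" or "%s" inside it is printed literally. */
int format_error(char *out, size_t out_sz, const char *untrusted)
{
    return snprintf(out, out_sz, "rejected attachment name: %s", untrusted);
}

int main(void)
{
    char name[64], msg[128];
    unsigned mode;
    const char *sample = "begin 644 %n%s-report.txt\n";  /* constructed input */
    if (parse_uu_begin(sample, &mode, name, sizeof name) == 0) {
        format_error(msg, sizeof msg, name);
        puts(msg);
    }
    return 0;
}
```

The same length check applies wherever a filename crosses from one message format to another, since each conversion path copies the name into a new buffer.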

Impact:  A remote user can cause arbitrary code to be executed on the target system with the privileges of the emil process.
Solution:  An unofficial patch is available in the Source Message [it is a Base64 encoded tar/gz file].
Cause:  Boundary error, Input validation error, State error
Underlying OS:  Linux (Any), UNIX (Any)
Reported By:  <Ulf.Harnhammar.9485@student.uu.se>
Message History:   This archive entry has one or more follow-up message(s) listed below.
Mar 29 2004 (Debian Issues Fix) Emil Buffer Overflows and Format String Flaws Let Remote Users Execute Arbitrary Code   (Matt Zimmerman <mdz@debian.org>)
Debian has released a fix.



 Source Message Contents

Date:  Thu, 25 Mar 2004 21:31:50 +0100
From:  Ulf Härnhammar <Ulf.Harnhammar.9485@student.uu.se>
Subject:  Re: [SECURITY] [DSA 468-1] New emil packages fix multiple vulnerabilities

 

---MOQ108024671013ff15bbe835157a1d2fccf9c24129de
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

"Emil v2 is a filter for converting Internet Messages. It supports
three basic formats: MIME, SUN Mailtool and plain old style RFC822."
It is an old program from SUNET (Swedish University NETwork).

Emil is one of the packages in SUSE Linux and Debian GNU/Linux. It
is also one of the ports in the FreeBSD Ports Collection.

The usual setup is that sendmail or procmail pipe messages from
the network to Emil.

At least versions 2.0.4, 2.0.5 and 2.1.0-beta9 are vulnerable to
several stack-based buffer overflows while parsing and otherwise
handling the filenames of attached files, while 2.1.0-beta9 also is
vulnerable to some rather obscure format string bugs while printing
error messages.

I have attached the archive emil.advisory-data.tar.gz, with a
security patch against 2.1.0-beta9 and three test messages.

testmail1 and run1.sh give an example of a buffer overflow that
occurs when converting files with long filenames from MIME to
uuencode.

testmail2 and run2.sh show a buffer overflow that occurs when
parsing uuencoded files with long filenames.

testmail3 and run3.sh show a buffer overflow that occurs when
converting SUN Mailtool files with long filenames to MIME.

-- 
Ulf Harnhammar
http://www.advogato.org/person/metaur/


---MOQ108024671013ff15bbe835157a1d2fccf9c24129de
Content-Type: application/gzip; name="emil.advisory-data.tar.gz"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="emil.advisory-data.tar.gz"


---MOQ108024671013ff15bbe835157a1d2fccf9c24129de--

Copyright 2004, SecurityGlobal.net LLC