Category:   Application (E-mail Client)  >  Ximian Evolution
Vendors:   Ximian
Evolution Format String Bugs in Processing vCards Allow Remote Users to Execute Arbitrary Code
SecurityTracker Alert ID:  1014670
SecurityTracker URL:  http://securitytracker.com/id/1014670
CVE Reference:   CAN-2005-2549, CAN-2005-2550
Updated:  Aug 29 2005
Original Entry Date:  Aug 13 2005
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): Evolution 1.5 to Evolution 2.3.6.1
Description:   Multiple vulnerabilities were identified in Evolution. A remote user can cause arbitrary code to be executed on the target user's system.

Several format string vulnerabilities exist in Evolution, resulting from the way it processes data from remote sources.

The first vulnerability involves viewing vCard data attached to an e-mail message. When such a message is opened, only a condensed view of the vCard is displayed and the vulnerability is not triggered. To trigger it, the user must view the entire vCard or perform a similar action, such as saving the vCard in the address book and viewing the saved data in Contacts.

The flaw can be exploited by sending Evolution users e-mail messages whose vCard attachments contain malicious code.

The second format string vulnerability involves the display of contact data from remote LDAP servers.

The third format string vulnerability involves the display of task list data from remote servers.

The fourth format string vulnerability involves using the Calendar tab to save task list data that is vulnerable to the third vulnerability described above. Other calendar entries that do not come from task lists are also affected.
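
The bug class described above and its correction, as an added example; this is not code from Evolution, from the SITIC patch, or from SecurityTracker. The names `stream_printf`, `render_field_unsafe`, `render_field_safe` and `count_conversions` are hypothetical, and the sample field value is constructed.

```c
#include <stdarg.h>
#include <stdio.h>

/* Hypothetical printf-style stream writer (not Evolution's code). */
static int stream_printf(char *out, size_t cap, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, cap, fmt, ap);
    va_end(ap);
    return n;
}

/* Vulnerable pattern: the remote-controlled field IS the format string,
 * so conversions in it are interpreted against arguments never passed. */
int render_field_unsafe(char *out, size_t cap, const char *field)
{
    return stream_printf(out, cap, field);
}

/* Hardened pattern: constant format, field passed only as data. */
int render_field_safe(char *out, size_t cap, const char *field)
{
    return stream_printf(out, cap, "%s", field);
}

/* Triage helper: count '%' that would start a conversion (anything other
 * than a literal "%%") if the field were used as a format string. */
int count_conversions(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s == '%' && s[1] == '%')
            s++;            /* "%%" prints one literal percent sign */
        else if (*s == '%')
            n++;            /* would consume a variadic argument */
    }
    return n;
}

int main(void)
{
    char a[64], b[64];
    const char *fn = "Save 50%% today";  /* constructed contact field */
    render_field_unsafe(a, sizeof a, fn);
    render_field_safe(b, sizeof b, fn);
    printf("unsafe: %s\nsafe:   %s\n", a, b);
}
```

The unsafe variant is exercised only with `%%`, which consumes no arguments and so stays within defined behaviour while still showing that the field is parsed as a format rather than printed verbatim.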

Ulf Harnhammar of the Swedish IT Incident Centre (SITIC) reported the vulnerabilities.

Impact:   A remote user can cause arbitrary code to be executed on the target user's system. The code is typically executed with the privileges of the user, service, or application that was used to activate the code.
Solution:   The vendor has issued a fixed version (2.3.7), available at:

ftp.gnome.org/pub/gnome/sources/evolution/

Vendor URL:  www.ximian.com/
Cause:   Input validation error, State error
Underlying OS:   Linux (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Aug 29 2005 (Red Hat Issues Fix) Evolution Format String Bugs in Processing vCards Allow Remote Users to Execute Arbitrary Code   (bugzilla@redhat.com)
Red Hat has released a fix.



 Source Message Contents

Date:  Wed, 10 Aug 2005 15:59:30 +0200
Subject:  [Full-disclosure] Evolution multiple remote format string bugs

* SITIC Vulnerability Advisory *

           Advisory Name: Evolution multiple remote format string bugs
      Advisory Reference: SA05-001
 Date of initial release: 2005-08-10
                 Product: Evolution 1.5, 2.0, 2.1, 2.2, 2.3
                Platform: Linux, BSD systems, Unix
                  Effect: Remote code execution
Vulnerability Identifier: Not assigned


Overview:

Evolution suffers from several format string bugs when handling data from
remote sources. These bugs lead to crashes or the execution of arbitrary
assembly language code.


Details:

1) The first format string bug occurs when viewing the full vCard data
attached to an e-mail message.

When opening an e-mail message, only a compact view of some of the fields
from the vCard is displayed, and this does not trigger the vulnerability.
To be affected, the user must click on Show Full vCard or perform similar
actions such as clicking on Save in Addressbook and then viewing the saved
data under the Contacts tab.

Why is this important? An attacker might notice that an organisation uses
Evolution, for instance after seeing the "X-Mailer: Evolution x.y.z" e-mail
header in their e-mails. He or she could then send out e-mail messages with
malicious vCards to many e-mail accounts at the organisation, in the hope
that some of the recipients will view the full vCard data sooner or later,
thus exposing the organisation to this format string bug.


2) The second format string bug occurs when displaying contact data from
remote LDAP servers.


3) The third format string bug occurs when displaying task list data from
remote servers.


4) The fourth, and least serious, format string bug occurs when the user
goes to the Calendars tab to save task list data that is vulnerable to
problem 3 above. Other calendar entries that do not come from task lists
are also affected.


Mitigating factors:

Users that never use any of the vulnerable features in Evolution are not
affected.


Affected versions:

  o  Evolution 1.5 to Evolution 2.3.6.1


Recommendations:

We recommend that users either upgrade to Evolution 2.3.7 (unstable) or
apply our unofficial patch to their Evolution installation.


Patch information:

Evolution 2.3.7 is available from the following source:

  o  http://ftp.gnome.org/pub/gnome/sources/evolution/

Our unofficial patch is available from our home page:

  o  http://www.sitic.se


Acknowledgments:

These vulnerabilities were discovered by Ulf Harnhammar for SITIC, Swedish
IT Incident Centre.


Contact information:

Swedish IT Incident Centre, SITIC
P O Box 5398, SE-102 49 Stockholm, Sweden
Telephone: +46-8-678 5799
Email: sitic at pts dot se
http://www.sitic.se


Revision history:

First published 2005-08-10


About SITIC:

The Swedish IT Incident Centre within the National Post and Telecom Agency
has the task to support society in working with protection against IT
incidents. SITIC facilitates exchange of information regarding IT incidents
between organisations in society, and disseminates information about new
problems which potentially may impede the functionality of IT systems. In
addition, SITIC provides information and advice regarding proactive measures
and compiles and publishes statistics.


Disclaimer:

The decision to follow or act on information or advice contained in this
Vulnerability Advisory is the responsibility of each user or organisation.
SITIC accepts no responsibility for any errors or omissions contained within
this Vulnerability Advisory, nor for any consequences which may arise from
following or acting on information or advice contained herein.

Attachment: evolution.formatstring.patch

Copyright 2013, SecurityGlobal.net LLC