Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Exploits-HackingTools
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[UNIX] mutt mutt_decode_xbit() Buffer Overflow

from [SecuriTeam] Network Security [Permanent Link]
Subject: [UNIX] mutt mutt_decode_xbit() Buffer Overflow
Date: 8 Sep 2005 14:06:15 +0200 
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  mutt mutt_decode_xbit() Buffer Overflow
------------------------------------------------------------------------


SUMMARY

" <http://www.mutt.org/> Mutt is a small but very powerful text-based mail 
client for UNIX operating systems."

By sending a maliciously crafted email to the mutt program an attacker can 
cause the program to execute arbitrary code.

DETAILS

The problem is in the mutt attachment/encoding/decoding functions, 
specifically handler.c:mutt_decode_xbit() and the buffer bufi[BUFI_SIZE].

The variable 'l' is used as a counter to reference a position in the 
buffer and under certain circumstances its value can be manipulated and 
becomes much larger than the size of this buffer, thus overwriting other 
memory with many possible consequences.

This counter should never exceed the size and I believe the logic in the 
convert_to_state() function is supposed to reset it to 0, however there is 
a flaw - There are other functions affected in the same way due to 
copy/paste, such as mutt_decode_uuencoded().

Proof of Concept :
Mutt buffer overflow POC.
Discovered by Frank Denis <j@42-networks.com>


-- snip snip --

From test@example.com Tue Jul 12 20:23:31 2005

Date: Tue, 12 Jul 2005 19:33:42 +0900
From: test@example.com
Subject: TEST
To: test@example.com
Content-type: text/plain; charset=ISO-2022-JP

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-- snip snip --

Proof of Concept:
The proof of concept can be found at:  
<http://sightly.net/peter/tmp/mutt-bug> 
http://sightly.net/peter/tmp/mutt-bug.

The last message causes data to be written to addresses bufi[~1300] and 
above, when the size is 1000 (BUFI_SIZE) - this can easily be seen by 
monitoring the counter from gdb or adding printf's. Since this and other 
such experiments cause the propolice canary to get damaged (being right 
next to the return address), it seems very likely for this to be 
exploitable, except on system such as OpenBSD that include ProPolice by 
default.

Possible Fix:
--- handler.c.orig Tue Mar 26 02:49:51 2002
+++ handler.c Wed Aug 10 16:55:02 2005
@@ -95,7 +95,7 @@ static void convert_to_state(iconv_t cd,
     return;
   }
 
- if (cd == (iconv_t)(-1))
+ if (cd == (iconv_t)(-1) || *l >= BUFI_SIZE)
   {
     state_prefix_put (bufi, *l, s);
     *l = 0;


ADDITIONAL INFORMATION

The information has been provided by  <mailto:pvalchev@sightly.net> Peter 
Valchev ,
 <mailto:j@pureftpd.org> Frank Denis.



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [UNIX] mutt mutt_decode_xbit() Buffer Overflow, SecuriTeam <=
Previous by Date:  [REVS] Understanding and Preventing DNS-related Attacks by Phishers, SecuriTeam
Next by Date:  [UNIX] Snort SACK TCP Option Handling DoS, SecuriTeam
Previous by Thread:  [REVS] Understanding and Preventing DNS-related Attacks by Phishers, SecuriTeam
Next by Thread:  [UNIX] Snort SACK TCP Option Handling DoS, SecuriTeam
Indexes:  [Date] [Thread] [Top] [All Lists]