7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.926 High
EPSS
Percentile
99.0%
Multiple format string vulnerabilities in the metamail package could allow a remote attacker to execute arbitrary code on the vulnerable system. An attacker may be able to exploit these vulnerabilities via a specially-crafted email message.
The metamail package is one of the first widely adopted packages developed to handle Multipurpose Internet Mail Extensions (MIME) data, and includes a number of programs for handling various MIME types. Although it is mostly historic, it is still in wide deployment in many environments. Two format string vulnerabilities have been discovered in various portions of the metamail codebase. According to an analysis published by Ulf Hรคrnhammar:
The first format string bug occurs when a message has a โmultipart/alternativeโ media type and one of the body parts has a โContent-Typeโ header with parameter names or values containing formatting codes. It occurs because of two bad _fprintf()_
statements in the function _SaveSquirrelFile()_
- yes, itโs really called that - in metamail.c. [โฆ]
The second format string bug occurs when a message has encoded non-ASCII characters in the mail headers (as described in RFC 2047), an unknown encoding, and encoded text containing formatting codes. It is caused by a bad _printf()_
statement in the function _PrintHeader()_
in metamail.c. [โฆ]
Although programs included in the metamail package can be invoked explicitly by a user from the command line, they are commonly invoked automatically by a mail reader or intermediate mail handling applications. Examples of such applications include, but are not limited to, virus scanners, spam filtering software, and mail delivery agents such as procmail
. This is an important consideration since messages containing malicious code may be automatically or inadvertently passed to metamail in these cases.
**NOTE:**Proof-of-concept exploit code has been published for this vulnerability.
An attacker may be able to execute code of their choosing on a vulnerable system by introducing a specially-crafted MIME attachment. The code would be executed in the context of the user who invoked the metamail program or mail handling program that launched metamail.
Apply a patch from the vendor
Although the metamail package is unmaintained by the original author, some redistributors have released patches. Please see the Systems Affected section of this document for more details.
518518
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
Updated: February 24, 2004
Affected
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
The Debian Security Team has released Debian Security Advisory DSA-449 in response to this issue. Users are encouraged to review this advisory and apply the patches it refers to.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23518518 Feedback>).
Updated: February 20, 2004
Affected
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
MandrakeSoft has published MandrakeSoft Security Advisory MDKSA-2004:014 in response to this issue. Users are encouraged to review this advisory and apply the patches it refers to.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23518518 Feedback>).
Updated: March 04, 2004
Affected
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
Red Hat, Inc. has published Red Hat Security Advisory RHSA-2004:073 in response to this issue. Users are encouraged to review this advisory and apply the patches it refers to.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23518518 Feedback>).
Updated: March 04, 2004
Affected
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
SGI has published SGI Advanced Linux Environment security update #12 in response to this issue. Users are encouraged to review this bulletin and apply the patches it refers to.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23518518 Feedback>).
Updated: February 20, 2004
Affected
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
The Slackware security team has published Slackware Security Advisory SSA:2004-049-02 in response to this issue. Users are encouraged to review this advisory and apply the patches it refers to.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23518518 Feedback>).
Group | Score | Vector |
---|---|---|
Base | ||
Temporal | ||
Environmental |
<http://secunia.com/advisories/10908/>
Thanks to Ulf Hรคrnhammar for reporting this vulnerability.
This document was written by Chad R Dougherty.
CVE IDs: | CVE-2004-0104 |
---|---|
Severity Metric: | 14.25 Date Public: |