Metamail Long Character/Non-ASCII Message Parsing System Overflow

2004-02-18T10:16:19
ID OSVDB:4331
Type osvdb
Reporter Ulf Härnhammar
Modified 2004-02-18T10:16:19

Description

Vulnerability Description

Metamail fails when parsing mail headers, resulting in a buffer overflow. With a specially crafted mail message containing a header with encoded non-ASCII characters and a long character set name, an attacker can overflow a buffer and execute code on the system with the privileges of the user once the message is opened, resulting in a loss of confidentiality and/or integrity.

Technical Description

The buffer overflow occurs when a message has encoded non-ASCII characters in the mail headers and the part that names a character set is overly long. The root of this problem is a bad strcpy() statement in the function PrintHeader() in metamail.c. An example of this can be found in the file "testmail3".
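
The length check that a bare strcpy() of the character set name lacks, as an added example (not metamail's code and not the released patch). It assumes the header uses the RFC 2047 encoded-word form "=?charset?encoding?text?="; extract_charset() and CHARSET_MAX are hypothetical names and the sample header words are constructed.

```c
#include <stdio.h>
#include <string.h>

#define CHARSET_MAX 40 /* assumed limit for this example, not metamail's value */

/* Hypothetical helper, not metamail's PrintHeader(): copy the charset name
 * out of an RFC 2047 encoded-word "=?charset?encoding?text?=" into out.
 * Returns 0 on success, -1 if the word is malformed or the name does not
 * fit in outsz bytes (including the terminating NUL). */
int extract_charset(const char *word, char *out, size_t outsz)
{
    const char *start, *end;
    size_t len;

    if (outsz == 0)
        return -1;
    out[0] = '\0';
    if (strncmp(word, "=?", 2) != 0)
        return -1;
    start = word + 2;
    end = strchr(start, '?');   /* '?' that terminates the charset field */
    if (end == NULL || end == start)
        return -1;
    len = (size_t)(end - start);
    if (len >= outsz)           /* the length check a bare strcpy() never makes */
        return -1;              /* reject instead of truncating silently */
    memcpy(out, start, len);
    out[len] = '\0';
    return 0;
}

int main(void)
{
    char charset[CHARSET_MAX];
    char longword[512];         /* constructed sample input */

    /* Constructed header word with an ordinary charset name. */
    if (extract_charset("=?iso-8859-1?Q?H=E4rnhammar?=", charset, sizeof charset) == 0)
        printf("charset: %s\n", charset);

    /* Constructed header word whose charset name is 500 bytes long. */
    memset(longword, 'A', sizeof longword);
    memcpy(longword, "=?", 2);
    memcpy(longword + 502, "?Q?x?=", 7);   /* 7 copies the NUL as well */
    if (extract_charset(longword, charset, sizeof charset) != 0)
        printf("rejected overlong charset name\n");
    return 0;
}
```

Rejecting the overlong name, rather than truncating it, keeps a damaged charset label from being handed to later decoding code.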

Solution Description

Currently, there are no known workarounds or upgrades to correct this issue. However, Ulf Härnhammar and various vendors have released a patch to address this vulnerability. See references.

References:

Vendor Specific Solution URL: http://www.mandrakesecure.net/en/ftp.php
Vendor Specific Solution URL: ftp://ftp.slackware.com/pub/slackware/
Vendor Specific Solution URL: https://rhn.redhat.com/help/latest-up2date.pxt
Secunia Advisory ID: 10908
Secunia Advisory ID: 11687
Other Solution URL: http://labben.abm.uu.se/~ulha9485/metamail.advisory-data.tar.gz
Other Advisory URL: http://archives.neohapsis.com/archives/vulnwatch/2004-q1/0041.html
Other Advisory URL: http://packetstormsecurity.nl/0402-advisories/metamailBUGS.txt
Keyword: metamail.c, buffer overflow, PrintHeader(), Ulf Harnhammar, metamail
ISS X-Force ID: 15247
CVE-2004-0105
CVE-2004-0104
CERT VU: 513062
Bugtraq ID: 9692