Published:
11 August 1998
Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-98.131 -- CERT Advisory CA-98.10
Buffer Overflow in MIME-aware Mail and News Clients
12 August 1998
===========================================================================
The CERT Coordination Centre has released the following advisory concerning
a vulnerability in some MIME-aware Mail and News clients. This
vulnerability may allow, under some conditions, remote attackers to gain
the privileges of the user executing the vulnerable Mail or News client.
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
=============================================================================
CERT* Advisory CA-98.10
Original issue date: August 11, 1998
Topic: Buffer Overflow in MIME-aware Mail and News Clients
- - -----------------------------------------------------------------------------
The CERT Coordination Center has received reports of a vulnerability in some
MIME-aware mail and news clients.
The CERT/CC team recommends updating any vulnerable mail or news clients
according to the information provided in Appendix A. In addition, network
administrators may be able to employ some risk mitigation strategies until
they are able to update all the vulnerable clients. These strategies are
described in Appendix B.
We will update this advisory as we receive additional information. Please
check our advisory files regularly for updates that relate to your site.
As of the publication date of this advisory, we have not received any
reports indicating this vulnerability has been successfully exploited.
- - -----------------------------------------------------------------------------
I. Description
A vulnerability in some MIME-aware mail and news clients could allow
an intruder to execute arbitrary code, crash the system, or gain
administrative rights on vulnerable systems. The vulnerability has
been discovered by Marko Laakso and Ari Takanen of the Secure
Programming Group of the University of Oulu. It has received
considerable public attention in the media and through reports
published by Microsoft, Netscape, AUSCERT, CIAC, NTBugTraq, and
others.
The vulnerability affects a number of mail and news clients in
addition to the ones which have been the subjects of those reports.
II. Impact
An intruder who sends a carefully crafted mail message to a vulnerable
system can, under some circumstances, cause code of the intruder's
choosing to be executed on the vulnerable system. Additionally, an
intruder can cause a vulnerable mail program to crash unexpectedly.
Depending on the operating system on which the mail client is running
and the privileges of the user running the vulnerable mail client, the
intruder may be able to crash the entire system. If a privileged user
reads mail with a vulnerable mail user agent, an intruder can gain
administrative access to the system.
III. Solution
A. Obtain and install a patch for this problem as described in
Appendix A.
B. Until you are able to install the appropriate patch, you may wish to
install patches to sendmail or to use procmail filtering as described
in Appendix B.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Appendix A - Vendor Information
Below is a list of the vendors who have provided information for this
advisory. We will update this appendix as we receive additional information.
If you do not see your vendor's name, the CERT/CC did not hear from that
vendor. Please contact the vendor directly.
Caldera Inc.
============
Caldera is currently investigating these issues and in the process of
releasing a fix. Updated RPMs will be uploaded to:
ftp://ftp.caldera.com/pub/OpenLinux/updates/1.2/011
9d2a8ca516c3bbbe920a72d365780fe3 mutt-0.93.1-2.i386.rpm
a20383c9c6f73aac56731ab65c9525fd mutt-0.93.1-2.src.rpm
Data General Corporation
========================
DG/UX is not vulnerable to this report as it includes no native utilities with
mime support.
Fujitsu
=======
Fujitsu's operating system, UXP/V, does not support any mail client
which can handle MIME encoding/decoding. Therefore, Fujitsu UXP/V is
not vulnerable.
Hewlett-Packard Company
=======================
The version of dtmail supplied by HP, as part of HP's CDE product, is
vulnerable. Patches in process.
Iris
====
Iris is aware of this problem and is investigating to determine if Lotus Notes
is vulnerable.
Microsoft Corporation
=====================
Previously released information regarding this vulnerability is
available from Microsoft at
http://www.microsoft.com/security/bulletins/ms98-008.htm
NCR
====
No products are affected.
NetBSD Foundation
=================
The NetBSD Foundation package system contains packages for mutt and pine. All
users should upgrade to the latest version of these packages as soon as
possible. Updated binary packages will become available on the NetBSD FTP
server as soon as possible, and will be announced on the
netbsd-announce@netbsd.org list. To join this list, or more information about
NetBSD, please see http://www.NetBSD.ORG/
Netscape
========
Previously released information regarding this vulnerability is
available from Netscape at
http://www.netscape.com/products/security/resources/bugs/longfile.html
OpenBSD
=======
Not affected. OpenBSD does not ship any of the affected products.
QUALCOMM Incorporated
=====================
Eudora Pro Email, Eudora Pro CommCenter and Eudora Light not
susceptible to buffer overflow security problem
QUALCOMM tested its line of Eudora email software after becoming aware
of the buffer overflow security problems recently found in Microsoft
and Netscape email programs. QUALCOMM is pleased to announce that its
Eudora email products are not susceptible to the types of attacks that
can harm the computers of users of these other products. QUALCOMM
tested the latest versions of Eudora Pro and Eudora CommCenter
versions 4.0, 4.0.1 and 4.1 (beta), as well as Eudora Pro and Eudora
Light versions 3.0 through 3.0.5 (Windows) and 3.1.3 (Mac). In all
cases, Eudora does not allow any unauthorized programs to be
automatically executed on a user's system by exploiting buffer
overflow flaws.
Internally, Eudora 4.0.1 (shipping) and 4.1 (beta) checks incoming
header sizes and in particular attachment name lengths and truncates
where appropriate to avoid buffer overrun. Previous versions of
Eudora, specifically the Windows Eudora versions 3.0 through 3.0.5 and
4.0, long attachment names under certain conditions could cause the
program to terminate prematurely, but most importantly, not in such a
way as to allow unauthorized execution of code. Upgrading to Windows
Eudora 4.0.1 or 4.0.2 (both shipping) or 4.1 (beta) resolves that
particular issue.
An unrelated security issue has recently been made public regarding
the use of Java scripts and attachments in email messages received by
Eudora 4.x. Full details of this issue, along with links to Eudora
Pro 4.0.2 and 4.1 updaters is available at
<http://eudora.qualcomm.com/security.html>. The available Eudora Pro
4.0.2 and 4.1 updaters correct the potential security risk.
The Santa Cruz Operation, Inc. (SCO)
====================================
The following SCO products are not vulnerable:
- - - SCO CMW+
- - - SCO Open Desktop / Open Server 3.0, SCO UNIX 3.2v4
- - - SCO OpenServer 5, SCO Internet FastStart
- - - SCO UnixWare 2.1
SCO UnixWare 7 dtmail may be vulnerable - investigation is
continuing. Pending this investigation, SCO recommends that
dtmail not be used on UnixWare 7; mail may be safely read
using mailx or Netscape Navigator.
Sun Microsystems, Inc.
======================
Sun Microsystems is working on patches for the following products:
dtmail
* CDE versions 1.0.1, 1.0.2 and 1.2.
* Patches will be available within three weeks
mailtool
* Openwindows versions 3.0, 3.3, 3.4, 3.5 and 3.6.
* Patches will be available within one week.
University of Washington
========================
Pursuant to recent reports of vulnerability to mal-formed or malicious
MIME attachments, the UW Pine Team has corrected a few cases of
potential buffer overrun in the latest Pine Message System release,
version 4.02, that might cause Pine to crash when inordinately long
MIME-header information is encountered.
It has been speculated that these problems could be exploited to allow
a message sender to execute an arbitrary command on behalf of the
receiving user, although with no more privilege than the receiving
user. While the UW Pine Team is not aware of any specific attacks
involving this bug, they have made a source patch available to address
this threat.
The source patch is available from:
ftp://ftp.cac.washington.edu/pine/pine4.02A.patch
Or via links found within the Pine Information Center at:
http://www.washington.edu/pine/
The patch is intended for the Pine Mail System version 4.02 (released
21 July 1998). The file is in context-diff format, and should be
understood by the "patch" utility. To update Pine 4.02 source, simply
copy the patch file into the same directory as the pine4.02 source
tree and type:
patch -p < pine4.02A.patch
The UW Pine Team strongly encourages sites running version 4.00 or
greater to upgrade to the latest release, and apply the published
patch. While versions prior to 4.00 are less sensitive to malicious
messages, upgrading to version 4.02A (including the patch) is
recommended.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Appendix B - Risk Mitigation
Although the vulnerability described in this advisory affects mail
user agents, it may be possible to reduce the risk by modifying mail
transfer agents to detect the vulnerability before it reaches the mail
user agent, or by filtering the message.
Below is a list of vendors who have provided us information on
strategies that can mitigate the risk. Note that these vendors are not
themselves vulnerable to this problem.
Sendmail, Inc.
==============
Sendmail, Inc. has produced a patch for version 8.9.1 of sendmail
as a service to their user base to assist system administrators
in proactively defending against these problems.
Sites who choose not to install the patch at this time will
not increase their exposure to the problem in this case.
This patch and installation instructions are available at
http://www.sendmail.com/sendmail.8.9.1a.html .
Note that the patch is specific to sendmail version 8.9.1 only.
If you are unable to upgrade to this version, do not attempt to
use the patch.
John Hardin
===========
John Hardin has modified his procmail Filters Kit to include filters
which may be able to assist sites in defending against these problems.
More information about the procmail Filters Kit is available at
http://www.wolfenet.com/~jhardin/procmail-kit.html
- - -----------------------------------------------------------------------------
Our thanks go to Marko Laakso and Ari Takanen of the Secure Programming
Group of the University of Oulu; Eric Allman and Gregory Shapiro
of Sendmail, Inc; AUSCERT; DFN-CERT; John Hardin; and Gene Spafford of
Purdue University for their input.
- - -----------------------------------------------------------------------------
NO WARRANTY
- - -----------
Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie
Mellon University makes no warranties of any kind, either expressed or
implied as to any matter including, but not limited to, warranty of
fitness for a particular purpose or merchantability, exclusivity or
results obtained from use of the material. Carnegie Mellon University
does not make any warranty of any kind with respect to freedom from
patent, trademark, or copyright infringement.
- - ---------
If you believe that your system has been compromised, contact the CERT
Coordination Center or your representative in the Forum of Incident
Response and Security Teams (see http://www.first.org/team-info/).
CERT/CC Contact Information
- - ----------------------------
Email cert@cert.org
Phone +1 412-268-7090 (24-hour hotline)
CERT personnel answer 8:30-5:00 p.m. EST(GMT-5) / EDT(GMT-4)
and are on call for emergencies during other hours.
Fax +1 412-268-6989
Postal address
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
USA
Using encryption
We strongly urge you to encrypt sensitive information sent by email. We can
support a shared DES key or PGP. Contact the CERT/CC for more information.
Location of CERT PGP key
ftp://ftp.cert.org/pub/CERT_PGP.key
Getting security information
CERT publications and other security information are available from
http://www.cert.org/
ftp://ftp.cert.org/pub/
CERT advisories and bulletins are also posted on the USENET newsgroup
comp.security.announce
To be added to our mailing list for advisories and bulletins, send
email to
cert-advisory-request@cert.org
In the subject line, type
SUBSCRIBE your-email-address
- - ---------------------------------------------------------------------------
Copyright 1998 Carnegie Mellon University. Conditions for use, disclaimers,
and sponsorship information can be found in
http://www.cert.org/legal_stuff/legal_stuff.html and
ftp://ftp.cert.org/pub/legal_stuff .
If you do not have FTP or web access, send mail to cert@cert.org with
"copyright" in the subject line.
*CERT is registered in the U.S. Patent and Trademark Office.
- - ---------------------------------------------------------------------------
This file:
ftp://ftp.cert.org/pub/cert_advisories/CA-98.10.mime_buffer_overflows
http://www.cert.org/advisories/CA-98.10-mime-buffer-overflows.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision history
- -----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQCVAwUBNdBl9XVP+x0t4w7BAQFhcQP/TAY8dJ/ooGt6gS4i6dTBW+1bZMKI7s3O
ohtj79DBfp8rFNhheyu5cGAAW3xksoo5CaeuSdQetjjjemoHo/ejFRIwWW3EWB1W
Juu7awD066ApN32QbSsKf8/RVbXHDXdBP7P/klSxLxxThb3oMVCW2MOxLadF4aHr
2CYjRtNWk20=
=Czyn
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.
NOTE: This is only the original release of the security bulletin. It will
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/Information/advisories.html
If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for emergencies.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key
iQCVAwUBNdgSSih9+71yA2DNAQE63gP+NvVGQsXXfQI06+ksG90f7kau0wPQ8Hu6
qUf3Vnvnv/tuLLLuZZIe/YYbegBys1a9As0K3qgnZoQSdQayWKyM8jksNTRjTxz4
psoNX2uI3jDUw14SUEop5Z+F74AAaU3ETOTNtIIezGtAETd8lfJiPF1Z9rxT2hs0
XgEu43lV0HQ=
=FqDT
-----END PGP SIGNATURE-----