Published:
20 March 2000
Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2000.055 -- FreeBSD-SA-00:07 [REVISED] mh/nmh/exmh/exmh2 ports allow remote execution of binary code 21 March 2000 =========================================================================== The FreeBSD Security Team has released the following security advisory describing a vulnerability in the nmh/mh MIME header parsing. This vulnerability may allow an attacker to execute arbitrary code by exploiting a buffer overrun in the mhshow command. NOTE: *All* versions of nmh prior to 1.0.3 (as well as MH) contain a vulnerability where incoming mail messages with carefully designed MIME headers may cause the mhshow command to execute arbitrary code. AusCERT is not aware of any exploits of this vulnerability, however MH users and users of older versions of nmh are strongly encouraged to upgrade to nmh 1.0.3. The generic nmh package may be obtain from: ftp://ftp.mhost.com/pub/nmh/ This is the same vulnerability as previously described in AusCERT External Security Bulletin ESB-2000.043 and an update to ESB-2000.047. - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- ============================================================================= FreeBSD-SA-00:07 Security Advisory FreeBSD, Inc. Topic: mh/nmh/exmh/exmh2 ports allow remote execution of binary code Category: ports Module: mh/nmh/exmh/exmh2 Announced: 2000-03-15 Revised: 2000-03-19 Affects: Ports collection before the correction date. Corrected: [See below for a more complete description] All versions fixed in 4.0-RELEASE. mh: 2000-03-04 nmh: 2000-02-29 exmh: 2000-03-05 exmh2: 2000-03-05 FreeBSD only: NO I. Background MH and its successor NMH are popular Mail User Agents. EXMH and EXMH2 are TCL/TK-based front-ends to the MH system. There are also Japanese-language versions of the MH and EXMH2 ports, but these are developed separately and are not vulnerable to the problem described here. II. Problem Description The mhshow command used for viewing MIME attachments contains a buffer overflow which can be exploited by a specially-crafted email attachment, which will allow the execution of arbitrary code as the local user when the attachment is opened. The *MH ports are not installed by default, nor are they "part of FreeBSD" as such: they are part of the FreeBSD ports collection, which contains over 3100 third-party applications in a ready-to-install format. The FreeBSD 4.0-RELEASE ports collection is not vulnerable to this problem. FreeBSD makes no claim about the security of these third-party applications, although an effort is underway to provide a security audit of the most security-critical ports. III. Impact An attacker who can convince a user to open a hostile MIME attachment sent as part of an email message can execute arbitrary binary code running with the privileges of that user. If you have not chosen to install any of the mh/nmh/exmh/exmh2 ports/packages, then your system is not vulnerable. The Japanese-language version of MH is being actively developed and is believed to have fixed this particular problem over a year ago. Consequently the ja-mh and ja-exmh2 ports are not believed to be vulnerable to this problem. IV. Workaround 1) Remove the mhshow binary, located in /usr/local/bin/mhshow. This will prevent the viewing of MIME attachments from within *mh. 2) Remove the mh/nmh/exmh/exmh2 ports, if you you have installed them. V. Solution The English language version of the MH software is no longer actively developed, and no fix is currently available. It is unknown whether a fix to the problem will be forthcoming - consider upgrading to use NMH instead, which is the designated successor of the MH software. EXMH and EXMH2 can both be compiled to use NMH instead (this is now the default behaviour). It is not necessary to recompile EXMH/EXMH2 after reinstalling NMH. SOLUTION: Remove any old versions of the mail/mh or mail/nmh ports and perform one of the following: 1) Upgrade your entire ports collection and rebuild the mail/nmh port. 2) Reinstall a new package obtained from: ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/mail/nmh-1.0.3.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-current/mail/nmh-1.0.3.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-current/mail/nmh-1.0.3.tgz 3) download a new port skeleton for the nmh port from: http://www.freebsd.org/ports/ and use it to rebuild the port. 4) Use the portcheckout utility to automate option (3) above. The portcheckout port is available in /usr/ports/devel/portcheckout or the package can be obtained from: ftp://ftp.freebsd.org/pub/FreeBSD/ports/packages/devel/portcheckout-1.0.tgz VI. Revision history v1.0 2000-03-15 Initial release v1.1 2000-03-19 Update to note that the japanese-localized ports are not vulnerable - -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBONXFXlUuHi5z0oilAQHQ/QP9FCTFiFlaeSv2ROM46PbDkF6MN39SLTuv DEW6a6wmMU5+YbSTlFLjvYrqYgpjOmM7NMOMhhceVVpoZVMMPonHuJxHWh7YvF2G T4bZcRM3kpRcjXAOQnIiUrgh77zoEmfBysAmHZbNucCmOB5y7UqHI3CM31+geiPR /bsvHCy4U0U= =Odcg - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to use any or all of this information is the responsibility of each user or organisation, and should be done so in accordance with site policies and procedures. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the original authors to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/Information/advisories.html If you believe that your system has been compromised, contact AusCERT or your representative in FIRST (Forum of Incident Response and Security Teams). Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for emergencies. -----BEGIN PGP SIGNATURE----- Version: 2.6.3i Charset: noconv Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key iQCVAwUBONia5ih9+71yA2DNAQF/VgP6AuEj7aeCY7QdG1zJccd+EtxRwo5970GD Yzr+nxfSu8u93vJWVhcnprE1SKXRha52ZQNbrijXa7HE8OZBMQFknmCAaG1zCqNL SGR3sJhPYAMmxYqbb+Fdk8fN7b1eyBy8UbcGLMgW+KEh2/DaeXVVbWBoTCG9tBlh 3IPNKoEtzxw= =aG4w -----END PGP SIGNATURE-----