Operating System:

Published:

20 March 2003

Protect yourself against future threats.

-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
             AUSCERT External Security Bulletin Redistribution

           ESB-2003.0192 -- Core Security Technologies Advisory
      Multiple vulnerabilities in Ximian's Evolution Mail User Agent
                               20 March 2003

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:                Evolution 1.2.2 and prior
Vendor:                 Ximian
Operating System:       Linux
                        Solaris
Impact:                 Execute Arbitrary Code/Commands
                        Denial of Service
Access Required:        Remote
CVE Names:              CAN-2003-0128, CAN-2003-0129, CAN-2003-0130

Comment: AusCERT has removed the Exploit Code section to prevent false
         positive detection by some mail scanning software. To view this
         section, please reference the online advisory at
         www.coresecurity.com/common/showdoc.php?idx=30

- --------------------------BEGIN INCLUDED TEXT--------------------

                      Core Security Technologies Advisory
                         http://www.coresecurity.com

       Multiple vulnerabilities in Ximian's Evolution Mail User Agent


Date Published: 2003-03-19

Last Update: 2003-03-19

Advisory ID: CORE-20030304-01

Bugtraq IDs: 7117, 7118, 7119

CVE CAN:  CAN-2003-0128 CAN-2003-0129 CAN-2003-0130

Title: Multiple vulnerabilities in Ximian's Evolution Mail User Agent

Class: Input validation error;
       Failure to handle exceptional conditions;
       Information Gathering

Remotely Exploitable: Yes

Locally Exploitable: Yes

Advisory URL:
 http://www.coresecurity.com/common/showdoc.php?idx=309&idxseccion=10

Vendors contacted:

- - Ximian
  . CORE notification: 2003-03-11
  . Notification acknowledged by Ximian: 2003-03-11
  . Fixes added by Ximian to CVS tree: 2003-03-12
  . BID, CVE numbers assigned: 2003-03-18
  . Roll out of fixes: 2003-03-19
  . Advisory published: 2003-03-19

Release Mode: COORDINATED RELEASE

*Vulnerability Description:*

 Ximian Evolution is a personal and workgroup information management
 solution for Linux and UNIX-based systems. The software integrates
 email, calendaring, meeting scheduling, contact management, and task
 lists, in one application. For more information about Ximian
 Evolution visit http://www.ximian.com
 
 Three vulnerabilities were found that could lead to various forms of
 exploitation ranging from denying to users the ability to read email,
 provoke system unstability, bypassing security context checks for
 email content and possibly execution of arbitrary commands on
 vulnerable systems.
 
 The following security vulnerabilities were found:

 [CAN-2003-0128, BID 7117]

 The Evolution mailer accepts UUEncoded content and will
 transparently decode it. By including a specially crafted UUE header
 as part of an otherwise perfectly normal email an attacker has the
 ability to crash Evolution as soon as the mail is parsed. This makes
 it particularly difficult to delete this email from Evolution's GUI
 and prevents a user from reading email until the malicious mail is
 removed from the mailbox.

 All versions of Evolution that include the function
 try_uudecoding in the module mail/mail-format.c are vulnerable.

 [CAN-2003-0129, BID 7118]

 Having the Evolution mailer process mail content UUencoded multiple
 times will cause resource starvation. The MUA will try to allocate
 memory until it dies, possibly leading to system unstability.
 Our example in the technical details section uses email content
 encoded 3 times.

 [CAN-2003-0130, BID 7119]

 By including a specially crafted MIME Content-ID header as part of
 an image/* MIME part, it is possible to include arbitrary data,
 including HTML tags, into the stream that is passed to GTKHtml for
 rendering.

 These vulknerabilities  provides multiple exploitation possibilities
 in the Evolution mailer. Namely, it's possible:

 a) To crash the application. The crash appears to be the result
   of heap corruption, further research on this bug is required
   to demostrate sucessfull exploitation to run arbitrary commands
   on vulnerable systems.

 b) To bypass the "Don't connect to remote hosts to fetch images"
   option.

 c) To execute some bonobo components and pass them arbitrary content,
   included as part of the mail.

*Vulnerable Packages:*

 Evolution 1.2.2 and prior releases are vulnerable, partially or
 wholly to the vulnerabilities in this advisory.

*Solution/Vendor Information/Workaround:*

 Ximian is providing Evolution 1.2.3 on [March 18/March 19]. This
 release resolves all vulnerabilities in this advisory as well as
 other unrelated bugs. The patched code for Evolution that resolves
 these vulnerabilities is also already available in GNOME CVS.

 A workaround for unpatched versions of Evolution to prevent Evolution
 from crashing when viewing messages that exploit these
 vulnerabilities is to go into "View"->"Message Display" and change
 the value to "Show E-mail Source."

 Distribution vendors who provide their own version of Evolution have
 been advised of these issues as well as having been provided the
 patches to fix them. They may provide updated packages for their
 distributions.


*Credits:*

 These vulnerabilities were found by Diego Kelyacoubian, Javier Kohen,
 Alberto Solino, and Juan Vera from Core Security Technologies during
 Bugweek 2003 (March 3-7, 2003).

 We would like to thank Carlos Montero Luque at Ximian for quickly
 addressing our report and coordinating the generation and
 public release of patches and information regarding these
 vulnerabilities.
 
 Thanks also to Jeffrey Stedfast and other members of the Evolution
 development team for the followup and development of the patches to
 close these vulnerabilities.

*Technical Description - Exploit/Concept Code:*

>>> AusCERT has removed this section to prevent false positive  <<<
>>> detection by some mail scanning software.  For full details <<<
>>> please see www.coresecurity.com/common/showdoc.php?idx=309  <<<

*About Core Security Technologies*
 
 Core Security Technologies develops strategic security solutions for
 Fortune 1000 corporations, government agencies and military
 organizations. The company offers information security software and
 services designed to assess risk and protect and manage information assets.
 Headquartered in Boston, MA, Core Security Technologies can be reached at
 617-399-6980 or on the Web at http://www.coresecurity.com.

 To learn more about CORE IMPACT, the first comprehensive penetration
 testing framework, visit http://www.coresecurity.com/products/coreimpact

*DISCLAIMER:*

 The contents of this advisory are copyright (c) 2003 CORE Security
 Technologies and may be distributed freely provided that no fee is
 charged for this distribution and proper credit is given.

$Id: Ximian-Evolution-advisory.txt,v 1.2 2003/03/19 23:05:30 iarce Exp $

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.  The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business 
                hours which are GMT+10:00 (AEST).  On call after hours 
                for member emergencies only.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBPnoDSCh9+71yA2DNAQGEAQQAmgyxJrPd0Tqi2I1InZGT4/RO679EUbXX
gW2r3dYYS5viWZIY8Jz90CvzRstZLgDuc2u5a5I6A06wcrlUZIvr/8CX9pHWmRgP
rzDBxGIRR7DfZDkQga6c0Y7O0IRCfcxQbpZngzu5tOFXBKEJ1HWlQhTHWGsd0urv
Mq/M+yq3t1g=
=VYjC
-----END PGP SIGNATURE-----