mutt x.x

From: Paul Boehm (paulat_private)
Date: Tue Jul 28 1998 - 11:17:57 PDT


    Hi, all (newer??) versions of mutt have got an overflowable buffer in
    parse.c. When sending a specially formatted Content-Type in the header
    you can, when putting special purpose shellcode that doesn't contain any
    / ; \n and spaces, execute arbitrary code on the mutt running user's system.
    
    The overflow occurs when opening the mailbox containing the malicious email.
    So, you don't even have to view that "evil" email for this to work.
    
    Michael Elkins (mutt author) has already been notified.
    My personal (non-official) patch is included, expect an official
    patch (new version?) from him soon.
    
    Use this patch against mutt 0.93(i):
    
    --snip--
    --- parse.c.old Tue Jul 28 18:25:50 1998
    +++ parse.c     Tue Jul 28 18:25:56 1998
    @@ -268,7 +268,7 @@
       if ((pc = strchr(s, '/')))
       {
         *pc++ = 0;
    -    while (*pc && !ISSPACE (*pc) && *pc != ';')
    +    while (*pc && !ISSPACE (*pc) && *pc != ';' && i < (SHORT_STRING - 1))
         {
           buffer[i++] = *pc;
           pc++;
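
Review bot: the new bound `i < (SHORT_STRING - 1)` in the while condition hard-codes the size of `buffer`, whose declaration is outside this hunk; if `buffer` is a local array, `i < sizeof (buffer) - 1` would keep the check tied to the real size should the declaration change. When the loop now stops on the length limit, `pc` is left pointing into the middle of the subtype rather than at whitespace, ';' or the end of the string, so the code after the loop (not visible here) should either skip the rest of the token or treat the over-long subtype as malformed instead of silently truncating it. A one-line comment saying that the `- 1` is there to leave room for the terminator (an assumption, since the terminating write is not in the visible lines) would also help the next reader.
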
    --snip--
    
    bye,
        paul
    
    --
    
    [ Paul S. Boehm | paulat_private | http://paul.boehm.org/ | infected@irc ]
    
    Money is what gives a programmer his resources. It's an exchange system created
    by human beings. It surrounds us. Works for us, binds the economy together.
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:09:33 PDT