Popcorn vulnerabilities

From: bugtestat_private
Date: Thu Jul 11 2002 - 12:16:49 PDT


    ######################################################################
    
    Application: Popcorn (http://www.ultrafunk.com)
    Version:     All versions, because it is no longer supported (however
                 the latest is 1.20)
    Bug:         Multiple vulnerabilities
    Risk:        Remote DoS
    Author:      Auriemma Luigi (e-mail: bugtestat_private)
    
    ######################################################################
    
    
    1) Introduction
    2) Bug
    3) The Code
    4) Fix
    5) Philosophy
    
    ---
    
    1) Introduction
    
    Popcorn is a good, tiny and easy-to-use mail client that runs on
    Windows.
    It is really minimal in its functions (you can't send attachments,
    for example); however, I found it really useful.
    Unfortunately it is no longer supported, so its development has
    stopped and every bug found in it cannot be corrected.
    
    ---
    
    2) Bug
    
    The bugs I have found in this program so far are 3 (however I will
    not publish other bugs about it if I find them).
    Bugs A and C are triggered directly during the mailbox check, so
    the user cannot see where the error is because the exploit mail is
    not visible, and he must delete it manually or from another mail
    client.
    
    Let's go:
    
    -A-
    -Process freezes and resource consumption.
    If an attacker sends a mail with the following subject:
    
    Subject: \t\t
    
    the client tries to read the mail but it seems not to understand
    this subject, so it keeps on downloading the mail.
    Instead it is frozen; the user can close it from the menu without
    problem, but the process keeps running and it eats some resources
    (for example my AthlonXP gets a bit slow), and the only way to
    terminate it completely is from the CTRL-ALT-DEL menu or, better,
    from a process management program like ATM or Killprocess.
    
    -B-
    -Buffer overflow in the subject field.
    The client can be crashed when the user wants to read a mail with a
    subject like this:
    
    Subject: (at least 490 'A's)
    
    I don't think I need to add anything else about this problem...
    
    -C-
    -Bad management of the Date field in received mails.
    This is an example of how Popcorn reformats a Date field:
    
    Date: 1       = 01.01.2000 00:00
    Date: 11      = 11.01.2000 00:00
    Date: 111     = 20.04.2000 00:00
    Date: 1111    = 15.01.2003 00:00
    Date: 11111   = 02.06.2030 00:00
    Date: 111111  = 02.01.2032 11:03
    Date: 1111111 = Crash!
    
    So the attacker can crash the Popcorn client by sending it a mail
    with a year greater than 2037 in the Date field (2037 is the
    maximum year that doesn't crash, tested on my PC) or, as I have
    written before, with 1111111 (or other numeric sequences that
    crash the client).
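    The three conditions above can be recognised from the raw headers before a vulnerable client ever fetches the mail, which is the only practical defence for an unmaintained client: quarantine or delete such messages at the gateway or with a mailbox audit script. The following is an added example written for this page; it is not the advisory author's exploit and not part of Popcorn. It reads the raw header block itself (unfolding continuation lines, keeping the whitespace that library parsers would strip), flags a Subject made only of tabs/spaces (broader than the exact `\t\t` case reported), a Subject of at least 490 characters, and a Date that either fails to parse or carries a year above 2037. The sample messages, limits and finding labels are constructed for the example.

```python
"""Detect the malformed-header patterns the advisory describes.

Added example, not the advisory author's code and not part of Popcorn.
Inspects raw RFC 822 headers and reports which described condition a
message matches, so such mail can be quarantined before a vulnerable
client downloads it.
"""
from __future__ import annotations

from email.utils import parsedate_to_datetime

SUBJECT_LIMIT = 490   # advisory: a Subject of at least 490 'A's crashes the client
YEAR_LIMIT = 2037     # advisory: a year above 2037 crashed the client on the author's PC


def raw_headers(raw_message: str) -> list[tuple[str, str]]:
    """Split the header block into (name, value) pairs, unfolding
    continuation lines and keeping the value's whitespace intact."""
    headers: list[tuple[str, str]] = []
    for line in raw_message.split("\n"):
        line = line.rstrip("\r")
        if line == "":                                  # blank line ends the headers
            break
        if line[:1] in (" ", "\t") and headers:         # folded continuation line
            name, value = headers[-1]
            headers[-1] = (name, value + line)
            continue
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value))
    return headers


def check_message(raw_message: str) -> list[str]:
    """Return the list of advisory conditions (A, B, C) the message matches."""
    findings: list[str] = []
    for name, value in raw_headers(raw_message):
        if name == "subject":
            # Drop only the single conventional space after the colon, so a
            # tab-only subject is still distinguishable from an empty one.
            body = value[1:] if value.startswith(" ") else value
            if body != "" and body.strip(" \t") == "":
                findings.append("A: subject is only whitespace")
            if len(body.strip()) >= SUBJECT_LIMIT:
                findings.append("B: oversized subject")
        elif name == "date":
            try:
                parsed = parsedate_to_datetime(value.strip())
            except (TypeError, ValueError):             # e.g. "Date: 1111111"
                findings.append("C: unparseable date")
            else:
                if parsed.year > YEAR_LIMIT:
                    findings.append("C: date year beyond %d" % YEAR_LIMIT)
    return findings


# Constructed sample messages (not real traffic), one per condition.
GOOD_DATE = "Date: Thu, 11 Jul 2002 12:16:49 -0700\r\n"
SAMPLES = {
    "clean": "From: a@example.invalid\r\nSubject: hello\r\n" + GOOD_DATE + "\r\nbody\r\n",
    "tabs": "Subject: \t\t\r\n" + GOOD_DATE + "\r\nbody\r\n",
    "long": "Subject: " + "A" * 490 + "\r\n" + GOOD_DATE + "\r\nbody\r\n",
    "numeric_date": "Subject: hi\r\nDate: 1111111\r\n\r\nbody\r\n",
    "far_future": "Subject: hi\r\nDate: Mon, 2 Jan 2040 00:00:00 +0000\r\n\r\nbody\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, "->", check_message(raw) or "ok")
```

    The raw scan matters for condition A: `email.message_from_string` strips leading spaces and tabs from header values, so after parsing a `Subject: \t\t` is indistinguishable from an empty Subject, and empty subjects are far too common in legitimate mail to quarantine.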
    
    ---
    
    3) The Code
    
    I have attached a simple and tiny exploit that can send a mail with
    one of the 3 exploits I have shown.
    The source and the exe are only for Windows, because Popcorn runs on
    Windows and the exploit can be emulated with Wine, so why waste time
    and space (the attachment) doing another version?
    
    ---
    
    4) Fix
    
    No official fix (the program is no longer supported) and no tricks to
    fix it temporarily.
    
    ---
    
    5) Philosophy
    
    I'm really hopeful about full disclosure, because with it "everyone"
    can know the real effects of an attack and the real danger of a bug,
    someone can learn a bit of programming (I have learned a bit of C
    from the source code of some exploits), and it's useful for all the
    people who believe in this type of disclosure.
    No secrets!
    
    ---
    
    Any type of feedback is really welcome!
    
    Byez
    
    This archive was generated by hypermail 2b30 : Thu Jul 11 2002 - 18:05:35 PDT