Remote pine Denial of Service

From: Linus Sjöberg (lsjobergat_private)
Date: Thu Nov 07 2002 - 05:16:13 PST


                               Security Advisory
    
                               23rd October 2002
    
               Remote pine version 4.44 denial of service
    
    Name:             Pine version 4.44
    Arch:             Redhat 7.2 i386
    Severity:         Medium
    Vendor URL:       http://www.washington.edu/pine/
    Author:           Linus Sjöberg (lsjobergat_private)
    Vendor notified:  14th October 2002
    Vendor response:  14th October 2002
    Vendor fix:       ??????
    
    Impact:   An attacker can send a fully legal email message with a crafted
    	  From-header and thereby force pine to dump core on startup.
    	  The only way to launch pine again is to remove the bad message
    	  manually, either directly from the spool or with another MUA.
    	  Until the message has been removed or edited there is no way of
    	  accessing the INBOX using pine.
    
    
    Description
    ***********
    
    When pine encounters an email whose From-header looks like
    From: 
    "\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\""@host.fubar
    it dies with a segmentation fault. Note that the address is fully legal
    (RFC 2822 allows a quoted-string local part, and a quoted-string may
    contain quoted-pairs such as \"), even if quite unusable.
    
    When I reproduced the problem with pine running under gdb I got the
    following backtrace:
    #0  0x401ea490 in chunk_free (ar_ptr=0x4029e300, p=0x83b65d8) at malloc.c:3231
    #1  0x401ea3f4 in __libc_free (mem=0x83b65e0) at malloc.c:3154
    #2  0x081ef8e2 in fs_give (block=0xbfffb9b8) at fs_unix.c:60
    #3  0x080feb4f in set_index_addr 
        (idata=0xbfffc8c0, field=0x83012d8 "From", 
        addr=0x83b6160, prefix=0x0, width=18, 
        s=0xbfffbd11 
        "\"\\\"\\\"\\\"\\\"\\\"\\\"\\\"\\\"\\\b`´:\bX½^?¿ïø\036\b")
        at mailindx.c:4508
    #4  0x080fb397 in format_index_line (idata=0xbfffc8c0) at mailindx.c:3376
    #5  0x080f9ec4 in build_header_line (state=0x839f260, stream=0x83aba88, 
        msgmap=0x83a17b0, msgno=40) at mailindx.c:2761
    #6  0x080f71e3 in update_index (state=0x839f260, screen=0xbfffcb90)
        at mailindx.c:1264
    #7  0x080f576c in index_lister (state=0x839f260, cntxt=0x83a8d28, 
        folder=0x839f325 "INBOX", stream=0x83aba88, msgmap=0x83a17b0)
        at mailindx.c:603
    #8  0x080f5347 in mail_index_screen (state=0x839f260) at mailindx.c:452
    #9  0x081588e6 in main (argc=1, argv=0xbfffddc4) at pine.c:1122
    #10 0x40185657 in __libc_start_main (main=0x8156974 <main>, argc=1, 
        ubp_av=0xbfffddc4, init=0x804ab28 <_init>, fini=0x8225c70 <_fini>, 
        rtld_fini=0x4000dcd4 <_dl_fini>, stack_end=0xbfffddbc)
        at ../sysdeps/generic/libc-start.c:129
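    
    The following is an added example, not pine's code and not part of the
    original advisory. It shows why the address above is legal and how a
    display formatter can handle such a local part without overrunning a
    fixed-width field. It parses an RFC 2822 quoted-string local part
    (DQUOTE *(qtext / quoted-pair) DQUOTE), decodes the quoted-pairs, computes
    how long the re-quoted form is, and re-quotes it into a bounded column of
    the width that frame #3 shows set_index_addr being handed for the From
    field (width=18). The test address is constructed here with 30 escaped
    quotes, roughly what the advisory shows; the exact count does not matter.
    Nothing below identifies pine's actual root cause, which the advisory does
    not establish; a fault inside free() (frames #0 to #2) typically means heap
    metadata was overwritten earlier.

```c
#include <stdio.h>
#include <string.h>

/* Constructed test input modelled on the advisory's address: a quoted-string
 * local part made entirely of quoted-pairs (backslash + double quote), then
 * "@host.fubar". Writes the address into `out` and returns its length, or -1
 * if `out` cannot hold it. `nquotes` is the number of escaped quotes. */
static int build_advisory_addr(char *out, size_t outsz, int nquotes)
{
    const char *domain = "@host.fubar";
    size_t need = 1 + 2 * (size_t)nquotes + 1 + strlen(domain);
    char *p = out;
    if (nquotes < 0 || need + 1 > outsz)
        return -1;
    *p++ = '"';
    for (int i = 0; i < nquotes; i++) {
        *p++ = '\\';
        *p++ = '"';
    }
    *p++ = '"';
    memcpy(p, domain, strlen(domain) + 1);
    return (int)need;
}

/* Parse a quoted-string local part followed by '@' (RFC 2822 quoted-string,
 * simplified to printable ASCII qtext). Stores the decoded local part in
 * `raw` and returns its length; returns -1 on a syntax error or if `raw`
 * is too small. */
static int parse_quoted_local_part(const char *addr, char *raw, size_t rawsz)
{
    size_t n = 0;
    const char *p = addr;
    if (*p++ != '"')
        return -1;                                  /* not a quoted-string */
    for (;;) {
        unsigned char c = (unsigned char)*p;
        if (c == '\0')
            return -1;                              /* unterminated */
        if (c == '"') {
            p++;                                    /* closing DQUOTE */
            break;
        }
        if (c == '\\') {                            /* quoted-pair: take next char literally */
            c = (unsigned char)*++p;
            if (c == '\0')
                return -1;
        } else if (c < 0x20 || c > 0x7e) {
            return -1;                              /* not qtext */
        }
        if (n + 1 >= rawsz)
            return -1;
        raw[n++] = (char)c;
        p++;
    }
    if (*p != '@')
        return -1;
    raw[n] = '\0';
    return (int)n;
}

/* Bytes needed (excluding NUL) to re-quote `raw`: two DQUOTEs, one byte per
 * character, plus one extra for every character that must become a
 * quoted-pair. A formatter that sizes its buffer from strlen(raw) instead
 * of this value writes past the end as soon as the input contains quotes. */
static size_t quoted_len(const char *raw)
{
    size_t len = 2;
    for (; *raw; raw++)
        len += (*raw == '"' || *raw == '\\') ? 2 : 1;
    return len;
}

/* Re-quote `raw` into a display field of at most `width` bytes. `out` must
 * hold width + 1 bytes. Output is truncated to the field, a quoted-pair is
 * never split, the closing DQUOTE is emitted only if the whole local part
 * fit, and the result is always NUL-terminated. Returns bytes written. */
static size_t quote_for_display(const char *raw, char *out, size_t width)
{
    size_t n = 0;
    if (n < width)
        out[n++] = '"';
    for (; *raw && n < width; raw++) {
        int pair = (*raw == '"' || *raw == '\\');
        if (n + (pair ? 2u : 1u) > width)
            break;                                  /* pair would not fit */
        if (pair)
            out[n++] = '\\';
        out[n++] = *raw;
    }
    if (*raw == '\0' && n < width)
        out[n++] = '"';
    out[n] = '\0';
    return n;
}

int main(void)
{
    char addr[128], raw[64], field[19];             /* 18 columns + NUL */
    int alen = build_advisory_addr(addr, sizeof addr, 30);
    int rlen = parse_quoted_local_part(addr, raw, sizeof raw);
    printf("address (%d bytes): %s\n", alen, addr);
    printf("legal quoted-string local part: %s, decoded length %d\n",
           rlen >= 0 ? "yes" : "no", rlen);
    printf("bytes needed to re-quote it: %zu\n", quoted_len(raw));
    size_t w = quote_for_display(raw, field, sizeof field - 1);
    printf("18-column From field (%zu bytes): %s\n", w, field);
    return rlen >= 0 ? 0 : 1;
}
```

    The decoded local part is 30 bytes but its quoted form is 62, so any
    formatter that allocates from the unescaped length comes up short by the
    number of quotes in the input. With the 18-column width from the backtrace
    the bounded formatter emits the opening quote and eight quoted-pairs and
    stops, because a ninth pair would not fit.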
    
    Since pine dumped core it might be possible to execute code on the victim's
    machine, but since I am not into that kind of game I leave that part for
    others to find out.
    
    The possibility of locking somebody out of his email is important enough
    for an advisory and an update, IMHO.
    
    Fix Information
    ***************
    
    The University of Washington replied to my posting within a few hours and
    reported that the issue would be fixed in version 4.50. They have not yet
    made such a version publicly available after a month and a half, so I have
    chosen to go public with this advisory even though no patch is available
    yet.
    



    This archive was generated by hypermail 2b30 : Thu Nov 07 2002 - 08:15:28 PST