83689 2002-11-07  17:15  /75 lines/ Linus Sjöberg <lsjoberg@aland.net>
Imported: 2002-11-07  17:15  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <2257>
Subject: Remote pine Denial of Service
------------------------------------------------------------
                           Security Advisory

                           23rd October 2002

           Remote pine version 4.44 denial of service

Name:             Pine version 4.44
Arch:             Redhat 7.2 i386
Severity:         Medium
Vendor URL:       http://www.washington.edu/pine/
Author:           Linus Sjöberg (lsjoberg@aland.net)
Vendor notified:  14th October 2002
Vendor response:  14th October 2002
Vendor fix:       ??????

Impact:   An attacker can send a fully legal email message with a crafted
	  From-header and thus force pine to core dump on startup.
	  The only way to launch pine is manually removing the bad message
	  either directly from the spool, or from another MUA. Until the
	  message has been removed or edited there is no way of accessing
	  the INBOX using pine.


Description
***********

When pine detects an email with a From-header looking like From:
"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\""@host.fubar
it will die with a segmentation fault. Note that the address is fully
legal, even if quite unusable.

When I reproduced the problem with a pine running within gdb I got the
following backtrace:
#0  0x401ea490 in chunk_free (ar_ptr=0x4029e300, p=0x83b65d8) at 
malloc.c:3231
#1  0x401ea3f4 in __libc_free (mem=0x83b65e0) at malloc.c:3154
#2  0x081ef8e2 in fs_give (block=0xbfffb9b8) at fs_unix.c:60
#3  0x080feb4f in set_index_addr 
    (idata=0xbfffc8c0, field=0x83012d8 "From", 
    addr=0x83b6160, prefix=0x0, width=18, 
    s=0xbfffbd11 
    "\"\\\"\\\"\\\"\\\"\\\"\\\"\\\"\\\"\\\b`´:\bX½^?¿ïø\036\b")
    at mailindx.c:4508
#4  0x080fb397 in format_index_line (idata=0xbfffc8c0) at mailindx.c:3376
#5  0x080f9ec4 in build_header_line (state=0x839f260, stream=0x83aba88, 
    msgmap=0x83a17b0, msgno=40) at mailindx.c:2761
#6  0x080f71e3 in update_index (state=0x839f260, screen=0xbfffcb90)
    at mailindx.c:1264
#7  0x080f576c in index_lister (state=0x839f260, cntxt=0x83a8d28, 
    folder=0x839f325 "INBOX", stream=0x83aba88, msgmap=0x83a17b0)
    at mailindx.c:603
#8  0x080f5347 in mail_index_screen (state=0x839f260) at mailindx.c:452
#9  0x081588e6 in main (argc=1, argv=0xbfffddc4) at pine.c:1122
#10 0x40185657 in __libc_start_main (main=0x8156974 <main>, argc=1, 
    ubp_av=0xbfffddc4, init=0x804ab28 <_init>, fini=0x8225c70 <_fini>, 
    rtld_fini=0x4000dcd4 <_dl_fini>, stack_end=0xbfffddbc)
    at ../sysdeps/generic/libc-start.c:129

Since pine dumped core it might be possible to execute code on the
victim's machine, but since I am not into that kind of game I leave
that part for others to find out.

The possibility of locking somebody out from his email is important
enough for an advisory+update IMHO.

Fix Information
***************

Washington University replied to my posting within a few hours and
reported that the issue was to be fixed in version 4.50. They have
not yet made such a version publicly available after 1½ months, so I
have chosen to go public with this advisory even if there is no patch
yet available.
(83689) /Linus Sjöberg <lsjoberg@aland.net>/(Reflowed)
Comment in text 83741 by Erik Parker <eparker@mindsec.com>
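The clean-up the advisory describes (taking the offending message out of the spool so pine can open INBOX again), as an added example that is not part of the advisory or of pine: a Python tool that scans an mbox file for messages whose From, Sender or Reply-To address has a quoted local part built from backslash-escaped double quotes, and moves the hits into a separate quarantine mbox while holding the mailbox lock. It goes slightly beyond the advisory by checking Sender and Reply-To as well as From. The threshold of 8 escaped quotes, the set of headers scanned and the contents of the sample spool are assumptions made for this example; the advisory does not say how many escaped quotes are needed to trigger the crash.

```python
"""Find and quarantine mbox messages carrying the From-header pattern from
the pine 4.44 advisory.  Added example; not code from the advisory or pine.
Assumed here: the threshold, the headers scanned and the sample spool."""
import mailbox
import os
import re
import tempfile

THRESHOLD = 8  # assumed: flag quoted local parts with at least this many \" pairs

# Heuristic, not the full RFC 2822 grammar: a quoted-string local part followed
# by '@', e.g. "\"\"\""@host.fubar; group(1) keeps the escape pairs intact.
QUOTED_LOCAL_RE = re.compile(r'"((?:\\.|[^"\\])*)"@')

# Constructed sample spool as (From value, Subject).  Entry 1 has the shape
# the advisory describes; the others are legitimate quoted addresses.
SAMPLES = [
    ("Alice <alice@example.com>", "ordinary message"),
    ('"' + '\\"' * 30 + '"@host.fubar', "crafted From header"),
    ('"John Doe"@example.com', "quoted local part, no escapes"),
    ('"\\"x\\""@example.com', "two escaped quotes, below threshold"),
]

def escaped_quote_count(header_value: str) -> int:
    """Largest number of backslash-escaped quotes inside any quoted local
    part of the header value; 0 when there is none."""
    best = 0
    for m in QUOTED_LOCAL_RE.finditer(header_value):
        best = max(best, m.group(1).count('\\"'))
    return best

def _find_hits(box: mailbox.mbox, threshold: int) -> list:
    """(key, header value) for every message whose From, Sender or Reply-To
    address reaches the threshold."""
    hits = []
    for key, msg in box.items():
        for name in ("From", "Sender", "Reply-To"):
            value = msg.get(name)
            if value is not None and escaped_quote_count(str(value)) >= threshold:
                hits.append((key, str(value)))
                break
    return hits

def scan_spool(path: str, threshold: int = THRESHOLD) -> list:
    """Read-only scan of an existing mbox file."""
    box = mailbox.mbox(path, create=False)
    try:
        return _find_hits(box, threshold)
    finally:
        box.close()

def quarantine_spool(path: str, quarantine_path: str,
                     threshold: int = THRESHOLD) -> int:
    """Move flagged messages from `path` into `quarantine_path` so the rest of
    the spool can be opened again.  The spool is locked (fcntl plus dotlock, as
    mailbox.mbox does it) while rewritten; each message is copied to the
    quarantine box before it is removed.  Returns the number moved."""
    src = mailbox.mbox(path, create=False)
    dst = mailbox.mbox(quarantine_path)
    moved = 0
    try:
        src.lock()
        for key, _ in _find_hits(src, threshold):
            dst.add(src[key])
            src.remove(key)
            moved += 1
        dst.flush()
        src.flush()
    finally:
        src.close()  # close() releases the lock as well
        dst.close()
    return moved

def build_spool(path: str) -> None:
    """Write SAMPLES as a plain mbox file (constructed test data)."""
    with open(path, "wb") as f:
        for from_value, subject in SAMPLES:
            f.write(b"From MAILER-DAEMON Thu Nov  7 17:15:00 2002\n")
            f.write((f"From: {from_value}\nTo: victim@example.net\n"
                     f"Subject: {subject}\n\nbody\n\n").encode("ascii"))

def count_messages(path: str) -> int:
    box = mailbox.mbox(path, create=False)
    try:
        return len(box)
    finally:
        box.close()

def demo() -> dict:
    """Build the sample spool in a temp dir, scan it, quarantine the hit."""
    with tempfile.TemporaryDirectory() as d:
        spool = os.path.join(d, "victim")
        qbox = os.path.join(d, "victim.quarantine")
        build_spool(spool)
        hits = scan_spool(spool)
        moved = quarantine_spool(spool, qbox)
        return {"hits": [k for k, _ in hits], "moved": moved,
                "remaining": count_messages(spool),
                "quarantined": count_messages(qbox)}

if __name__ == "__main__":
    print(demo())
```

On a real system the spool path would be something like the user's file under the mail spool directory and the quarantine box a file the user can open with another MUA; the copy-then-remove order and the lock matter more than the heuristic, since a half-written spool is a worse outcome than one bad message.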
83741 2002-11-08  08:31  /23 lines/ Erik Parker <eparker@mindsec.com>
Imported: 2002-11-08  08:31  by Brevbäraren
External recipient: Linus Sjöberg <lsjoberg@aland.net>
Recipient: Bugtraq (import) <2278>
Comment on text 83689 by Linus Sjöberg <lsjoberg@aland.net>
Subject: Re: Remote pine Denial of Service
------------------------------------------------------------

Tests positive on Redhat 7.3, False on Solaris x86


> Linus Sjöberg (lsjoberg@aland.net) composed today:

>                            Security Advisory
>
>                            23rd October 2002
>
>            Remote pine version 4.44 denial of service
>
> Name:             Pine version 4.44
> Arch:             Redhat 7.2 i386
> Severity:         Medium
> Vendor URL:       http://www.washington.edu/pine/
> Author:           Linus Sjöberg (lsjoberg@aland.net)
> Vendor notified:  14th October 2002
> Vendor response:  14th October 2002
> Vendor fix:       ??????
(83741) /Erik Parker <eparker@mindsec.com>/---------
Comment in text 83903 by Erik Parker <eparker@mindsec.com>
83903 2002-11-09  18:15  /69 lines/ Erik Parker <eparker@mindsec.com>
Imported: 2002-11-09  18:15  by Brevbäraren
External recipient: Linus Sjöberg <lsjoberg@aland.net>
Recipient: Bugtraq (import) <2318>
Comment on text 83741 by Erik Parker <eparker@mindsec.com>
Subject: Re: Remote pine Denial of Service
------------------------------------------------------------

I take that back. This DOES test positive on Solaris 8 x86, however
not in the inbox for some reason.

If you have the message in your sent-mail, it dumps pine with:

12758:  lseek(6, 9616959, SEEK_SET)                     = 9616959
12758:  read(6, " D a t e :   T h u ,   7".., 584)      = 584
12758:      Incurred fault #6, FLTBOUNDS  %pc = 0xDF9C636A
12758:        siginfo: SIGSEGV SEGV_MAPERR addr=0x73646E71
12758:      Received signal #11, SIGSEGV [caught]
12758:        siginfo: SIGSEGV SEGV_MAPERR addr=0x73646E71
12758:  sigaction(SIGILL, 0x08045ADC, 0x08045B30)       = 0
12758:  sigaction(SIGTRAP, 0x08045ADC, 0x08045B30)      = 0
12758:  sigaction(SIGEMT, 0x08045ADC, 0x08045B30)       = 0
12758:  sigaction(SIGBUS, 0x08045ADC, 0x08045B30)       = 0
12758:  sigaction(SIGSEGV, 0x08045ADC, 0x08045B30)      = 0
12758:  sigaction(SIGSYS, 0x08045ADC, 0x08045B30)       = 0
12758:  sigaction(SIGWINCH, 0x08045ADC, 0x08045B30)     = 0
12758:  sigaction(SIGQUIT, 0x08045ADC, 0x08045B30)      = 0
12758:  sigaction(SIGTSTP, 0x08045ADC, 0x08045B30)      = 0
12758:  sigaction(SIGHUP, 0x08045ADC, 0x08045B30)       = 0
12758:  sigaction(SIGALRM, 0x08045ADC, 0x08045B30)      = 0
12758:  sigaction(SIGTERM, 0x08045ADC, 0x08045B30)      = 0
12758:  sigaction(SIGINT, 0x08045ADC, 0x08045B30)       = 0
12758:  time()                                          = 1036828313
12758:  time()                                          = 1036828313
12758:      Incurred fault #6, FLTBOUNDS  %pc = 0xDF9C5B67
12758:        siginfo: SIGSEGV SEGV_MAPERR addr=0x00006D6F
12758:      Received signal #11, SIGSEGV [default]
12758:        siginfo: SIGSEGV SEGV_MAPERR addr=0x00006D6F
12758:          *** process killed ***



---
Erik Parker
---



> Erik Parker (eparker@mindsec.com) composed on Nov 7, 2002:

>
> Tests positive on Redhat 7.3, False on Solaris x86
>
>
> > Linus Sjöberg (lsjoberg@aland.net) composed today:
>
> >                            Security Advisory
> >
> >                            23rd October 2002
> >
> >            Remote pine version 4.44 denial of service
> >
> > Name:             Pine version 4.44
> > Arch:             Redhat 7.2 i386
> > Severity:         Medium
> > Vendor URL:       http://www.washington.edu/pine/
> > Author:           Linus Sjöberg (lsjoberg@aland.net)
> > Vendor notified:  14th October 2002
> > Vendor response:  14th October 2002
> > Vendor fix:       ??????
>
>
>
(83903) /Erik Parker <eparker@mindsec.com>/(Reflowed)