>Date: Tue, 11 Aug 1998 13:21:06 -0400
>From: CERT Advisory <cert-advisory@cert.org>
>To: cert-advisory@coal.cert.org
>Subject: CERT Advisory CA-98.10 - mime_buffer_overflows
>Reply-To: cert-advisory-request@cert.org
>Organization: CERT(sm) Coordination Center - +1 412-268-7090
>
>-----BEGIN PGP SIGNED MESSAGE-----
>
>============================================================================>CERT*
Advisory CA-98.10
>Original issue date: August 11, 1998
>
>Topic: Buffer Overflow in MIME-aware Mail and News Clients
>
>-
----------------------------------------------------------------------------->
>The CERT Coordination Center has received reports of a vulnerability in some
>MIME-aware mail and news clients.
>
>The CERT/CC team recommends updating any vulnerable mail or news clients
>according to the information provided in Appendix A. In addition, network
>administrators may be able to employ some risk mitigation strategies until
>they are able to update all the vulnerable clients. These strategies are
>described in Appendix B.
>
>We will update this advisory as we receive additional information. Please
>check our advisory files regularly for updates that relate to your site.
>
>As of the publication date of this advisory, we have not received any
>reports indicating this vulnerability has been successfully exploited.
>
>-
----------------------------------------------------------------------------->
>I. Description
>
>A vulnerability in some MIME-aware mail and news clients could allow
>an intruder to execute arbitrary code, crash the system, or gain
>administrative rights on vulnerable systems. The vulnerability has
>been discovered by Marko Laakso and Ari Takanen of the Secure
>Programming Group of the University of Oulu. It has received
>considerable public attention in the media and through reports
>published by Microsoft, Netscape, AUSCERT, CIAC, NTBugTraq, and
>others.
>
>The vulnerability affects a number of mail and news clients in
>addition to the ones which have been the subjects of those reports.
>
>
>II. Impact
>
>An intruder who sends a carefully crafted mail message to a vulnerable
>system can, under some circumstances, cause code of the intruder's
>choosing to be executed on the vulnerable system. Additionally, an
>intruder can cause a vulnerable mail program to crash unexpectedly.
>
>Depending on the operating system on which the mail client is running
>and the privileges of the user running the vulnerable mail client, the
>intruder may be able to crash the entire system. If a privileged user
>reads mail with a vulnerable mail user agent, an intruder can gain
>administrative access to the system.
>
>
>III. Solution
>
> A. Obtain and install a patch for this problem as described in
> Appendix A.
>
>
> B. Until you are able to install the appropriate patch, you may wish
to
> install patches to sendmail or to use procmail filtering as
described> in Appendix B.
>
>
>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
>Appendix A - Vendor Information
>
>Below is a list of the vendors who have provided information for this
>advisory. We will update this appendix as we receive additional information.
>If you do not see your vendor's name, the CERT/CC did not hear from that
>vendor. Please contact the vendor directly.
>
>
>Caldera Inc.
>===========>
>Caldera is currently investigating these issues and in the process of
>releasing a fix. Updated RPMs will be uploaded to:
>
> ftp://ftp.caldera.com/pub/OpenLinux/updates/1.2/011
>
> 9d2a8ca516c3bbbe920a72d365780fe3 mutt-0.93.1-2.i386.rpm
> a20383c9c6f73aac56731ab65c9525fd mutt-0.93.1-2.src.rpm
>
>
>Data General Corporation
>=======================>
>DG/UX is not vulnerable to this report as it includes no native utilities
with>mime support.
>
>
>Fujitsu
>======>
>Fujitsu's operating system, UXP/V, does not support any mail client
>which can handle MIME encoding/decoding. Therefore, Fujitsu UXP/V is
>not vulnerable.
>
>
>Hewlett-Packard Company
>======================>
>The version of dtmail supplied by HP, as part of HP's CDE product, is
>vulnerable. Patches in process.
>
>
>Iris
>===>
>Iris is aware of this problem and is investigating to determine if Lotus
Notes>is vulnerable.
>
>
>Microsoft Corporation
>====================>
>Previously released information regarding this vulnerability is
>available from Microsoft at
>
> http://www.microsoft.com/security/bulletins/ms98-008.htm
>
>
>NCR
>===>
>No products are affected.
>
>
>NetBSD Foundation
>================>
>The NetBSD Foundation package system contains packages for mutt and pine.
All
>users should upgrade to the latest version of these packages as soon as
>possible. Updated binary packages will become available on the NetBSD FTP
>server as soon as possible, and will be announced on the
>netbsd-announce@netbsd.org list. To join this list, or more information
about
>NetBSD, please see http://www.NetBSD.ORG/
>
>
>Netscape
>=======>
>Previously released information regarding this vulnerability is
>available from Netscape at
>
>http://www.netscape.com/products/security/resources/bugs/longfile.html
>
>
>OpenBSD
>======>Not affected. OpenBSD does not ship any of the affected products.
>
>
>QUALCOMM Incorporated
>====================>
>Eudora Pro Email, Eudora Pro CommCenter and Eudora Light not
>susceptible to buffer overflow security problem
>
>QUALCOMM tested its line of Eudora email software after becoming aware
>of the buffer overflow security problems recently found in Microsoft
>and Netscape email programs. QUALCOMM is pleased to announce that its
>Eudora email products are not susceptible to the types of attacks that
>can harm the computers of users of these other products. QUALCOMM
>tested the latest versions of Eudora Pro and Eudora CommCenter
>versions 4.0, 4.0.1 and 4.1 (beta), as well as Eudora Pro and Eudora
>Light versions 3.0 through 3.0.5 (Windows) and 3.1.3 (Mac). In all
>cases, Eudora does not allow any unauthorized programs to be
>automatically executed on a user's system by exploiting buffer
>overflow flaws.
>
>Internally, Eudora 4.0.1 (shipping) and 4.1 (beta) checks incoming
>header sizes and in particular attachment name lengths and truncates
>where appropriate to avoid buffer overrun. Previous versions of
>Eudora, specifically the Windows Eudora versions 3.0 through 3.0.5 and
>4.0, long attachment names under certain conditions could cause the
>program to terminate prematurely, but most importantly, not in such a
>way as to allow unauthorized execution of code. Upgrading to Windows
>Eudora 4.0.1 or 4.0.2 (both shipping) or 4.1 (beta) resolves that
>particular issue.
>
>An unrelated security issue has recently been made public regarding
>the use of Java scripts and attachments in email messages received by
>Eudora 4.x. Full details of this issue, along with links to Eudora
>Pro 4.0.2 and 4.1 updaters is available at
><http://eudora.qualcomm.com/security.html>. The available Eudora Pro
>4.0.2 and 4.1 updaters correct the potential security risk.
>
>
>The Santa Cruz Operation, Inc. (SCO)
>===================================>
>The following SCO products are not vulnerable:
>
>- - SCO CMW+
>- - SCO Open Desktop / Open Server 3.0, SCO UNIX 3.2v4
>- - SCO OpenServer 5, SCO Internet FastStart
>- - SCO UnixWare 2.1
>
>SCO UnixWare 7 dtmail may be vulnerable - investigation is
>continuing. Pending this investigation, SCO recommends that
>dtmail not be used on UnixWare 7; mail may be safely read
>using mailx or Netscape Navigator.
>
>
>Sun Microsystems, Inc.
>=====================>
>Sun Microsystems is working on patches for the following products:
>
> dtmail
> * CDE versions 1.0.1, 1.0.2 and 1.2.
> * Patches will be available within three weeks
>
> mailtool
> * Openwindows versions 3.0, 3.3, 3.4, 3.5 and 3.6.
> * Patches will be available within one week.
>
>
>University of Washington
>=======================>
>Pursuant to recent reports of vulnerability to mal-formed or malicious
>MIME attachments, the UW Pine Team has corrected a few cases of
>potential buffer overrun in the latest Pine Message System release,
>version 4.02, that might cause Pine to crash when inordinately long
>MIME-header information is encountered.
>
>It has been speculated that these problems could be exploited to allow
>a message sender to execute an arbitrary command on behalf of the
>receiving user, although with no more privilege than the receiving
>user. While the UW Pine Team is not aware of any specific attacks
>involving this bug, they have made a source patch available to address
>this threat.
>
>The source patch is available from:
>
> ftp://ftp.cac.washington.edu/pine/pine4.02A.patch
>
>Or via links found within the Pine Information Center at:
>
> http://www.washington.edu/pine/
>
>The patch is intended for the Pine Mail System version 4.02 (released
>21 July 1998). The file is in context-diff format, and should be
>understood by the "patch" utility. To update Pine 4.02 source,
simply
>copy the patch file into the same directory as the pine4.02 source
>tree and type:
>
> patch -p < pine4.02A.patch
>
>The UW Pine Team strongly encourages sites running version 4.00 or
>greater to upgrade to the latest release, and apply the published
>patch. While versions prior to 4.00 are less sensitive to malicious
>messages, upgrading to version 4.02A (including the patch) is
>recommended.
>
>
>
>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
>Appendix B - Risk Mitigation
>
>Although the vulnerability described in this advisory affects mail
>user agents, it may be possible to reduce the risk by modifying mail
>transfer agents to detect the vulnerability before it reaches the mail
>user agent, or by filtering the message.
>
>Below is a list of vendors who have provided us information on
>strategies that can mitigate the risk. Note that these vendors are not
>themselves vulnerable to this problem.
>
>Sendmail, Inc.
>=============>
>Sendmail, Inc. has produced a patch for version 8.9.1 of sendmail
>as a service to their user base to assist system administrators
>in proactively defending against these problems.
>Sites who choose not to install the patch at this time will
>not increase their exposure to the problem in this case.
>
>This patch and installation instructions are available at
>http://www.sendmail.com/sendmail.8.9.1a.html .
>
>Note that the patch is specific to sendmail version 8.9.1 only.
>If you are unable to upgrade to this version, do not attempt to
>use the patch.
>
>John Hardin
>==========>
>John Hardin has modified his procmail Filters Kit to include filters
>which may be able to assist sites in defending against these problems.
>
>More information about the procmail Filters Kit is available at
>
>http://www.wolfenet.com/~jhardin/procmail-kit.html
>
>
>-
----------------------------------------------------------------------------->Our thanks go to Marko Laakso and Ari Takanen of the Secure Programming
>Group of the University of Oulu; Eric Allman and Gregory Shapiro
>of Sendmail, Inc; AUSCERT; DFN-CERT; John Hardin; and Gene Spafford of
>Purdue University for their input.
>-
----------------------------------------------------------------------------->
>NO WARRANTY
>- -----------
>
>Any material furnished by Carnegie Mellon University and the Software
>Engineering Institute is furnished on an "as is" basis. Carnegie
>Mellon University makes no warranties of any kind, either expressed or
>implied as to any matter including, but not limited to, warranty of
>fitness for a particular purpose or merchantability, exclusivity or
>results obtained from use of the material. Carnegie Mellon University
>does not make any warranty of any kind with respect to freedom from
>patent, trademark, or copyright infringement.
>
>- ---------
>
>If you believe that your system has been compromised, contact the CERT
>Coordination Center or your representative in the Forum of Incident
>Response and Security Teams (see http://www.first.org/team-info/).
>
>CERT/CC Contact Information
>- ----------------------------
>Email cert@cert.org
>
>Phone +1 412-268-7090 (24-hour hotline)
> CERT personnel answer 8:30-5:00 p.m. EST(GMT-5) / EDT(GMT-4)
> and are on call for emergencies during other hours.
>
>Fax +1 412-268-6989
>
>Postal address
> CERT Coordination Center
> Software Engineering Institute
> Carnegie Mellon University
> Pittsburgh PA 15213-3890
> USA
>
>Using encryption
> We strongly urge you to encrypt sensitive information sent by email. We
can> support a shared DES key or PGP. Contact the CERT/CC for more
information.
> Location of CERT PGP key
> ftp://ftp.cert.org/pub/CERT_PGP.key
>
>Getting security information
> CERT publications and other security information are available from
> http://www.cert.org/
> ftp://ftp.cert.org/pub/
>
> CERT advisories and bulletins are also posted on the USENET newsgroup
> comp.security.announce
>
> To be added to our mailing list for advisories and bulletins, send
> email to
> cert-advisory-request@cert.org
> In the subject line, type
> SUBSCRIBE your-email-address
>
>-
---------------------------------------------------------------------------
>
>Copyright 1998 Carnegie Mellon University. Conditions for use, disclaimers,
>and sponsorship information can be found in
>http://www.cert.org/legal_stuff/legal_stuff.html and
>ftp://ftp.cert.org/pub/legal_stuff .
>If you do not have FTP or web access, send mail to cert@cert.org with
>"copyright" in the subject line.
>
>*CERT is registered in the U.S. Patent and Trademark Office.
>
>-
---------------------------------------------------------------------------
>
>This file:
>
> ftp://ftp.cert.org/pub/cert_advisories/CA-98.10.mime_buffer_overflows
>
> http://www.cert.org/advisories/CA-98.10-mime-buffer-overflows.html
>
>
>
>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>Revision history
>
>-----BEGIN PGP SIGNATURE-----
>Version: 2.6.2
>
>iQCVAwUBNdBl9XVP+x0t4w7BAQFhcQP/TAY8dJ/ooGt6gS4i6dTBW+1bZMKI7s3O
>ohtj79DBfp8rFNhheyu5cGAAW3xksoo5CaeuSdQetjjjemoHo/ejFRIwWW3EWB1W
>Juu7awD066ApN32QbSsKf8/RVbXHDXdBP7P/klSxLxxThb3oMVCW2MOxLadF4aHr
>2CYjRtNWk20>=Czyn
>-----END PGP SIGNATURE-----
>
