CERT home
vulnerabilities & fixesevaluations & practicesresearch & analysistraining & education
homesearchFAQsite indexcontact
Vulnerability
Notes
Database

Search Vulnerability Notes

Vulnerability Notes Help Information
 

 View Notes By
Name

ID Number

CVE Name

Date Public

Date Published

Date Updated

Severity Metric

Vulnerability Note VU#5648

Buffer Overflows in various email clients

Overview

Buffer Overflows in several MIME headers affect a large number of electronic mail clients.

I. Description

A variety of electronic mail clients (circa 1998) are vulnerable to buffer overflow attacks in the code that processes MIME headers. See the vendor statements referenced below for details specific to each mail client.

II. Impact

An intruder can crash vulnerable mail clients, or use them to execute arbitrary code with the privileges of the user reading the mail.

If the operating system where the vulnerable program resides does not provide strong memory protection, an intruder who is able to crash the mail clinet may be able to crash the entire operating system.

If a user with administrative access to the system (including Windows 95/Windows 98 users, as well as Unix 'root' or NT 'administrator') an intruder can use the vulnerability to gain administrative access to the system.

III. Solution

Fixing the problem requires modifying each email client with an appropriate patch from the vendor.

There are several things that can be done to mitigate the risk if a patch cannot be installed.

filter at the mail transfer agent (as in sendmail)
filter in procmail
filter in a firewall product

None of these really fix the problem, but they may provide some additional protection. There are at least two downsides, however: 1) performance -- the MTA has to scan each and every message for the problem, potentially becoming a bottleneck. 2) Unless you decode the information completely, you run the risk of overlooking some aspect of the problem. Most classic filtering solutions rely on fingerprints of the problem, rather than interpreting the nature of the information that is being filtered. A common example is the difficulty firewalls face when trying to filter fragmented packets. Unless the firewall implements its own reassembly routines, it may allow inappropriate trafic to pass, or block appropriate traffic.

Systems Affected

VendorStatusDate Updated
Data GeneralUnknown7-Aug-1998
Eric AllmanNot Vulnerable20-Sep-2001
FujitsuNot Vulnerable7-Aug-1998
Hewlett-Packard CompanyVulnerable20-Sep-2001
Lotus SoftwareUnknown28-Aug-2000
Microsoft CorporationVulnerable20-Sep-2001
MuttVulnerable20-Sep-2001
NCRNot Vulnerable7-Aug-1998
NetBSDVulnerable7-Aug-1998
OpenBSDNot Vulnerable20-Sep-2001
Pegasus MailNot Vulnerable11-Aug-1998
QUALCOMMNot Vulnerable7-Aug-1998
Sun Microsystems Inc.Vulnerable7-Aug-1998
The SCO Group (SCO Linux)Vulnerable20-Sep-2001
The SCO Group (SCO UnixWare)Unknown7-Aug-1998

References


http://www.microsoft.com/security/bulletins/ms98-008.htm
http://www.netscape.com/products/security/resources/bugs/longfile.html
http://www.ciac.org/ciac/MIMEfaq.html
http://www.ciac.org/ciac/bulletins/i-077a.shtml
ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-98.02.Outlook.buffer.overflow
http://www.sjmercury.com/business/tech/docs/security072898.htm

Credit

This document was written by Shawn V Hernan.

Other Information

Date Public07/27/1998
Date First Published09/20/2001 12:18:54 AM
Date Last Updated04/11/2003
CERT AdvisoryCA-1998-10
CVE Name 
Metric81.00
Document Revision6

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

Copyright 2001 Carnegie Mellon University