SkipNavigation
Home | FAQ | Contact | Privacy Policy
US-CERT
American Flag
  Vulnerability
Notes
Database

Search Vulnerability Notes

Vulnerability Notes Help Information


 
 View Notes By
  Name

ID Number

CVE Name

Date Public

Date Published

Date Updated

Severity Metric
 Other Documents
  Technical Alerts

Technical Bulletins

Alerts

Security Tips

Vulnerability Note VU#518518

metamail contains multiple format string vulnerabilities

Overview

Multiple format string vulnerabilities in the metamail package could allow a remote attacker to execute arbitrary code on the vulnerable system. An attacker may be able to exploit these vulnerabilities via a specially-crafted email message.

I. Description

The metamail package is one of the first widely adopted packages developed to handle Multipurpose Internet Mail Extensions (MIME) data, and includes a number of programs for handling various MIME types. Although it is mostly historic, it is still in wide deployment in many environments. Two format string vulnerabilities have been discovered in various portions of the metamail codebase. According to an analysis published by Ulf Härnhammar:

    The first format string bug occurs when a message has a "multipart/alternative" media type and one of the body parts has a "Content-Type" header with parameter names or values containing formatting codes. It occurs because of two bad fprintf() statements in the function SaveSquirrelFile() - yes, it's really called that - in metamail.c. [...]

    The second format string bug occurs when a message has encoded non-ASCII characters in the mail headers (as described in RFC 2047), an unknown encoding, and encoded text containing formatting codes. It is caused by a bad printf() statement in the function PrintHeader() in metamail.c. [...]


Although programs included in the metamail package can be invoked explicitly by a user from the command line, they are commonly invoked automatically by a mail reader or intermediate mail handling applications. Examples of such applications include, but are not limited to, virus scanners, spam filtering software, and mail delivery agents such as procmail. This is an important consideration since messages containing malicious code may be automatically or inadvertently passed to metamail in these cases.

NOTE: Proof-of-concept exploit code has been published for this vulnerability.

II. Impact

An attacker may be able to execute code of their choosing on a vulnerable system by introducing a specially-crafted MIME attachment. The code would be executed in the context of the user who invoked the metamail program or mail handling program that launched metamail.

III. Solution

Apply a patch from the vendor


Although the metamail package is unmaintained by the original author, some redistributors have released patches. Please see the Systems Affected section of this document for more details.

Systems Affected

VendorStatusDate NotifiedDate Updated
DebianVulnerable24-Feb-2004
MandrakeSoftVulnerable20-Feb-2004
Red Hat Inc.Vulnerable4-Mar-2004
SGIVulnerable4-Mar-2004
SlackwareVulnerable20-Feb-2004

References


http://secunia.com/advisories/10908/

Credit

Thanks to Ulf Härnhammar for reporting this vulnerability.

This document was written by Chad R Dougherty.

Other Information

Date Public:2004-02-18
Date First Published:2004-02-24
Date Last Updated:2004-03-04
CERT Advisory: 
CVE-ID(s):CAN-2004-0104
NVD-ID(s):CAN-2004-0104
US-CERT Technical Alerts: 
Metric:14.25
Document Revision:10

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Page Corner Image
Copyright 2004 Carnegie Mellon University
Disclaimers and copyright information
Get Adobe Reader Get Adobe Reader