Multiple format string vulnerabilities in the metamail package could allow a remote attacker to execute arbitrary code on the vulnerable system. An attacker may be able to exploit these vulnerabilities via a specially-crafted email message.
The metamail package is one of the first widely adopted packages developed to handle Multipurpose Internet Mail Extensions (MIME) data, and includes a number of programs for handling various MIME types. Although it is mostly historic, it is still in wide deployment in many environments. Two format string vulnerabilities have been discovered in various portions of the metamail codebase. According to an analysis published by Ulf Härnhammar:
The first format string bug occurs when a message has a "multipart/alternative" media type and one of the body parts has a "Content-Type" header with parameter names or values containing formatting codes. It occurs because of two bad fprintf() statements in the function SaveSquirrelFile() - yes, it's really called that - in metamail.c. [...]
An attacker may be able to execute code of their choosing on a vulnerable system by introducing a specially-crafted MIME attachment. The code would be executed in the context of the user who invoked the metamail program or mail handling program that launched metamail.
Apply a patch from the vendor
Thanks to Ulf Härnhammar for reporting this vulnerability.
This document was written by Chad R Dougherty.
|Date First Published:||2004-02-24|
|Date Last Updated:||2004-03-04 18:57 UTC|