CVE-2003-0721
CVSS7.5
Published: 2003-09-17 00:00:00
Revised: 2016-10-17 22:36:53

[Original] Integer signedness error in rfc2231_get_param from strings.c in PINE before 4.58 allows remote attackers to execute arbitrary code via an email that causes an out-of-bounds array access using a negative number.


[CNNVD] Pine rfc2231_get_param() Remote Integer Overflow Vulnerability (CNNVD-200309-012)

        
Pine is an open-source email client.
The rfc2231_get_param() function in Pine contains an integer overflow. A remote attacker can exploit it by constructing a malicious email and enticing a user to open it, executing arbitrary instructions on the system with the privileges of the user's process.
The problem lies in the rfc2231_get_param() function in strings.c, which declares an array of 64 character pointers (RFC2231_MAX):
#define RFC2231_MAX 64
...
char *pieces[RFC2231_MAX];
and indexes it with the signed integer variable 'n':
if(n < RFC2231_MAX){
 pieces[n] = parms->value;
The variable 'n' is attacker-controlled and can be set to a negative value that passes the bounds check. By storing assembly code in the parms->value structure and writing outside the 64-entry array, an attacker can overwrite the saved instruction pointer on the stack and execute arbitrary instructions with the user's privileges.
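The signed-index check quoted above (and again in the iDEFENSE advisory reproduced below) is the whole bug: `n < RFC2231_MAX` bounds the index only from above, so a negative `n` passes and `pieces[n]` writes before the start of the array. The C program that follows is an added illustration, not code from this page, from Pine, or from iDEFENSE. It places the one-sided comparison beside a hardened two-sided check and adds a hypothetical helper, `rfc2231_section()`, that derives the section number from an RFC 2231 continuation attribute such as `title*0*` and rejects negative, signed, non-numeric and out-of-range values before the number is ever used as an index. The attribute names and values in `main()` are constructed sample input in the shape of a split Content-Type parameter; `collect_pieces()` and the helper are assumptions for the example, not Pine's actual parsing code.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define RFC2231_MAX 64

/* The bounds test as quoted in the advisory: 'n' is signed and only the
 * upper bound is checked, so every negative n passes. */
int vulnerable_index_ok(int n)
{
    return n < RFC2231_MAX;
}

/* Hardened test: an index is acceptable only in [0, RFC2231_MAX). */
int safe_index_ok(long n)
{
    return n >= 0 && n < RFC2231_MAX;
}

/* Hypothetical helper (not Pine's code): extract the section number from an
 * RFC 2231 continuation attribute such as "title*0" or "title*12*".
 * Returns the section number, or -1 if the attribute is not a continuation,
 * the number carries a sign or trailing junk, or it lies outside pieces[]. */
long rfc2231_section(const char *attrib)
{
    const char *star = strchr(attrib, '*');
    if (star == NULL || star[1] == '\0')
        return -1;                  /* plain attribute, no section number */
    if (star[1] < '0' || star[1] > '9')
        return -1;                  /* rejects "-5", "+3", " 7" before strtol sees them */

    char *end;
    errno = 0;
    long n = strtol(star + 1, &end, 10);
    if (errno == ERANGE)
        return -1;                  /* digit string too long for a long */
    if (*end == '*')
        end++;                      /* optional trailing '*' = charset/language flag */
    if (*end != '\0')
        return -1;                  /* anything else is malformed */
    return safe_index_ok(n) ? n : -1;
}

/* Store each continuation value in its section slot, refusing the whole
 * parameter if any section number is rejected. Returns the number of
 * pieces stored, or -1. The caller owns pieces[] (RFC2231_MAX entries). */
int collect_pieces(const char *attribs[], const char *values[], size_t count,
                   const char *pieces[])
{
    memset(pieces, 0, sizeof(const char *) * RFC2231_MAX);
    int stored = 0;
    for (size_t i = 0; i < count; i++) {
        long n = rfc2231_section(attribs[i]);
        if (n < 0)
            return -1;
        pieces[n] = values[i];      /* n is now known to be in range */
        stored++;
    }
    return stored;
}

int main(void)
{
    /* Constructed sample parameters; the second set carries a negative
     * section number of the kind the advisory describes. */
    const char *good_attribs[] = { "title*0*", "title*1" };
    const char *good_values[]  = { "us-ascii'en'Hello", "%20World" };
    const char *bad_attribs[]  = { "title*0", "title*-5" };
    const char *bad_values[]   = { "x", "y" };
    const char *pieces[RFC2231_MAX];

    printf("one-sided check accepts n=-5: %d\n", vulnerable_index_ok(-5));
    printf("hardened check accepts n=-5:  %d\n", safe_index_ok(-5));
    printf("well-formed parameter: %d pieces stored\n",
           collect_pieces(good_attribs, good_values, 2, pieces));
    printf("negative section:      %d (rejected)\n",
           collect_pieces(bad_attribs, bad_values, 2, pieces));
    return 0;
}
```

The design point is that the index is validated where it is produced, not where it is consumed: once `rfc2231_section()` has returned, every caller can rely on `0 <= n < RFC2231_MAX`, which is the invariant the original one-sided comparison silently assumed. Rejecting a leading sign character before calling `strtol()` matters because `strtol()` itself happily accepts "-5".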

- CVSS (Base Score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (Affected platforms and products)

cpe:/a:university_of_washington:pine:4.0.4
cpe:/a:university_of_washington:pine:3.98
cpe:/a:university_of_washington:pine:4.30
cpe:/a:university_of_washington:pine:4.52
cpe:/a:university_of_washington:pine:4.0.2
cpe:/a:university_of_washington:pine:4.10
cpe:/a:university_of_washington:pine:4.21
cpe:/a:university_of_washington:pine:4.33
cpe:/a:university_of_washington:pine:4.44
cpe:/a:university_of_washington:pine:4.50
cpe:/a:university_of_washington:pine:4.20
cpe:/a:university_of_washington:pine:4.53
cpe:/a:university_of_washington:pine:4.56

- OVAL (Technical details for detection)

oval:org.mitre.oval:def:503  Integer Signedness Error in PINE
*The OVAL definition describes the method for detecting this vulnerability in detail; see the linked OVAL definition for further technical details on detection.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0721
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0721
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200309-012
(Official data source) CNNVD

- Other links and resources

http://lists.grok.org.uk/pipermail/full-disclosure/2003-September/009850.html
(UNKNOWN)  FULLDISC  20030911 Pine: .procmailrc rule against integer overflow
http://marc.info/?l=bugtraq&m=106329356702508&w=2
(UNKNOWN)  BUGTRAQ  20030911 [slackware-security] security issues in pine (SSA:2003-253-01)
http://marc.info/?l=bugtraq&m=106367213400313&w=2
(UNKNOWN)  BUGTRAQ  20030915 remote Pine <= 4.56 exploit fully automatic
http://www.idefense.com/advisory/09.10.03.txt
(VENDOR_ADVISORY)  IDEFENSE  20030910 Two Exploitable Overflows in PINE
http://www.redhat.com/support/errata/RHSA-2003-273.html
(VENDOR_ADVISORY)  REDHAT  RHSA-2003:273
http://www.redhat.com/support/errata/RHSA-2003-274.html
(UNKNOWN)  REDHAT  RHSA-2003:274

- Vulnerability information

Pine rfc2231_get_param() Remote Integer Overflow Vulnerability
High risk  Boundary condition error
2003-09-17 00:00:00 2005-10-20 00:00:00
Remote
        

- Advisories and patches

Vendor patches:
Conectiva
---------
Conectiva has released a security advisory (CLA-2003:738) and the corresponding patches:
CLA-2003:738: pine
Link:
http://distro.conectiva.com/atualizacoes/?id=a&anuncio=000738

Patch download:
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/pine-4.50L-1U70_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/pine-4.50L-1U70_2cl.src.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/pine-4.50L-1U80_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/SRPMS/pine-4.50L-1U80_2cl.src.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/pine-4.53L-22751U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/SRPMS/pine-4.53L-22751U90_1cl.src.rpm
RedHat
------
RedHat has released a security advisory (RHSA-2003:273-01) and the corresponding patches:
RHSA-2003:273-01: Updated pine packages fix vulnerabilities
Link: https://www.redhat.com/support/errata/RHSA-2003-273.html
Patch download:
Red Hat Linux 7.1:
SRPMS:
ftp://updates.redhat.com/7.1/en/os/SRPMS/pine-4.44-19.71.0.src.rpm
i386:
ftp://updates.redhat.com/7.1/en/os/i386/pine-4.44-19.71.0.i386.rpm
Red Hat Linux 7.2:
SRPMS:
ftp://updates.redhat.com/7.2/en/os/SRPMS/pine-4.44-19.72.0.src.rpm
i386:
ftp://updates.redhat.com/7.2/en/os/i386/pine-4.44-19.72.0.i386.rpm
ia64:
ftp://updates.redhat.com/7.2/en/os/ia64/pine-4.44-19.72.0.ia64.rpm
Red Hat Linux 7.3:
SRPMS:
ftp://updates.redhat.com/7.3/en/os/SRPMS/pine-4.44-19.73.0.src.rpm
i386:
ftp://updates.redhat.com/7.3/en/os/i386/pine-4.44-19.73.0.i386.rpm
Red Hat Linux 8.0:
SRPMS:
ftp://updates.redhat.com/8.0/en/os/SRPMS/pine-4.44-19.80.0.src.rpm
i386:
ftp://updates.redhat.com/8.0/en/os/i386/pine-4.44-19.80.0.i386.rpm
Red Hat Linux 9:
SRPMS:
ftp://updates.redhat.com/9/en/os/SRPMS/pine-4.44-19.90.0.src.rpm
i386:
ftp://updates.redhat.com/9/en/os/i386/pine-4.44-19.90.0.i386.rpm
S.u.S.E.
--------
S.u.S.E. has released a security advisory (SuSE-SA:2003:037) and the corresponding patches:
SuSE-SA:2003:037: pine
Link:
Patch download:
Intel i386 Platform:
 SuSE-8.2:
 ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/pine-4.53-109.i586.rpm
 c3d94808af56ac9fcc77bec85733bc47
 patch rpm(s):
 ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/pine-4.53-109.i586.patch.rpm
 fff680da5c283d2d50a44419976881a8
 source rpm(s):
 ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/src/pine-4.53-109.src.rpm
 327935d468b4cd7794dde00168a901c3
 SuSE-8.1:
 ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/pine-4.44-283.i586.rpm
 63bc3f723537b18a274404c9b30ea784
 patch rpm(s):
 ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/pine-4.44-283.i586.patch.rpm
 1d4711753488a274c8cf168b24c91acf
 source rpm(s):
 ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/src/pine-4.44-283.src.rpm
 9617c79c854c2b800df476aa515ae351
 SuSE-8.0:
 ftp://ftp.suse.com/pub/suse/i386/update/8.0/n1/pine-4.44-281.i386.rpm
 edea9fbbf85a9f922d2b2aa8bf4a14e8
 patch rpm(s):
 ftp://ftp.suse.com/pub/suse/i386/update/8.0/n1/pine-4.44-281.i386.patch.rpm
 18c95a919fb8767f3cff10218ce6c08c
 source rpm(s):
 ftp://ftp.suse.com/pub/suse/i386/update/8.0/zq1/pine-4.44-281.src.rpm
 6bf6b39feed23892faceaa78fd13b751
 SuSE-7.3:
 ftp://ftp.suse.com/pub/suse/i386/update/7.3/n1/pine-4.33-280.i386.rpm
 65d24983aa99d276e75ccd557eee557b
 source rpm(s):
 ftp://ftp.suse.com/pub/suse/i386/update/7.3/zq1/pine-4.33-280.src.rpm
 b0ecee1170d1fdec3b22e98d0941071a
 SuSE-7.2:
 ftp://ftp.suse.com/pub/suse/i386/update/7.2/n1/pine-4.33-279.i386.rpm
 574ae6efcf81a53a26d5d19b763f96ab
 source rpm(s):
 ftp://ftp.suse.com/pub/suse/i386/update/7.2/zq1/pine-4.33-279.src.rpm
 14fbade46db5dbc9c9893cf507d57e4a
 Sparc Platform:
 SuSE-7.3:
 ftp://ftp.suse.com/pub/suse/sparc/update/7.3/n1/pine-4.33-101.sparc.rpm
 4e90502bfc4ca5b49c20f8a10cb9d473

- Vulnerability information (F31621)

iDEFENSE Security Advisory 2003-09-10.t (PacketStormID:F31621)
2003-09-11 00:00:00
iDefense Labs  idefense.com
advisory,overflow,vulnerability
CVE-2003-0720,CVE-2003-0721

iDEFENSE Security Advisory 09.10.03: The PINE mail client has two vulnerabilities that can be exploited by specially crafted e-mails being opened. The first lies in a buffer overflow that exists in the parsing of the message/body type attribute name/value pairs while the second exists via an integer overflow during the parsing of e-mail headers.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

iDEFENSE Security Advisory 09.10.03:
http://www.idefense.com/advisory/09.10.03.txt
Two Exploitable Overflows in PINE
September 10, 2003

I. BACKGROUND

PINE (The Program for Internet News & Email) is a popular e-mail client
shipped with many Linux and Unix distributions. It was developed at the
University of Washington; more information is available at
http://www.washington.edu/pine/ .

II. DESCRIPTION

PINE contains two exploitable vulnerabilities that can be triggered
when a victim opens a specially crafted email sent by an attacker.

--- Vulnerability 1: Buffer Overflow ---

A remotely exploitable buffer overflow exists within the parsing of the
message/external-body type attribute name/value pairs. Failure to check
that the length of the longest attribute is less than the space
available allows a maliciously formed e-mail message to overwrite
control structures. Careful modification of these values allows
arbitrary code execution. However, exploitation requires knowledge of
the targeted version of PINE.

A 20kb character array is declared as:

headers.h:
#define SIZEOF_20KBUF (20480)

pine.c:
char tmp_20k_buf[SIZEOF_20KBUF];

The tmp_20k_buf[] array is stored within the .bss section and
referenced with a character pointer 'd'.  The overflow occurs within
the following snippet of code from the display_parameters() routine in
mailview.c:

d = tmp_20k_buf;
if(parmlist = rfc2231_newparmlist(params)){
    while(rfc2231_list_params(parmlist) && d < tmp_20k_buf + 10000){
        sprintf(d, "%-*s: %s\n", longest, parmlist->attrib,
                parmlist->value ? strsquish(tmp_20k_buf + 11000,
                parmlist->value, 100)
                : "");
        d += strlen(d);
    }

Starting at 'd', the code adds spaces to the left of the string as
padding to make the total length of the parameter attribute string
equal to that of the 'longest'. Later displaying the Attribute
name/value pairs. Example:

Access-Type: ftp
        URL: ftp://localhost/pub/interesting.ps

Supplying any attribute name that is over 20kb in length will overflow
the buffer, eventually allowing for arbitrary code execution.


--- Vulnerability 2: Integer Overflow ---

A remotely exploitable integer overflow exists in the parsing of e-mail
headers, allowing for arbitrary code execution upon the opening of a
malicious e-mail. The vulnerability exists within the
rfc2231_get_param() routine found in the strings.c file. A character
array of size 64 is declared:

#define RFC2231_MAX 64
...
char *pieces[RFC2231_MAX];

and indexed by the signed integer variable 'n':

if(n < RFC2231_MAX){
    pieces[n] = parms->value;

The variable 'n' is attacker-controlled and can be set to contain a
negative value that satisfies the if statement yet references an
out-of-bounds index within the pieces[] array. Arbitrary code execution
is possible by storing assembly code within the parms->value structure
and writing beyond the 64-byte character array, thereby overwriting the
stored instruction pointer on the stack.

III. ANALYSIS

If an attacker were to socially engineer a PINE user into opening a
malformed e-mail message, arbitrary code embedded within can then run
with privileges of the currently logged on user. It would be trivial
for this exploit to be fashioned into a worm, targeting e-mail
addresses found in any readable text files (inbox, etc.).

IV. DETECTION

PINE 4.56 and earlier is vulnerable.

V. VENDOR FIX

PINE 4.58, which fixes both of these issues, is available at
http://www.washington.edu/pine/getpine/ .

VI. CVE INFORMATION

The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project
has assigned the following identification numbers to these issues:

CAN-2003-0720: Vulnerability 1 - PINE buffer overflow in its handling
of the 'message/external-body' type.
CAN-2003-0721: Vulnerability 2 - PINE integer overflow in MIME header
parsing.

VII. DISCLOSURE TIMELINE

15 AUG 2003      Issues acquired by iDEFENSE
25 AUG 2003      Issues disclosed to pine@cac.washington.edu
25 AUG 2003      Response from Mark Crispin, University of Washington
26 AUG 2003      Issues disclosed to iDEFENSE clients
04 SEP 2003      Issues disclosed to Linux vendors: vendor-sec@lst.de
10 SEP 2003      Coordinated Public Disclosure

VIII. CREDIT

zen-parse (zen-parse@gmx.net) discovered these vulnerabilities.


Get paid for security research
http://www.idefense.com/contributor.html

Subscribe to iDEFENSE Advisories:
send email to listserv@idefense.com, subject line: "subscribe"


About iDEFENSE:

iDEFENSE is a global security intelligence company that proactively
monitors sources throughout the world - from technical
vulnerabilities and hacker profiling to the global spread of viruses
and other malicious code. Our security intelligence services provide
decision-makers, frontline security professionals and network
administrators with timely access to actionable intelligence
and decision support on cyber-related threats. For more information,
visit http://www.idefense.com .

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.2

iQA/AwUBP19IUfrkky7kqW5PEQJ3awCfY/2ScdjVnZAj9KDzj6QIt8MTkVsAoOWV
4DzDuqzJICAPOFj5DDcq4gZo
=C8eA
-----END PGP SIGNATURE-----


- Vulnerability information

11774
Pine strings.c rfc2231_get_param Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity Upgrade
Vendor Verified

- Vulnerability description

- Timeline

2003-09-10 Unknown
Unknown Unknown

- Solution

Upgrade to version 4.58 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- References

- Discoverer

Unknown or Incomplete

- Vulnerability information

Pine rfc2231_get_param() Remote Integer Overflow Vulnerability
Boundary Condition Error 8589
Yes No
2003-09-10 12:00:00 2009-07-11 11:56:00
Discovery credited to zen-parse.

- Affected program versions

University of Washington Pine 4.56
University of Washington Pine 4.53
University of Washington Pine 4.52
University of Washington Pine 4.50
University of Washington Pine 4.44
+ EnGarde Secure Linux 1.0.1
+ Red Hat Enterprise Linux AS 2.1 IA64
+ Red Hat Enterprise Linux AS 2.1
+ RedHat Enterprise Linux ES 2.1 IA64
+ RedHat Enterprise Linux ES 2.1
+ RedHat Enterprise Linux WS 2.1 IA64
+ RedHat Enterprise Linux WS 2.1
+ RedHat Linux Advanced Work Station 2.1
+ S.u.S.E. Linux 8.1
+ S.u.S.E. Linux 8.0 i386
+ S.u.S.E. Linux 8.0
+ Sun Cobalt Qube 3
+ Sun Cobalt RaQ 4
+ Sun Cobalt RaQ 550
+ Sun Cobalt RaQ XTR
+ Sun Linux 5.0.7
+ Sun Linux 5.0
University of Washington Pine 4.33
- FreeBSD FreeBSD 4.4
- FreeBSD FreeBSD 4.3
- FreeBSD FreeBSD 4.2
+ HP Secure OS software for Linux 1.0
+ RedHat Linux 7.2 ia64
+ RedHat Linux 7.2 i386
+ RedHat Linux 7.1 ia64
+ RedHat Linux 7.1 i386
+ RedHat Linux 7.1 alpha
+ S.u.S.E. Linux 7.3 sparc
+ S.u.S.E. Linux 7.3 ppc
+ S.u.S.E. Linux 7.3 i386
+ S.u.S.E. Linux 7.3
+ S.u.S.E. Linux 7.2 i386
+ S.u.S.E. Linux 7.2
+ S.u.S.E. Linux 7.1 sparc
+ S.u.S.E. Linux 7.1 ppc
+ S.u.S.E. Linux 7.1 alpha
+ S.u.S.E. Linux 7.1
University of Washington Pine 4.30
University of Washington Pine 4.21
+ Conectiva Linux 7.0
+ Conectiva Linux 6.0
+ Conectiva Linux 5.1
+ Conectiva Linux 5.0
+ Conectiva Linux graficas
+ Conectiva Linux ecommerce
+ RedHat Linux 7.0 i386
+ RedHat Linux 7.0 alpha
+ RedHat Linux 6.2 sparc
+ RedHat Linux 6.2 i386
+ RedHat Linux 6.2 alpha
+ Slackware Linux 7.1
+ Slackware Linux 7.0
University of Washington Pine 4.20
+ Turbolinux Turbolinux Workstation 6.0
University of Washington Pine 4.10
+ RedHat Linux 6.1 sparc
+ RedHat Linux 6.1 i386
+ RedHat Linux 6.1 alpha
+ RedHat Linux 6.0 sparc
+ RedHat Linux 6.0 alpha
+ RedHat Linux 6.0
+ S.u.S.E. Linux 6.1 alpha
+ S.u.S.E. Linux 6.1
University of Washington Pine 4.0.4
+ RedHat Linux 5.2 sparc
+ RedHat Linux 5.2 i386
+ RedHat Linux 5.2 alpha
University of Washington Pine 4.0.2
University of Washington Pine 3.98
+ S.u.S.E. Linux 5.3
SGI ProPack 2.3
SGI ProPack 2.2.1

- Vulnerability discussion

A vulnerability has been reported to be present in the software that may allow a remote attacker to cause an integer overflow condition in order to execute arbitrary code on a vulnerable system. The problem is reported to exist in the rfc2231_get_param() function found in the strings.c file.

Successful exploitation of this issue may allow a remote attacker to execute arbitrary code on a remote system in order to gain unauthorized access.

- Exploit

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Solution

The vendor has released fixes to address this issue:

Gentoo has released an advisory (200309-10) to address this issue. Affected users are advised to run the following commands to upgrade their pine installation:
emerge sync
emerge pine
emerge clean

Red Hat has released a security advisory (RHSA-2003:273-01) and fixes for this issue. Links to fixed packages may be found in the referenced advisory.

S.u.S.E. has released an advisory (SuSE-SA:2003:037) and fixes for this issue. Links to the fixed packages may be found in the referenced advisory.

Slackware has released an advisory (SSA:2003-253-01) and fixes for this issue. Links to the fixed packages may be found in the referenced advisory.

Guardian Digital has released advisory ESA-20030911-022 with fixes to address this issue. See referenced advisory for additional details.

Conectiva has released advisory CLSA-2003:738 to address this issue.

TurboLinux has released a security advisory (TLSA-2003-57), including fixes to address this issue. Users are advised to upgrade the appropriate packages as soon as possible.

Sun have released fixes to address this issue in Sun Linux 5.0.7. Users
who are affected by this issue are advised to apply relevant fixes as soon
as possible. Please see Sun reference (Sun Linux Support - Sun Linux
Patches (Sun)) for further details regarding obtaining and applying
appropriate fixes.

Red Hat has released advisory RHSA-2003:274-05 to address this issue in their Linux Enterprise software. Relevant patches are available through the Red Hat Network. See the referenced advisory for additional details.

SGI has released an advisory (20031002-01-U) pertaining to their ProPack Linux distribution. The advisory has been released in response to a number of RHSA advisories, and includes a patch (Patch 10027) containing updated RPM packages relating to 22 different BIDS.

Patch 10027 can be obtained via the following link:
http://support.sgi.com/

For information regarding how to obtain individual RPM packages included in Patch 10027, please see the attached advisory.

Sun has released an upgrade for this issue for their Cobalt product line.


University of Washington Pine 3.98
University of Washington Pine 4.0.2
University of Washington Pine 4.0.4
University of Washington Pine 4.10
University of Washington Pine 4.20
University of Washington Pine 4.21
University of Washington Pine 4.30
University of Washington Pine 4.33
University of Washington Pine 4.44
University of Washington Pine 4.50
University of Washington Pine 4.52
University of Washington Pine 4.53
University of Washington Pine 4.56

- References

 

 
