Related information

Eremove mail agent buffer overflow

From:	erdc_(at)_echo.or.id <erdc_(at)_echo.or.id>
Date:	07.08.2006
Subject:	[ECHO_ADV_42$2006] BufferOverflow in Eremove Client

\_   _____/\_   ___ \ /   |   \\_____  \
|    __)_ /    \  \//    ~    \/   |   \
|        \\     \___\    Y    /    |    \
/_______  / \______  /\___|_  /\_______  /
       \/         \/       \/         \/

                                       .OR.ID
ECHO_ADV_42$2006

---------------------------------------------------------------------------
[ECHO_ADV_42$2006] BufferOverflow in Eremove Client
---------------------------------------------------------------------------

Author       : Dedi Dwianto
Date         : Aug, 01st 2006
Location     : Indonesia, Jakarta
Web          : http://advisories.echo.or.id/adv/adv42-theday-2006.txt
Exploitation : Local
Critical Lvl : High
---------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Application : Eremove
version     : 1.4
URL         : http://eremove.sourceforge.net/
Description :
Eremove is a simple application for linux, based on GTK, for logging into
a POP3 mail account, quickly seeing a summary of everything that is there
waiting for you, and previewing/deleteing some or all of those emails painlessly.

---------------------------------------------------------------------------

Vulnerability:
~~~~~~~~~~~~~~~~
The function priview_create  used by Eremove  is affected by a buffer-overflow
vulnerability which happens when it tries to store the exceeding data
available in the input email in the message_body  buffer of only 65534 bytes.

------------------gui.cpp-----------------------------
.....
gint preview_create (int message_num) {
       ...
       GtkWidget       *hbox;
       GtkWidget       *vscrollbar;
       char            *tmp_pntr;
       char            tmp_str[255];
       char            buf[65534];
       char            message_body[65534];
       gint            i;
       ...
               }
       if (!find_header_field("Date", buf, &date)) {
               date = (char *) malloc(strlen("unspecified")*sizeof(char));
               strcpy(date, "unspecified");
       }
       strcpy(message_body, buf);
       ...
----------------------------------------------------------

POC:
~~~~
Send EMail with Attachment more than 100 KB
and Openwith eremove.
Eremove will be crash.
---------------------------------------------------------------------------
Shoutz:
~~~~~~~

~ y3dips,moby,comex,z3r0byt3,K-159,c-a-s-e,S`to,lirva32,anonymous
~ My Lovely Jessy
~ newbie_hacker@yahoogroups.com
~ #aikmel #e-c-h-o @irc.dal.net
~ SUPPORT PALESTINE & LEBANON
---------------------------------------------------------------------------
Contact:
~~~~~~~~

    Dedi Dwianto || echo|staff || the_day[at]echo[dot]or[dot]id
    Homepage: http://theday.echo.or.id/

-------------------------------- [ EOF ] ----------------------------------