Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:14777
HistoryOct 23, 2006 - 12:00 a.m.

******************** Netragard, L.L.C Advisory ********************

2006-10-2300:00:00
vulners.com
14

******************** Netragard, L.L.C Advisory********************

                 Strategic Reconnaissance Team

          ------------------------------------------------ 
          http://www.netragard.com -- "We make I.T. Safe."

[Advisory Information]

Advisory ID : NETRAGARD-20060810
Product Name : dtmail
Product Version : <see operating system>
Vendor Name : Hewlet Packard
Type of Vulnerability : Privilege Escalation
Effort : Easy
Operating System : HP Tru64 UNIX 5.1B-3
HP Tru64 UNIX 5.1B-2/PK4
HP Tru64 UNIX 5.1A PK6
HP Tru64 UNIX 4.0G PK4
HP Tru64 UNIX 4.0F PK8
HP-UX B.11.23
HP-UX B.11.11
HP-UX B.11.00
Other : Unchecked Buffer

[Product Description]

The dtmail program is a desktop mail application. It provides an easy
-to-use interface for viewing, filing, composing and sending
electronic mail folders and mail messages.

dtmail provides a GUI-based interface for manipulating electronic mail
messages that can have attachments. Use the interface to compose a
message, view a message or a folder containing messages, load new mail
,copy or move messages from one folder to another, delete messages,
reply to messages, add and delete attachments to a message when
composing, and view the contents of attachments in a message. dtmail
also supplies a mail-pervasive desktop environment by providing a
public Tooltalk API that other clients can use to compose and send
messages.

You can use dtmail as a Post Office Protocol (POP) to connect to mail
servers offering POP services. If you choose this option, you can
also select APOP authentication (if supported by your mail server) to
encrypt your user ID and password during communications with your
network mail server.

[Technical Summary]

dtmail suffers from a buffer overflow vulnerability which could result
in the execution of arbitrary code. More specifically this
vulnerability is triggered when using -a flag:

-a file1 …fileN

Bring up a Compose window with file1 through fileN as
attachments.

[Technical Details]

This was tested against tru64 version 5.1b using a system (a working
display is required). The following gdb output demonstrates the
vulnerability.

gdb) r -a -a `perl -e 'print "A" x 9000'`
Starting program: /cluster/members/member0/tmp/dtmail -a `perl -e
'print "A"x 9000'`
(no debugging symbols found)…(no debugging symbols found)…
(no debugging symbols found)…(no debugging symbols found)…
(no debugging symbols found)…(no debugging symbols found)…
(no debugging symbols found)…(no debugging symbols found)…
(no debugging symbols found)…(no debugging symbols found)…
(no debugging symbols found)…(no debugging symbols found)…
(no debugging symbols found)…(no debugging symbols found)…
(no debugging symbols found)…(no debugging symbols found)…
(no debugging symbols found)…(no debugging symbols found)…

Program received signal SIGSEGV, Segmentation fault.
warning: Hit heuristic-fence-post without finding
warning: enclosing function for address 0x4141414141414140
This warning occurs if you are debugging a function without any
symbols (for example, in a stripped executable). In that case, you
may wish to increase the size of the search with the `set heuristic-
fence-post' command.

Otherwise, you told GDB there was a function where there isn't one, or
(more likely) you have encountered a bug in GDB.
0x4141414141414140 in ?? ()

[Proof of Concept]

Undisclosed

[Vendor Status]

Vendor Contacted.

[About Netragard]

Netragard offers specialized application, network security, and
managed security services which enable its clients to take a proactive
security stance. Each of our services is driven by security
professionals who specialize in specific areas of Information
Security. This specialized focus differentiates Netragard from the
competition by enabling Netragard to produce deliverables which are
the product of skilled security professionals and not the product of
automated tools and scripts.

[ For more information please visit http://www.netragard.com ]

[Disclaimer]
---------------------http://www.netragard.com-------------------------
Netragard, L.L.C. assumes no liability for the use of the information
provided in this advisory. This advisory was released in an effort to
help the I.T. community protect themselves against a potentially
dangerous security hole. This advisory is not an attempt to solicit
business.