- Ximian
CORE notification: 2003-03-11
Notification acknowledged by Ximian: 2003-03-11
Fixes added by Ximian to CVS tree: 2003-03-12
BID, CVE numbers assigned: 2003-03-18
Roll out of fixes: 2003-03-19
Advisory published: 2003-03-19
Release Mode: COORDINATED RELEASE
*Vulnerability Description:*
Ximian Evolution is a personal and workgroup information management solution for Linux and UNIX-based systems. The software integrates email, calendaring, meeting scheduling, contact management, and task lists, in one application. For more information about Ximian Evolution visit http://www.ximian.com
Three vulnerabilities were found that could lead to various forms of exploitation, ranging from denying users the ability to read email and provoking system instability, to bypassing security context checks for email content and possibly executing arbitrary commands on vulnerable systems.
The following security vulnerabilities were found:
[CAN-2003-0128, BID 7117]
The Evolution mailer accepts UUEncoded content and will transparently decode it. By including a specially crafted UUE header as part of an otherwise perfectly normal email an attacker has the ability to crash Evolution as soon as the mail is parsed. This makes it particularly difficult to delete this email from Evolution's GUI and prevents a user from reading email until the malicious mail is removed from the mailbox.
All versions of Evolution that include the function try_uudecoding in the module mail/mail-format.c are vulnerable.
[CAN-2003-0129, BID 7118]
Having the Evolution mailer process mail content UUencoded multiple times will cause resource starvation. The MUA will try to allocate memory until it dies, possibly leading to system instability. Our example in the technical details section uses email content encoded 3 times.
[CAN-2003-0130, BID 7119]
By including a specially crafted MIME Content-ID header as part of an image/* MIME part, it is possible to include arbitrary data, including HTML tags, into the stream that is passed to GTKHtml for rendering.
These vulnerabilities provide multiple exploitation possibilities in the Evolution mailer. Namely, it is possible:
a) To crash the application. The crash appears to be the result of heap corruption; further research on this bug is required to demonstrate successful exploitation to run arbitrary commands on vulnerable systems.
b) To bypass the "Don't connect to remote hosts to fetch images" option.
c) To execute some bonobo components and pass them arbitrary content, included as part of the mail.
*Vulnerable Packages:*
Evolution 1.2.2 and prior releases are vulnerable, partially or wholly to the vulnerabilities in this advisory.
*Solution/Vendor Information/Workaround:*
Ximian is providing Evolution 1.2.3 on [March 18/March 19]. This release resolves all vulnerabilities in this advisory as well as other unrelated bugs. The patched code for Evolution that resolves these vulnerabilities is also already available in GNOME CVS.
A workaround for unpatched versions of Evolution to prevent Evolution from crashing when viewing messages that exploit these vulnerabilities is to go into "View"->"Message Display" and change the value to "Show E-mail Source."
Distribution vendors who provide their own version of Evolution have been advised of these issues as well as having been provided the patches to fix them. They may provide updated packages for their distributions.
*Credits:*
These vulnerabilities were found by Diego Kelyacoubian, Javier Kohen, Alberto Solino, and Juan Vera from Core Security Technologies during Bugweek 2003 (March 3-7, 2003).
We would like to thank Carlos Montero Luque at Ximian for quickly addressing our report and coordinating the generation and public release of patches and information regarding these vulnerabilities.
Thanks also to Jeffrey Stedfast and other members of the Evolution development team for the followup and development of the patches to close these vulnerabilities.
*Technical Description - Exploit/Concept Code:*
[CAN-2003-0128, BID 7117]
The following email will reproduce this vulnerability; note that an empty line is required before and after the UUE header line.
>From xxx-at-corest.com Wed Mar 5 14:06:02 2003
Subject: xxx
From: X X. X
To: xxx-at-corest.com
Content-Type: multipart/mixed; boundary="=-mTDu5zdJIsixETTwCF5Y"
Message-Id: <1046884154.1731.5.camel-at-vaiolin>
Mime-Version: 1.0
Date: 05 Mar 2003 14:09:14 -0300
The handle_image() function, located in the module mail/mail-format.c, lacks proper input checking. This function does not escape HTML characters in the string returned by get_cid, which is in turn constructed from the Content-ID MIME header included in the MIME part.
It can be exploited several ways, for instance:
a) The Evolution mailer will crash when a MIME part's Content-ID is referenced from two different object tags via the cid "protocol". The following email will reproduce this vulnerability in Evolution version 1.2.1:
>From xxx-at-corest.com Wed Mar 5 14:06:02 2003
Subject: xxx
From: X X. X
To: xxx-at-corest.com
Content-Type: multipart/mixed; boundary="=-mTDu5zdJIsixETTwCF5Y"
Message-Id: <1046884154.1731.5.camel-at-vaiolin>
Mime-Version: 1.0
Date: 05 Mar 2003 14:09:14 -0300
c) It is possible to execute bonobo components to handle content types that the Evolution mailer does not handle internally (for example audio/ulaw). The following mail uses the Content-ID bug to execute the bonobo-audio-ulaw component (bundled by default with bonobo) and pass it arbitrary content.
>From xxx-at-corest.com Wed Mar 5 14:06:02 2003
Subject: xxx
From: X X. X
To: xxx-at-corest.com
Content-Type: multipart/mixed; boundary="=-mTDu5zdJIsixETTwCF5Y"
Message-Id: <1046884154.1731.5.camel-at-vaiolin>
Mime-Version: 1.0
Date: 05 Mar 2003 14:09:14 -0300
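The escaping that the advisory says handle_image() lacks, shown as an added C example that is not Evolution's code: html_escape, build_img_tag and cid_header_suspicious are assumed names, the tag layout is a stand-in for whatever mail/mail-format.c actually emits, and the detection heuristic is a constructed one for mail gateways or log review.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Escape the characters the HTML renderer would treat as markup.
 * Worst case every byte becomes "&quot;" (6 bytes), so allocate for that. */
static char *html_escape(const char *s) {
    char *out = malloc(strlen(s) * 6 + 1), *o = out;
    for (const char *p = s; *p; p++) {
        switch (*p) {
        case '<': o += sprintf(o, "&lt;");   break;
        case '>': o += sprintf(o, "&gt;");   break;
        case '&': o += sprintf(o, "&amp;");  break;
        case '"': o += sprintf(o, "&quot;"); break;
        default:  *o++ = *p;
        }
    }
    *o = '\0';
    return out;
}

/* Builds the tag the renderer receives. With escape == 0 this is the
 * unsafe pattern the advisory describes (Content-ID dropped in verbatim,
 * so quotes and brackets become markup); with escape != 0 it is hardened. */
char *build_img_tag(const char *cid, int escape) {
    char *esc = escape ? html_escape(cid) : NULL;
    const char *src = esc ? esc : cid;
    size_t len = strlen(src) + 32;
    char *tag = malloc(len);
    snprintf(tag, len, "<img src=\"cid:%s\">", src);
    free(esc);
    return tag;
}

/* Detection heuristic (constructed): a well-formed Content-ID is one
 * <addr-spec>; after stripping that outer pair, any remaining markup
 * character marks a header worth logging or quarantining. */
int cid_header_suspicious(const char *value) {
    size_t len = strlen(value);
    if (len >= 2 && value[0] == '<' && value[len - 1] == '>') {
        value++;
        len -= 2;
    }
    for (size_t i = 0; i < len; i++)
        if (strchr("<>\"", value[i]))
            return 1;
    return 0;
}
```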
Core Security Technologies develops strategic security solutions for Fortune 1000 corporations, government agencies and military organizations. The company offers information security software and services designed to assess risk and protect and manage information assets. Headquartered in Boston, MA, Core Security Technologies can be reached at 617-399-6980 or on the Web at http://www.coresecurity.com.
To learn more about CORE IMPACT, the first comprehensive penetration testing framework, visit http://www.coresecurity.com/products/coreimpact
*DISCLAIMER:*
The contents of this advisory are copyright (c) 2003 CORE Security Technologies and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.