BufferOverflow in Eremove Client

2006.08.13
Credit: Dedi Dwianto
Risk: High
Local: Yes
Remote: No
CVE: CVE-2006-4057
CWE: CWE-Other


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

_ _____/_ ___ / | \_____ | __)_ / // ~ / | | \ ___ Y / | /_______ / ______ /___|_ /_______ / / / / / .OR.ID ECHO_ADV_42$2006 ------------------------------------------------------------------------ --- [ECHO_ADV_42$2006] BufferOverflow in Eremove Client ------------------------------------------------------------------------ --- Author : Dedi Dwianto Date : Aug, 01st 2006 Location : Indonesia, Jakarta Web : http://advisories.echo.or.id/adv/adv42-theday-2006.txt Exploitation : Local Critical Lvl : High ------------------------------------------------------------------------ --- Affected software description: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Application : Eremove version : 1.4 URL : http://eremove.sourceforge.net/ Description : Eremove is a simple application for linux, based on GTK, for logging into a POP3 mail account, quickly seeing a summary of everything that is there waiting for you, and previewing/deleteing some or all of those emails painlessly. ------------------------------------------------------------------------ --- Vulnerability: ~~~~~~~~~~~~~~~~ The function priview_create used by Eremove is affected by a buffer-overflow vulnerability which happens when it tries to store the exceeding data available in the input email in the message_body buffer of only 65534 bytes. ------------------gui.cpp----------------------------- ..... gint preview_create (int message_num) { ... GtkWidget *hbox; GtkWidget *vscrollbar; char *tmp_pntr; char tmp_str[255]; char buf[65534]; char message_body[65534]; gint i; ... } if (!find_header_field("Date", buf, &date)) { date = (char *) malloc(strlen("unspecified")*sizeof(char)); strcpy(date, "unspecified"); } strcpy(message_body, buf); ... ---------------------------------------------------------- POC: ~~~~ Send EMail with Attachment more than 100 KB and Openwith eremove. Eremove will be crash. ------------------------------------------------------------------------ --- Shoutz: ~~~~~~~ ~ y3dips,moby,comex,z3r0byt3,K-159,c-a-s-e,S`to,lirva32,anonymous ~ My Lovely Jessy ~ newbie_hacker (at) yahoogroups (dot) com [email concealed] ~ #aikmel #e-c-h-o @irc.dal.net ~ SUPPORT PALESTINE & LEBANON ------------------------------------------------------------------------ --- Contact: ~~~~~~~~ Dedi Dwianto || echo|staff || the_day[at]echo[dot]or[dot]id Homepage: http://theday.echo.or.id/ -------------------------------- [ EOF ] ----------------------------------


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top