search menu icon-carat-right cmu-wordmark
Carnegie Mellon University

Software Engineering Institute

CERT Coordination Center

metamail contains multiple buffer overflow vulnerabilities

Vulnerability Note VU#513062

Original Release Date: 2004-02-24 | Last Revised: 2004-03-04

Overview

Multiple buffer overflows in the metamail package could allow a remote attacker to execute arbitrary code on a vulnerable system. An attacker may be able to exploit these vulnerabilities via a specially-crafted email message.

Description

The metamail package is one of the first widely adopted packages developed to handle Multipurpose Internet Mail Extensions (MIME) data, and includes a number of programs for handling various MIME types. Although it is mostly historic, it is still in wide deployment in many environments. Two buffer overflows due to incorrect use of strcpy() have been discovered in various portions of the metamail codebase. According to an analysis published by Ulf Härnhammar:

The first buffer overflow occurs when a message has encoded non-ASCII characters in the mail headers and the part that names a character set is overly long. The root of this problem is a bad strcpy() statement in the function PrintHeader() in metamail.c. [...]

The second buffer overflow doesn't occur in the metamail executable, but in the splitmail executable that's generated when you compile the metamail package. This overflow occurs when a message has an overly long Subject header. It is caused by a bad strcpy() statement in the function ShareThisHeader() in splitmail.c. [...]

Although programs included in the metamail package can be invoked explicitly by a user from the command line, they are commonly invoked automatically by a mail reader or intermediate mail handling applications. Examples of such applications include, but are not limited to, virus scanners, spam filtering software, and mail delivery agents such as procmail. This is an important consideration since messages containing malicious code may be automatically or inadvertently passed to metamail in these cases.

NOTE: Proof-of-concept exploit code has been published for this vulnerability.

Impact

An attacker may be able to execute code of their choosing on a vulnerable system by introducing a specially-crafted MIME attachment. The code would be executed in the context of the user who invoked the metamail program or mail handling program that launched metamail.

Solution

Apply a patch from the vendor

Although the metamail package is unmaintained by the original author, some redistributors have released patches. Please see the Systems Affected section of this document for more details.

Vendor Information

513062
 
Expand all

Debian Affected

Updated:  February 24, 2004

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The Debian Security Team has released Debian Security Advisory DSA-449 in response to this issue. Users are encouraged to review this advisory and apply the patches it refers to.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

MandrakeSoft Affected

Updated:  February 19, 2004

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

MandrakeSoft has published MandrakeSoft Security Advisory MDKSA-2004:014 in response to this issue. Users are encouraged to review this advisory and apply the patches it refers to.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Red Hat Inc. Affected

Updated:  March 04, 2004

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Red Hat, Inc. has published Red Hat Security Advisory RHSA-2004:073 in response to this issue. Users are encouraged to review this advisory and apply the patches it refers to.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SGI Affected

Updated:  March 04, 2004

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

SGI has published SGI Advanced Linux Environment security update #12 in response to this issue. Users are encouraged to review this bulletin and apply the patches it refers to.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Slackware Affected

Updated:  February 19, 2004

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The Slackware security team has published Slackware Security Advisory SSA:2004-049-02 in response to this issue. Users are encouraged to review this advisory and apply the patches it refers to.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base
Temporal
Environmental

References

http://secunia.com/advisories/10908/

Acknowledgements

Thanks to Ulf Härnhammar for reporting this vulnerability.

This document was written by Chad R Dougherty.

Other Information

CVE IDs: CVE-2004-0105
Severity Metric: 14.25
Date Public: 2004-02-18
Date First Published: 2004-02-24
Date Last Updated: 2004-03-04 18:56 UTC
Document Revision: 13

Sponsored by CISA.

Download PGP Key

Read CERT/CC Blog

Learn about Vulnerability Analysis