
tnef 1.4.12 OOB Read / Write / Type Confusions / Integer Overflows

Posted Feb 24, 2017
Authored by Eric Sesterhenn

tnef versions 1.4.12 and below suffer from multiple integer overflows, type confusions, and out of bounds read and write vulnerabilities.

tags | advisory, overflow, vulnerability
SHA-256 | 5705b80ef5130f182eaa09743b3b19d2e17761e1bcc5443fc91394d3bdbe51e3


X41 D-Sec GmbH Security Advisory: X41-2017-004

Multiple Vulnerabilities in tnef
================================

Overview
--------
Confirmed Affected Versions: 1.4.12 and earlier
Confirmed Patched Versions:
Vendor: verdammelt
Vendor URL: https://github.com/verdammelt/tnef/
Vector: File
Credit: X41 D-Sec GmbH, Eric Sesterhenn
Status: Public
Advisory-URL: https://www.x41-dsec.de/lab/advisories/x41-2017-004-tnef/


Summary and Impact
------------------
Multiple Integer Overflows, Type Confusions and Out of Bounds Reads and
Writes have been discovered in tnef 1.4.12 and earlier. These could
be exploited by tricking a user into opening a malicious winmail.dat file.


Product Description
-------------------
From the Readme.md:
TNEF is a program for unpacking MIME attachments of type
"application/ms-tnef". This is a Microsoft only attachment. Due to the
proliferation of Microsoft Outlook and Exchange mail servers, more and
more mail is encapsulated into this format. The TNEF program allows one
to unpack the attachments which were encapsulated into the TNEF
attachment. Thus alleviating the need to use Microsoft Outlook to view
the attachment. TNEF is mainly tested and used on GNU/Linux and CYGWIN
systems. It 'should' work on other UNIX and UNIX-like systems.



Integer Overflows in Memory Allocator
=====================================
Severity Rating: High
Vector: Local
CVE: Not yet assigned
CVSS Score: 7.0
CVSS Vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Summary and Impact
------------------
Several Integer Overflows, which can lead to Heap Overflows, have been
identified in the functions that wrap memory allocation.

Workarounds
-----------
None. X41 D-Sec GmbH recommends updating to the latest version.
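
The bug class named in this section, as an added example that is not tnef's code and not part of the advisory: an allocation wrapper that multiplies an element count by an element size without a check, next to a checked version. All function names and the sample count are hypothetical.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Unchecked pattern: the product is computed in size_t and wraps silently,
 * so the buffer ends up far smaller than the element count implies. */
static size_t unchecked_alloc_size(size_t num, size_t size)
{
    return num * size;
}

/* Stores num * size in *out and returns 0, or returns -1 on overflow. */
static int checked_mul(size_t num, size_t size, size_t *out)
{
    if (size != 0 && num > SIZE_MAX / size)
        return -1;
    *out = num * size;
    return 0;
}

/* Hardened wrapper: refuses the request instead of under-allocating. */
static void *checked_alloc_array(size_t num, size_t size)
{
    size_t total;

    if (checked_mul(num, size, &total) != 0) {
        errno = ENOMEM;
        return NULL;
    }
    return malloc(total ? total : 1); /* avoid malloc(0) ambiguity */
}

int main(void)
{
    /* Constructed input: an element count chosen so that count * 4 wraps. */
    size_t count = SIZE_MAX / 4 + 2;
    void *p = checked_alloc_array(count, 4);

    printf("unchecked size for %zu elements: %zu bytes\n",
           count, unchecked_alloc_size(count, 4));
    printf("checked wrapper returned %s\n", p ? "a buffer" : "NULL");
    free(p);
    return 0;
}
```

Callers of the checked wrapper must treat a NULL return as a parse failure for the file rather than retrying with a smaller size.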



Type Confusion in src/tnef.c:parse_file()
=========================================
Severity Rating: High
Vector: Local
CVE: Not yet assigned
CVSS Score: 7.0
CVSS Vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Summary and Impact
------------------
Two type confusions have been identified in the parse_file() function.
These might lead to invalid read and write operations, controlled by an
attacker.

Workarounds
-----------
None. X41 D-Sec GmbH recommends updating to the latest version.



OOB Writes in src/mapi_attr.c:mapi_attr_read()
==============================================
Severity Rating: High
Vector: Local
CVE: Not yet assigned
CVSS Score: High
CVSS Vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Summary and Impact
------------------
Two OOB Writes have been identified in src/mapi_attr.c:mapi_attr_read().
These might lead to invalid read and write operations, controlled by an
attacker.

Workarounds
-----------
None. X41 D-Sec GmbH recommends updating to the latest version.


Type Confusion in src/file.c:file_add_mapi_attrs()
==================================================
Severity Rating: High
Vector: Local
CVE: Not yet assigned
CVSS Score: 7.0
CVSS Vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Summary and Impact
------------------
Four type confusions have been identified in the file_add_mapi_attrs()
function. These might lead to invalid read and write operations,
controlled by an attacker.

Workarounds
-----------
None. X41 D-Sec GmbH recommends updating to the latest version.


About X41 D-Sec GmbH
--------------------
X41 D-Sec is a provider of application security services. We focus on
application code reviews, design review and security testing. X41 D-Sec
GmbH was founded in 2015 by Markus Vervier. We support customers in
various industries such as finance, software development and public
institutions.

Timeline
--------
2017-02-17 Issue found
2017-02-19 Vendor contacted
2017-02-20 CVE IDs requested
2017-02-21 Vendor Reply
2017-02-23 Vendor releases patched version
2017-02-23 Advisory released

--
X41 D-SEC GmbH, Dennewartstr. 25-27, D-52068 Aachen
T: +49 241 9809418-0, Fax: -9
Registered office: Aachen, District Court Aachen: HRB19989
Managing Director: Markus Vervier




