metamail format string bugs and buffer overflows


PROGRAM: metamail
VENDOR: Bell Communications Research, Inc. (Bellcore)
DOWNLOAD URLs: ftp://thumper.bellcore.com/pub/nsb/
               http://ftp.funet.fi/pub/unix/mail/metamail/
VULNERABLE VERSIONS: 2.2, 2.4, 2.5, 2.6, 2.7, possibly others
IMMUNE VERSIONS: 2.7 with my patch applied
REFERENCES: CAN-2004-0104 (format string bugs)
            CAN-2004-0105 (buffer overflows)


* DESCRIPTION *


"Metamail is an implementation of MIME, the Multipurpose Internet
Mail Extensions, a proposed standard for multimedia mail on the
Internet. Metamail implements MIME, and also implements extensibility
and configuration via the "mailcap" mechanism described in an
informational RFC that is a companion to the MIME document."

"In general, users will never run metamail directly. Instead,
metamail will be invoked for the user automatically by the user's
mail reading program, whenever a non-text message is to be viewed."

(quoted from the program's documentation)

metamail is one of the packages or ports in SUSE Linux, Debian
GNU/Linux, Slackware Linux, Mandrake Linux, Gentoo Linux, Turbolinux,
PLD Linux, FreeBSD, NetBSD, OpenBSD and old versions of Red Hat
Linux, among others.

There are several newsreaders (tin, slrn, nn), mailreaders (elm)
and antivirus programs (antimime, older versions of AMaViS) that
pass MIME messages from the network directly to metamail.


* SUMMARY *


I have found two format string bugs and two buffer overflows in
metamail.


* TECHNICAL DETAILS *


The first format string bug occurs when a message has a
"multipart/alternative" media type and one of the body parts has a
"Content-Type" header with parameter names or values containing
formatting codes. It occurs because of two bad fprintf() statements
in the function SaveSquirrelFile() - yes, it's really called that -
in metamail.c. The file "testmail1" gives an example of this problem.

The second format string bug occurs when a message has encoded
non-ASCII characters in the mail headers (as described in RFC 2047),
an unknown encoding, and encoded text containing formatting codes. It
is caused by a bad printf() statement in the function PrintHeader()
in metamail.c. An example of this problem can be found in the file
"testmail2".

The first buffer overflow occurs when a message has encoded non-ASCII
characters in the mail headers and the part that names a character
set is overly long. The root of this problem is a bad strcpy()
statement in the function PrintHeader() in metamail.c. An example
of this can be found in the file "testmail3".

The second buffer overflow doesn't occur in the metamail executable,
but in the splitmail executable that's generated when you compile the
metamail package. This overflow occurs when a message has an overly
long Subject header. It is caused by a bad strcpy() statement in
the function ShareThisHeader() in splitmail.c. An example can be
found in the "testmail4.splitmail" file.


* PATCH AND TEST MESSAGES *


I have attached metamail.advisory-data.tar.gz, which contains the
four test messages mentioned above, as well as a patch that corrects
all four issues. The patch is diff'ed against version 2.7.

In case your system administrator doesn't like .tar.gz attachments,
I have also made this file available for downloading at
http://labben.abm.uu.se/~ulha9485/metamail.advisory-data.tar.gz


* TIMELINE *


metamail is unmaintained, so I contacted the vendor-sec list instead.

7 feb: the vendor-sec list (vendor-sec@lst.de) was contacted
9 feb: a coordinated release date was agreed upon
Friday 13 feb (the day of the W2K source leak): CAN references
were posted
18 feb: Slackware released their advisory and updates
18 feb: I release this advisory


* 31337 IRC KIDDIES *


K: "w0w d00d y4 ph0und b0th buphph3r 0v3rphl0wzZz 4nd ph0rm4t
zZztr1ng bugzZz 1n m3t4m41l!!!! buphph3r 0v3rphl0wzZz (th3 0nly
r34l s3cur1ty h0l3) 4r3 d4 k00l3zZzt but ph0rm4t zZztr1ng bugzZz
(th3 0th3r r34l s3cur1ty h0l3) 4r3 r33ly k00l 4zZzw3ll!!!! d0 y4
w4nn4 j01n 0ur h4ck3r gr0up 'h4ck3rzZz phr0m h3ll'??? w3 h4v3 4ll
th3 l4t3zZzt w1nd0wzZz w4r3zZz 4nd w3 h4v3 4 pr3s3nc3 0n 1rc phr0m
6 4m unt1l m1dn1ght c0z 0n3 0ph 0ur m3mb3rzZz' p4r3ntzZz l3t h1m
st4y up l4t3!!!11!1!!!1!!!"

U: "Virgin."


// Ulf Harnhammar
   kses - PHP HTML/XHTML filter (no XSS)
   http://sourceforge.net/projects/kses