
gaucho140.html
Posted Aug 26, 2004
Authored by Tan Chew Keong | Site security.org.sg

Gaucho version 1.4 Build 145 is vulnerable to a buffer overflow when receiving malformed emails from a POP3 server. This vulnerability is triggered if Gaucho receives, from the POP3 server, a specially crafted email that has an abnormally long string in the Content-Type field of the email header. This string will overwrite EIP via SEH, and can be exploited to execute arbitrary code.

tags | advisory, overflow, arbitrary
SHA-256 | bad2f2ceea309c37340f7b2126c6ee4bfceb4e9ad6e52b92245fda99089f03fc

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>SIG^2 G-TEC - Gaucho 1.4 Email Client has Buffer Overflow Vulnerability when Receiving Email Headers with Abnormally Long Content-Type Field</title>
</head>
<body>
<span class="headertext">SIG^2 Vulnerability Research Advisory</span>
<p/>
<span class="headertext"><h1>Gaucho 1.4 Email Client has Buffer Overflow Vulnerability when Receiving Email Headers with Abnormally Long Content-Type Field</h1></span>
by Tan Chew Keong<br>
Release Date: 23 Aug 2004<br>
<p>
<span class="headertext">Summary</span><br>
<br>
<a href="http://homepage1.nifty.com/nakedsoft/">Gaucho</a>
is an email client developed by NakedSoft for Microsoft Windows platforms. Gaucho supports SMTP, POP3 and
other email delivery protocols. Gaucho version 1.4 Build 145 is vulnerable to a buffer overflow when receiving
malformed emails from a POP3 server. This vulnerability is triggered if Gaucho receives, from the POP3 server, a specially
crafted email that has an abnormally long string in the <b>Content-Type</b> field of the email header. This string will
overwrite EIP via SEH, and can be exploited to execute arbitrary code.
<p>&nbsp;<br>
<span class="headertext">Tested System</span><br>
<br>
Gaucho 1.4 Build 145 on English Win2K SP4
<p>&nbsp;<br>
<span class="headertext">Details</span><br>
<br>
Gaucho version 1.4 Build 145 is vulnerable to a buffer overflow when receiving malformed emails from a POP3 server.
This vulnerability is triggered if Gaucho receives, from the POP3 server, a specially crafted email that has an abnormally
long string in the <b>Content-Type</b> field of the email header. This string will overwrite EIP via SEH,
and can be exploited to execute arbitrary code. A sample email that will trigger the overflow is shown
below.
<p>
<div class="codeBlk">
<code><pre>
Date: Mon, 09 Aug 2004 19:44:13 +0800
Subject: Testing
To: a@aaaaaa.xxx
From: XX <xx@xxxxxxxx.xxx.xx>
Message-ID: <GM109205179359A000.b76.xx@xxxxxxxx.xxx.xx>
MIME-Version: 1.0
Content-Type: <b><font color="#ff0000">AAAAAAAAAAAAA[approx. 280 chars]...</font></b>; charset=US-ASCII
Content-Transfer-Encoding: 7bit
X-Mailer: Gaucho Version 1.4.0 Build 145

Testing
.
</pre></code>
</div>
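<p>
A bounded header parse, added here as an example and not taken from Gaucho or the advisory's proof-of-concept: it measures the Content-Type value before copying it and rejects a value that would not fit, which is the check whose absence produces the overflow described above. The 256-byte buffer size, the function names and the sample messages are assumptions; the advisory only says that roughly 280 characters trigger the bug.

```c
#include <string.h>

#define CT_BUF_SIZE 256 /* assumed; the advisory only says ~280 bytes overflow the real buffer */

/* Find header `name` (exact case, for brevity) in a raw header block with CRLF
 * or LF endings. Returns a pointer into msg and the value length in *len, or
 * NULL if absent. Nothing is copied, so the length is known before any write. */
static const char *find_header(const char *msg, const char *name, size_t *len)
{
    size_t nlen = strlen(name);
    for (const char *line = msg; *line;) {
        const char *eol = strpbrk(line, "\r\n");
        size_t llen = eol ? (size_t)(eol - line) : strlen(line);
        if (llen == 0) break;                 /* blank line ends the headers */
        if (llen > nlen && line[nlen] == ':' && strncmp(line, name, nlen) == 0) {
            const char *v = line + nlen + 1;
            while (v < line + llen && (*v == ' ' || *v == '\t')) v++;
            *len = (size_t)(line + llen - v);
            return v;
        }
        if (!eol) break;
        line = eol + ((eol[0] == '\r' && eol[1] == '\n') ? 2 : 1);
    }
    return NULL;
}

/* Hardened copy: the value length is checked against `outsz` first and an over-long
 * value is rejected (-2) rather than written past `out`. 0 = ok, -1 = header absent. */
int copy_content_type(const char *msg, char *out, size_t outsz)
{
    size_t len;
    const char *v = find_header(msg, "Content-Type", &len);
    if (!v) return -1;
    if (len >= outsz) return -2;
    memcpy(out, v, len);
    out[len] = '\0';
    return 0;
}

/* Constructed samples (not the advisory's PoC): a benign Content-Type or, when
 * `overlong` is set, a 280-byte value like the one the advisory describes. */
int sample_result(int overlong)
{
    char msg[400] = "MIME-Version: 1.0\r\nContent-Type: ", ct[CT_BUF_SIZE];
    if (overlong) memset(msg + strlen(msg), 'A', 280); else strcat(msg, "text/plain");
    strcat(msg, "; charset=US-ASCII\r\n\r\nTesting\r\n");
    return copy_content_type(msg, ct, sizeof ct);   /* 0 = copied, -2 = rejected */
}
```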
<p>
The following Ollydbg screen capture shows that the EIP was overwritten when an abnormally long string was
supplied with the Content-Type email header.
<p>&nbsp;<br>
<img src="gaucho140.jpg">
<p>&nbsp;<br>
<span class="headertext">POC Exploit</span><br>
<br>
Proof-of-concept code to validate this vulnerability can be downloaded <a href="gaucho140poc.cpp">here</a>.
<p>&nbsp;<br>
<span class="headertext">Patch</span><br>
<br>
The author has fixed the vulnerability in Version 1.4 <a href="http://homepage1.nifty.com/nakedsoft/Gaucho/Gaucho14.html">
Build 151</a>. Users are advised to upgrade to the fixed version.
<p>&nbsp;<br>
<span class="headertext">Disclosure Timeline</span><br>
<br>
09 Aug 04 - Vulnerability Discovered<br>
10 Aug 04 - Initial Vendor Notification (no reply)<br>
12 Aug 04 - Second Vendor Notification<br>
14 Aug 04 - Author replied with fixed version<br>
23 Aug 04 - Public Release<br>
<p>&nbsp;</p>
<span class="headertext">Contacts</span><br>
<br>
For further questions and enquiries, email the following.
<p />
Overall-in-charge: <a href="mailto:%63%68%65%77%6b%65%6f%6e%67%40%73%65%63%75%72%69%74%79%2E%6F%72%67%2E%73%67">Tan Chew Keong</a>
<p />

<p>

<P><BR>
<span class="footnote">Updated: 23/8/2004</span><BR>
<A href="mailto:%77%65%62%6D%61%73%74%65%72%40%73%65%63%75%72%69%74%79%2E%6F%72%67%2E%73%67" class="smallblackText">webmaster@security.org.sg</A></P>
</body>
</html>
