X41 D-Sec GmbH Security Advisory: X41-2017-004 Multiple Vulnerabilities in tnef ================================ Overview -------- Confirmed Affected Versions: 1.4.12 and earlier Confirmed Patched Versions: Vendor: verdammelt Vendor URL: https://github.com/verdammelt/tnef/ Vector: File Credit: X41 D-Sec GmbH, Eric Sesterhenn Status: Public Advisory-URL: https://www.x41-dsec.de/lab/advisories/x41-2017-004-tnef/ Summary and Impact ------------------ Multiple Integer Overflows, Type Confusions and Out of Band Reads and Writes have been discovered in tnef 1.4.12 and earlier. These could be exploited by tricking a user into opening a malicious winmail.dat file. Product Description ------------------- From the Readme.md: TNEF is a program for unpacking MIME attachments of type "application/ms-tnef". This is a Microsoft only attachment. Due to the proliferation of Microsoft Outlook and Exchange mail servers, more and more mail is encapsulated into this format. The TNEF program allows one to unpack the attachments which were encapsulated into the TNEF attachment. Thus alleviating the need to use Microsoft Outlook to view the attachment. TNEF is mainly tested and used on GNU/Linux and CYGWIN systems. It 'should' work on other UNIX and UNIX-like systems. Integer Overflows in Memory Allocator ===================================== Severity Rating: High Vector: Local CVE: Not yet assigned CVSS Score: 7.0 CVSS Vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H Summary and Impact ------------------ Several Integer Overflows, which can lead to Heap Overflows have been identified in the functions, which wrap memory allocation. Workarounds ----------- None, X41 D-Sec GmbH recommends to update to the latest version. Type Confusion in src/tnef.c:parse_file() ========================================= Severity Rating: High Vector: Local CVE: Not yet assigned CVSS Score: 7.0 CVSS Vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H Summary and Impact ------------------ Two type confusions have been identified in the parse_file() function. These might lead to invalid read and write operations, controlled by an attacker. Workarounds ----------- None, X41 D-Sec GmbH recommends to update to the latest version. OOB Writes in src/mapi_attr.c:mapi_attr_read() ============================================== Severity Rating: High Vector: Local CVE: Not yet assigned CVSS Score: High CVSS Vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H Summary and Impact ------------------ Two OOB Writes have been identified in src/mapi_attr.c:mapi_attr_read(). These might lead to invalid read and write operations, controlled by an attacker. Workarounds ----------- None, X41 D-Sec GmbH recommends to update to the latest version. Type Confusion in src/file.c:file_add_mapi_attrs() ================================================== Severity Rating: High Vector: Local CVE: Not yet assigned CVSS Score: 7.0 CVSS Vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H Summary and Impact ------------------ Four type confusions have been identified in the file_add_mapi_attrs() function. These might lead to invalid read and write operations, controlled by an attacker. Workarounds ----------- None, X41 D-Sec GmbH recommends to update to the latest version. About X41 D-Sec GmbH -------------------- X41 D-Sec is a provider of application security services. We focus on application code reviews, design review and security testing. X41 D-Sec GmbH was founded in 2015 by Markus Vervier. We support customers in various industries such as finance, software development and public institutions. Timeline -------- 2017-02-17 Issue found 2017-02-19 Vendor contacted 2017-02-20 CVE IDs requested 2017-02-21 Vendor Reply 2017-02-23 Vendor releases patched version 2017-02-23 Advisory released -- X41 D-SEC GmbH, Dennewartstr. 25-27, D-52068 Aachen T: +49 241 9809418-0, Fax: -9 Unternehmenssitz: Aachen, Amtsgericht Aachen: HRB19989 GeschA$?ftsfA1/4hrer: Markus Vervier