-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Netragard has updated this advisory with new information provided by the vendor. This advisory has been updated. ******************** Netragard, L.L.C Advisory* ******************* Strategic Reconnaissance Team ------------------------------------------------ http://www.netragard.com -- "We make I.T. Safe." [About Netragard] - ---------------------------------------------------------------------- Netragard is a unique I.T. Security company whose services are fortified by continual vulnerability research and development. This ongoing research, which is performed by our Strategic Reconnaissance Team, specifically focuses on Operating Systems, Software Products and Web Applications commonly used by businesses internationally. We apply the knowledge gained by performing this research to our professional security services. This in turn enables us to produce high quality deliverables that are the product of talented security professionals and not those of automated scanners and tools. This advisory is the product of research done by the Strategic Reconnaissance Team. [Official URL] - ------------- http://www.netragard.com/pdfs/research/HP-TRU64-DTMAIL-20060810.txt [Advisory Information] - ---------------------------------------------------------------------- Contact : Adriel T. Desautels Advisory ID : NETRAGARD-20060810 Product Name : dtmail Product Version : Vendor Name : Hewlet Packard Criticality : Local Root Compromise Effort : Easy Operating System : HP Tru64 UNIX 5.1B-3 HP Tru64 UNIX 5.1B-2/PK4 HP Tru64 UNIX 5.1A PK6 HP Tru64 UNIX 4.0G PK4 HP Tru64 UNIX 4.0F PK8 HP-UX B.11.23 HP-UX B.11.11 HP-UX B.11.00 Type : Unchecked Buffer [Product Description] - ---------------------------------------------------------------------- The dtmail program is a desktop mail application. It provides an easy to use interface for viewing, filing, composing and sending electronic mail folders and mail messages. dtmail provides a GUI-based interface for manipulating electronic mail messages that can have attachments. Use the interface to compose a message, view a message or a folder containing messages, load new mail ,copy or move messages from one folder to another, delete messages, reply to messages, add and delete attachments to a message when composing, and view the contents of attachments in a message. dtmail also supplies a mail-pervasive desktop environment by providing a public Tooltalk API that other clients can use to compose and send messages. You can use dtmail as a Post Office Protocol (POP) to connect to mail servers offering POP services. If you choose this option, you can also select APOP authentication (if supported by your mail server) to encrypt your user ID and password during communications with your network mail server. [Technical Summary] - ---------------------------------------------------------------------- dtmail suffers from a buffer overflow vulnerability which could result in the execution of arbitrary code. More specifically this vulnerability is triggered when using -a flag: -a file1 ...fileN Bring up a Compose window with file1 through fileN as attachments. [Technical Details] - ---------------------------------------------------------------------- This was tested against tru64 version 5.1b using a system (a working display is required). The following gdb output demonstrates the vulnerability. gdb) r -a -a `perl -e 'print "A" x 9000'` Starting program: /cluster/members/member0/tmp/dtmail -a `perl -e 'print "A"x 9000'` (no debugging symbols found)...(no debugging symbols found)... (no debugging symbols found)...(no debugging symbols found)... (no debugging symbols found)...(no debugging symbols found)... (no debugging symbols found)...(no debugging symbols found)... (no debugging symbols found)...(no debugging symbols found)... (no debugging symbols found)...(no debugging symbols found)... (no debugging symbols found)...(no debugging symbols found)... (no debugging symbols found)...(no debugging symbols found)... (no debugging symbols found)...(no debugging symbols found)... Program received signal SIGSEGV, Segmentation fault. warning: Hit heuristic-fence-post without finding warning: enclosing function for address 0x4141414141414140 This warning occurs if you are debugging a function without any symbols (for example, in a stripped executable). In that case, you may wish to increase the size of the search with the `set heuristic- fence-post' command. Otherwise, you told GDB there was a function where there isn't one, or (more likely) you have encountered a bug in GDB. 0x4141414141414140 in ?? () [Proof of Concept] - ---------------------------------------------------------------------- Undisclosed. [Vendor Status] - ---------------------------------------------------------------------- HP has released patches for this issue. Please see the vendor notices for both HP-UX and Tru64 below. HP-UX: - ------ http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00793091 Tru64: - ------ http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00793805 [ For more information please visit http://www.netragard.com ] [Disclaimer] - ---------------------http://www.netragard.com------------------------- Netragard, L.L.C. assumes no liability for the use of the information provided in this advisory. This advisory was released in an effort to help the I.T. community protect its self against a potentially dangerous security risk. This advisory is not an attempt to solicit business. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3 (Darwin) iD8DBQFFOPvPQwbn1P9Iaa0RAnFuAJ9t4q/sa24To+nXe/9+72g5ed2MqACghwjI 540TXTNCL+uId3sfjq8iaiI= =lbYF -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/