<<< Date Index >>>     <<< Thread Index >>>

[ECHO_ADV_42$2006] BufferOverflow in Eremove Client



\_   _____/\_   ___ \ /   |   \\_____  \
 |    __)_ /    \  \//    ~    \/   |   \
 |        \\     \___\    Y    /    |    \
/_______  / \______  /\___|_  /\_______  /
        \/         \/       \/         \/

                                        .OR.ID
ECHO_ADV_42$2006

---------------------------------------------------------------------------
[ECHO_ADV_42$2006] BufferOverflow in Eremove Client
---------------------------------------------------------------------------

Author       : Dedi Dwianto
Date         : Aug, 01st 2006
Location     : Indonesia, Jakarta
Web          : http://advisories.echo.or.id/adv/adv42-theday-2006.txt
Exploitation : Local 
Critical Lvl : High
---------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Application : Eremove
version     : 1.4
URL         : http://eremove.sourceforge.net/
Description :
Eremove is a simple application for linux, based on GTK, for logging into 
a POP3 mail account, quickly seeing a summary of everything that is there 
waiting for you, and previewing/deleteing some or all of those emails 
painlessly.

---------------------------------------------------------------------------

Vulnerability:
~~~~~~~~~~~~~~~~
The function priview_create  used by Eremove  is affected by a buffer-overflow
vulnerability which happens when it tries to store the exceeding data
available in the input email in the message_body  buffer of only 65534 bytes.

------------------gui.cpp-----------------------------
.....
gint preview_create (int message_num) {
        ...
        GtkWidget       *hbox;
        GtkWidget       *vscrollbar;
        char            *tmp_pntr;
        char            tmp_str[255];
        char            buf[65534];
        char            message_body[65534];
        gint            i;
        ...
                }
        if (!find_header_field("Date", buf, &date)) {
                date = (char *) malloc(strlen("unspecified")*sizeof(char));
                strcpy(date, "unspecified");
        }
        strcpy(message_body, buf);
        ...
----------------------------------------------------------

POC:
~~~~
Send EMail with Attachment more than 100 KB
and Openwith eremove.
Eremove will be crash.
---------------------------------------------------------------------------
Shoutz:
~~~~~~~

~ y3dips,moby,comex,z3r0byt3,K-159,c-a-s-e,S`to,lirva32,anonymous
~ My Lovely Jessy
~ newbie_hacker@xxxxxxxxxxxxxxx
~ #aikmel #e-c-h-o @irc.dal.net
~ SUPPORT PALESTINE & LEBANON
---------------------------------------------------------------------------
Contact:
~~~~~~~~

     Dedi Dwianto || echo|staff || the_day[at]echo[dot]or[dot]id
     Homepage: http://theday.echo.or.id/

-------------------------------- [ EOF ] ----------------------------------