[ECHO_ADV_42$2006] BufferOverflow in Eremove Client
\_ _____/\_ ___ \ / | \\_____ \
| __)_ / \ \// ~ \/ | \
| \\ \___\ Y / | \
/_______ / \______ /\___|_ /\_______ /
\/ \/ \/ \/
.OR.ID
ECHO_ADV_42$2006
---------------------------------------------------------------------------
[ECHO_ADV_42$2006] BufferOverflow in Eremove Client
---------------------------------------------------------------------------
Author : Dedi Dwianto
Date : Aug, 01st 2006
Location : Indonesia, Jakarta
Web : http://advisories.echo.or.id/adv/adv42-theday-2006.txt
Exploitation : Local
Critical Lvl : High
---------------------------------------------------------------------------
Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Application : Eremove
version : 1.4
URL : http://eremove.sourceforge.net/
Description :
Eremove is a simple application for linux, based on GTK, for logging into
a POP3 mail account, quickly seeing a summary of everything that is there
waiting for you, and previewing/deleteing some or all of those emails
painlessly.
---------------------------------------------------------------------------
Vulnerability:
~~~~~~~~~~~~~~~~
The function priview_create used by Eremove is affected by a buffer-overflow
vulnerability which happens when it tries to store the exceeding data
available in the input email in the message_body buffer of only 65534 bytes.
------------------gui.cpp-----------------------------
.....
gint preview_create (int message_num) {
...
GtkWidget *hbox;
GtkWidget *vscrollbar;
char *tmp_pntr;
char tmp_str[255];
char buf[65534];
char message_body[65534];
gint i;
...
}
if (!find_header_field("Date", buf, &date)) {
date = (char *) malloc(strlen("unspecified")*sizeof(char));
strcpy(date, "unspecified");
}
strcpy(message_body, buf);
...
----------------------------------------------------------
POC:
~~~~
Send EMail with Attachment more than 100 KB
and Openwith eremove.
Eremove will be crash.
---------------------------------------------------------------------------
Shoutz:
~~~~~~~
~ y3dips,moby,comex,z3r0byt3,K-159,c-a-s-e,S`to,lirva32,anonymous
~ My Lovely Jessy
~ newbie_hacker@xxxxxxxxxxxxxxx
~ #aikmel #e-c-h-o @irc.dal.net
~ SUPPORT PALESTINE & LEBANON
---------------------------------------------------------------------------
Contact:
~~~~~~~~
Dedi Dwianto || echo|staff || the_day[at]echo[dot]or[dot]id
Homepage: http://theday.echo.or.id/
-------------------------------- [ EOF ] ----------------------------------