Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:3721
HistoryNov 08, 2002 - 12:00 a.m.

Remote pine Denial of Service

2002-11-0800:00:00
vulners.com
10
JSON
                       Security Advisory

                       23rd October 2002

       Remote pine version 4.44 denial of service

Name: Pine version 4.44
Arch: Redhat 7.2 i386
Severity: Medium
Vendor URL: http://www.washington.edu/pine/
Author: Linus Sjöberg ([email protected])
Vendor notified: 14:th October 2002
Vendor response: 14:th October 2002
Vendor fix: ???

Impact: An attacker can send a fully legal email message with a crafted
From-header and thus forcing pine to core dump on startup.
The only way to launch pine is manually removing the bad message
either directly from the spool, or from another MUA. Until the
message has been removed or edited there is no way of accessing
the INBOX using pine.

Description

When pine detects an email with a From-header looking like
From:
"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\""@host.fubar
it will die with a segmentation fault. Note that the address is fully
legal, even if quite unusable.

When i reproduced the problem with a pine running within gdb I got the
following backtrack:
#0 0x401ea490 in chunk_free (ar_ptr=0x4029e300, p=0x83b65d8) at
malloc.c:3231
#1 0x401ea3f4 in __libc_free (mem=0x83b65e0) at malloc.c:3154
#2 0x081ef8e2 in fs_give (block=0xbfffb9b8) at fs_unix.c:60
#3 0x080feb4f in set_index_addr
(idata=0xbfffc8c0, field=0x83012d8 "From",
addr=0x83b6160, prefix=0x0, width=18,
s=0xbfffbd11
"\"\\\"\\\"\\\"\\\"\\\"\\\"\\\"\\\"\\\b`´:\bX½^?¿ïø\036\b")
at mailindx.c:4508
#4 0x080fb397 in format_index_line (idata=0xbfffc8c0) at mailindx.c:3376
#5 0x080f9ec4 in build_header_line (state=0x839f260, stream=0x83aba88,
msgmap=0x83a17b0, msgno=40) at mailindx.c:2761
#6 0x080f71e3 in update_index (state=0x839f260, screen=0xbfffcb90)
at mailindx.c:1264
#7 0x080f576c in index_lister (state=0x839f260, cntxt=0x83a8d28,
folder=0x839f325 "INBOX", stream=0x83aba88, msgmap=0x83a17b0)
at mailindx.c:603
#8 0x080f5347 in mail_index_screen (state=0x839f260) at mailindx.c:452
#9 0x081588e6 in main (argc=1, argv=0xbfffddc4) at pine.c:1122
#10 0x40185657 in __libc_start_main (main=0x8156974 <main>, argc=1,
ubp_av=0xbfffddc4, init=0x804ab28 <_init>, fini=0x8225c70 <_fini>,
rtld_fini=0x4000dcd4 <_dl_fini>, stack_end=0xbfffddbc)
at …/sysdeps/generic/libc-start.c:129

Since pine dumped core it might be possible to execute code on the victims
machine, but since I am not into those kind of games I leave that part for
others to find out.

The possibility of locking somebody out from his email is important enough
for an advisory+update IMHO.

Fix Information

Washington University replied to my posting within a few hours and
reported that the issue was to be fixed in version 4.50. They have not yet
made such a version publicly available after 1&#189; month, so I have chosen to
go public with this advisory even if there is no patch yet available.

JSON