exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Netragard Security Advisory 2006-08-10

Netragard Security Advisory 2006-08-10
Posted Oct 24, 2006
Authored by Netragard | Site netragard.com

Netragard, L.L.C Advisory NETRAGARD-20060810 (UPDATE): dtmail suffers from a buffer overflow vulnerability which could result in the execution of arbitrary code. More specifically this vulnerability is triggered when using -a flag:

tags | advisory, overflow, arbitrary
SHA-256 | cb88802b1e79a6bd8af6ec797980b6a411c718a0a876e8bd52cf03e206da577d

Netragard Security Advisory 2006-08-10

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Netragard has updated this advisory with new information provided
by the vendor. This advisory has been updated.


******************** Netragard, L.L.C Advisory* *******************

Strategic Reconnaissance Team
------------------------------------------------
http://www.netragard.com -- "We make I.T. Safe."




[About Netragard]
- ----------------------------------------------------------------------
Netragard is a unique I.T. Security company whose services are fortified
by continual vulnerability research and development. This ongoing
research, which is performed by our Strategic Reconnaissance
Team, specifically focuses on Operating Systems, Software Products and
Web Applications commonly used by businesses internationally. We apply
the knowledge gained by performing this research to our professional
security services. This in turn enables us to produce high quality
deliverables that are the product of talented security professionals and
not those of automated scanners and tools. This advisory is the product
of research done by the Strategic Reconnaissance Team.




[Official URL]
- -------------
http://www.netragard.com/pdfs/research/HP-TRU64-DTMAIL-20060810.txt




[Advisory Information]
- ----------------------------------------------------------------------
Contact : Adriel T. Desautels
Advisory ID : NETRAGARD-20060810
Product Name : dtmail
Product Version : <see operating system>
Vendor Name : Hewlet Packard
Criticality : Local Root Compromise
Effort : Easy
Operating System : HP Tru64 UNIX 5.1B-3
HP Tru64 UNIX 5.1B-2/PK4
HP Tru64 UNIX 5.1A PK6
HP Tru64 UNIX 4.0G PK4
HP Tru64 UNIX 4.0F PK8
HP-UX B.11.23
HP-UX B.11.11
HP-UX B.11.00
Type : Unchecked Buffer


[Product Description]
- ----------------------------------------------------------------------
The dtmail program is a desktop mail application. It provides an easy
to use interface for viewing, filing, composing and sending
electronic mail folders and mail messages.

dtmail provides a GUI-based interface for manipulating electronic mail
messages that can have attachments. Use the interface to compose a
message, view a message or a folder containing messages, load new mail
,copy or move messages from one folder to another, delete messages,
reply to messages, add and delete attachments to a message when
composing, and view the contents of attachments in a message. dtmail
also supplies a mail-pervasive desktop environment by providing a
public Tooltalk API that other clients can use to compose and send
messages.

You can use dtmail as a Post Office Protocol (POP) to connect to mail
servers offering POP services. If you choose this option, you can
also select APOP authentication (if supported by your mail server) to
encrypt your user ID and password during communications with your
network mail server.




[Technical Summary]
- ----------------------------------------------------------------------
dtmail suffers from a buffer overflow vulnerability which could result
in the execution of arbitrary code. More specifically this
vulnerability is triggered when using -a flag:

-a file1 ...fileN

Bring up a Compose window with file1 through fileN as
attachments.




[Technical Details]
- ----------------------------------------------------------------------
This was tested against tru64 version 5.1b using a system (a working
display is required). The following gdb output demonstrates the
vulnerability.

gdb) r -a -a `perl -e 'print "A" x 9000'`
Starting program: /cluster/members/member0/tmp/dtmail -a `perl -e
'print "A"x 9000'`
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...

Program received signal SIGSEGV, Segmentation fault.
warning: Hit heuristic-fence-post without finding
warning: enclosing function for address 0x4141414141414140
This warning occurs if you are debugging a function without any
symbols (for example, in a stripped executable). In that case, you
may wish to increase the size of the search with the `set heuristic-
fence-post' command.

Otherwise, you told GDB there was a function where there isn't one, or
(more likely) you have encountered a bug in GDB.
0x4141414141414140 in ?? ()




[Proof of Concept]
- ----------------------------------------------------------------------
Undisclosed.




[Vendor Status]
- ----------------------------------------------------------------------
HP has released patches for this issue. Please see the vendor notices
for both HP-UX and Tru64 below.

HP-UX:
- ------
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00793091

Tru64:
- ------
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00793805





[ For more information please visit http://www.netragard.com ]



[Disclaimer]
- ---------------------http://www.netragard.com-------------------------
Netragard, L.L.C. assumes no liability for the use of the information
provided in this advisory. This advisory was released in an effort to
help the I.T. community protect its self against a potentially
dangerous security risk. This advisory is not an attempt to solicit
business.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (Darwin)

iD8DBQFFOPvPQwbn1P9Iaa0RAnFuAJ9t4q/sa24To+nXe/9+72g5ed2MqACghwjI
540TXTNCL+uId3sfjq8iaiI=
=lbYF
-----END PGP SIGNATURE-----

Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close