AOH :: HP Unsorted B :: B06-4046.HTM

Eremove Client Buffer overflow



BufferOverflow in Eremove Client
BufferOverflow in Eremove Client



\_   _____/\_   ___ \ /   |   \\_____  \
 |    __)_ /    \  \//    ~    \/   |   \
 |        \\     \___\    Y    /    |    \
/_______  / \______  /\___|_  /\_______  /
        \/         \/       \/         \/

                                        .OR.ID
ECHO_ADV_42$2006

---------------------------------------------------------------------------
[ECHO_ADV_42$2006] BufferOverflow in Eremove Client
---------------------------------------------------------------------------

Author       : Dedi Dwianto
Date         : Aug, 01st 2006
Location     : Indonesia, Jakarta
Web : http://advisories.echo.or.id/adv/adv42-theday-2006.txt
Exploitation : Local
Critical Lvl : High
---------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Application : Eremove
version     : 1.4
URL : http://eremove.sourceforge.net/
Description :
Eremove is a simple application for linux, based on GTK, for logging into
a POP3 mail account, quickly seeing a summary of everything that is there
waiting for you, and previewing/deleteing some or all of those emails painlessly.

---------------------------------------------------------------------------

Vulnerability:
~~~~~~~~~~~~~~~~
The function priview_create  used by Eremove  is affected by a buffer-overflow
vulnerability which happens when it tries to store the exceeding data
available in the input email in the message_body  buffer of only 65534 bytes.

------------------gui.cpp-----------------------------
.....
gint preview_create (int message_num) {
        ...
        GtkWidget       *hbox;
        GtkWidget       *vscrollbar;
        char            *tmp_pntr;
        char            tmp_str[255];
        char            buf[65534];
        char            message_body[65534];
        gint            i;
        ...
                }
        if (!find_header_field("Date", buf, &date)) {
                date = (char *) malloc(strlen("unspecified")*sizeof(char));
                strcpy(date, "unspecified");
        }
        strcpy(message_body, buf);
        ...
----------------------------------------------------------

POC:
~~~~
Send EMail with Attachment more than 100 KB
and Openwith eremove.
Eremove will be crash.
---------------------------------------------------------------------------
Shoutz:
~~~~~~~

~ y3dips,moby,comex,z3r0byt3,K-159,c-a-s-e,S`to,lirva32,anonymous
~ My Lovely Jessy
~ newbie_hacker@yahoogroups.com
~ #aikmel #e-c-h-o @irc.dal.net
~ SUPPORT PALESTINE & LEBANON
---------------------------------------------------------------------------
Contact:
~~~~~~~~

     Dedi Dwianto || echo|staff || the_day[at]echo[dot]or[dot]id
Homepage: http://theday.echo.or.id/

-------------------------------- [ EOF ] ----------------------------------


The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.