Vigil@nce: fetchmail, buffer overflow in verbose mode
February 2010 by Vigil@nce
SYNTHESIS OF THE VULNERABILITY
When fetchmail is used in verbose mode, an attacker can create an
X.509 certificate with special characters, in order to generate a
buffer overflow.
Severity: 2/4
Consequences: denial of service of client
Provenance: intranet client
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the vendor (5/5)
Diffusion of the vulnerable configuration: medium (2/3)
Creation date: 04/02/2010
IMPACTED PRODUCTS
– Unix platform
DESCRIPTION OF THE VULNERABILITY
The fetchmail program downloads emails from a POP or IMAP server.
The protocol can be encapsulated in SSL.
When fetchmail is used in verbose mode (-vv or -vvv), it calls the
sdump() function to display X.509 certificates. This function copies
the characters of the certificate name into an array, escaping each
non-printable byte in hexadecimal format ("\xHH").
However, if the value of a byte is greater than 127 (for example 233,
the Latin-1 "é"), the char type is signed on many platforms, so the
byte is sign-extended and displayed in the signed format (for example
"\xFFFFFFE9") instead of the unsigned format ("\xE9"). Each such
escape is 10 characters long instead of 4, so the resulting string is
longer than the array was sized for and overflows it.
When fetchmail is used in verbose mode, an attacker who can present a
certificate to the client (by controlling the mail server or by
intercepting the SSL connection) can therefore create an X.509
certificate whose name fields contain non-ASCII characters, in order
to generate a buffer overflow, leading to a denial of service and
possibly to code execution.
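The following C program is an added illustration of the sign-extension mechanism described above; it is not fetchmail's code and is not taken from the advisory. It models a hexdump routine sized at 4 characters per input byte, measures how many bytes the dump actually needs with and without the unsigned cast, and shows a hardened variant with bounded writes. The sample certificate name (constructed for this example) mixes ASCII with several 0xE9 bytes. The cast to signed char is forced so the buggy path behaves the same on platforms where plain char is unsigned (e.g. ARM); in fetchmail the behaviour depended on the platform's char signedness.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample: a certificate subject fragment containing four
 * Latin-1 "é" bytes (0xE9), the value used as an example in the advisory. */
const unsigned char sample_name[] = { 'c', 'a', 'f', 0xE9, 0xE9, 0xE9, 0xE9 };
const size_t sample_len = sizeof sample_name;

/* Sizing assumption of the dump buffer: each input byte becomes at most
 * the 4-character escape "\xHH", plus a trailing NUL. */
size_t sdump_allocated(size_t len)
{
    return 4 * len + 1;
}

/* Format one byte. With signed_bug set, the byte is handed to %02X as a
 * signed char: it is promoted to a negative int and printed as eight hex
 * digits ("\xFFFFFFE9"). With signed_bug clear, it is passed as an
 * unsigned char and prints as two digits ("\xE9"). */
static int fmt_byte(char *out, size_t outsz, unsigned char c, int signed_bug)
{
    if (isprint(c))
        return snprintf(out, outsz, "%c", c);
    if (signed_bug)
        return snprintf(out, outsz, "\\x%02X", (int)(signed char)c);
    return snprintf(out, outsz, "\\x%02X", c);
}

/* Number of bytes the dump needs (including the NUL), computed into a
 * scratch buffer so the vulnerable variant can be measured without
 * actually overflowing anything. */
size_t sdump_required(const unsigned char *in, size_t len, int signed_bug)
{
    char tmp[16];
    size_t total = 1; /* NUL terminator */
    for (size_t i = 0; i < len; i++)
        total += (size_t)fmt_byte(tmp, sizeof tmp, in[i], signed_bug);
    return total;
}

/* Hardened dump: the unsigned cast keeps every escape at 4 characters, and
 * snprintf is bounded by the remaining capacity. Returns a malloc'd string. */
char *sdump_fixed(const unsigned char *in, size_t len)
{
    size_t cap = sdump_allocated(len), j = 0;
    char *out = malloc(cap);
    if (!out)
        return NULL;
    for (size_t i = 0; i < len; i++)
        j += (size_t)fmt_byte(out + j, cap - j, in[i], 0);
    out[j] = '\0';
    return out;
}

int main(void)
{
    printf("allocated:              %zu\n", sdump_allocated(sample_len));
    printf("needed (unsigned cast): %zu\n", sdump_required(sample_name, sample_len, 0));
    printf("needed (sign-extended): %zu\n", sdump_required(sample_name, sample_len, 1));
    char *s = sdump_fixed(sample_name, sample_len);
    if (s) {
        printf("fixed dump:             %s\n", s);
        free(s);
    }
    return 0;
}
```

With the sample above the buffer holds 29 bytes, the correct dump needs 20, and the sign-extended dump needs 44: every additional high byte in the certificate name adds 6 bytes past the sizing assumption, which is why an attacker-supplied name can push the write well beyond the array.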
CHARACTERISTICS
Identifiers: BID-38088, CVE-2010-0562, fetchmail-SA-2010-01,
VIGILANCE-VUL-9408