Vulnerabilities > CVE-2003-0057 - Buffer Overflow vulnerability in Hypermail Message Attachment

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
hypermail
nessus

Summary

Multiple buffer overflows in Hypermail 2 before 2.1.6 allow remote attackers to cause a denial of service and possibly execute arbitrary code (1) via a long attachment filename that is not properly handled by the hypermail executable, or (2) by connecting to the mail CGI program from an IP address that reverse-resolves to a long hostname.

Nessus

  • NASL familySuSE Local Security Checks
    NASL idSUSE_SA_2003_0012.NASL
    descriptionThe remote host is missing the patch for the advisory SUSE-SA:2003:0012 (hypermail). Hypermail is a tool to convert a Unix mail-box file to a set of cross-referenced HTML documents. During an internal source code review done by Thomas Biege several bugs were found in hypermail and its tools. These bugs allow remote code execution, local tmp race conditions, denial-of-service conditions and read access to files belonging to the host hypermail is running on. Additionally the mail CGI program can be abused by spammers as an email relay and should thus be disabled. There is no temporary fix known other than disabling hypermail. Please download and install the new packages from our FTP servers. Please download the update package for your distribution and verify its integrity by the methods listed in section 3) of this announcement. Then, install the package using the command
    last seen2020-06-01
    modified2020-06-02
    plugin id13777
    published2004-07-25
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/13777
    titleSUSE-SA:2003:0012: hypermail
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # This plugin text was extracted from SuSE Security Advisory SUSE-SA:2003:0012
    #
    
    
    # Scanner engines without bn_random() cannot run this plugin; leave quietly.
    if (!defined_func("bn_random")) exit(0);

    include("compat.inc");

    # Registration phase: populate plugin metadata and stop.
    if (description)
    {
      script_id(13777);
      script_version("1.15");
      script_cvs_date("Date: 2019/10/25 13:36:27");

      script_cve_id("CVE-2003-0057");
      script_bugtraq_id(6689, 6690);

      name["english"] = "SUSE-SA:2003:0012: hypermail";
      script_name(english:name["english"]);

      script_set_attribute(attribute:"synopsis", value:
    "The remote host is missing a vendor-supplied security patch" );
      script_set_attribute(attribute:"description", value:
    "The remote host is missing the patch for the advisory SUSE-SA:2003:0012 (hypermail).
    
    
    Hypermail is a tool to convert a Unix mail-box file to a set of cross-
    referenced HTML documents.
    During an internal source code review done by Thomas Biege several bugs
    where found in hypermail and its tools. These bugs allow remote code
    execution, local tmp race conditions, denial-of-service conditions and
    read access to files belonging to the host hypermail is running on.
    Additionally the mail CGI program can be abused by spammers as email-
    relay and should thus be disabled.
    
    There is no temporary fix known other then disabling hypermail. Please
    download and install the new packages from our FTP servers.
    
    Please download the update package for your distribution and verify its
    integrity by the methods listed in section 3) of this announcement.
    Then, install the package using the command 'rpm -Fhv file.rpm' to apply
    the update." );
      script_set_attribute(attribute:"solution", value:
    "http://www.suse.de/security/2003_12_hypermail.html" );

      # CVSS v2 vectors as published for this advisory.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
      script_set_attribute(attribute:"plugin_publication_date", value: "2004/07/25");
      script_end_attributes();

      summary["english"] = "Check for the version of the hypermail package";
      script_summary(english:summary["english"]);
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");

      family["english"] = "SuSE Local Security Checks";
      script_family(english:family["english"]);

      # The RPM inventory is collected over SSH by ssh_get_info.nasl.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/SuSE/rpm-list");
      exit(0);
    }
    
    include("rpm.inc");

    # Fixed hypermail builds per SuSE release, in the order they are checked.
    releases = make_list("SUSE7.1", "SUSE7.2", "SUSE7.3", "SUSE8.0", "SUSE8.1");
    fixed    = make_list("hypermail-2.0b29-59",
                         "hypermail-2.1.0-91",
                         "hypermail-2.1.2-141",
                         "hypermail-2.1.3-234",
                         "hypermail-2.1.4-58");

    # First installed build older than the fixed one reports (port 0 = local) and stops.
    for (i = 0; i < max_index(releases); i++)
    {
      if (rpm_check(reference:fixed[i], release:releases[i]))
      {
        security_hole(0);
        exit(0);
      }
    }

    # Reached only when no vulnerable build matched: mark the CVE as covered
    # if any hypermail package is present on one of the affected releases.
    foreach rel (releases)
    {
      if (rpm_exists(rpm:"hypermail-", release:rel))
      {
        set_kb_item(name:"CVE-2003-0057", value:TRUE);
        break;
      }
    }
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-248.NASL
    descriptionUlf Harnhammar discovered two problems in hypermail, a program to create HTML archives of mailing lists. An attacker could craft a long filename for an attachment that would overflow two buffers when a certain option for interactive use was given, opening the possibility to inject arbitrary code. This code would then be executed under the user id hypermail runs as, mostly as a local user. Automatic and silent use of hypermail does not seem to be affected. The CGI program mail, which is not installed by the Debian package, does a reverse look-up of the user
    last seen2020-06-01
    modified2020-06-02
    plugin id15085
    published2004-09-29
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/15085
    titleDebian DSA-248-1 : hypermail - buffer overflows
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-248. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");

    # Registration phase: populate plugin metadata and stop.
    if (description)
    {
      script_id(15085);
      script_version("1.22");
      script_cvs_date("Date: 2019/08/02 13:32:17");

      script_cve_id("CVE-2003-0057");
      script_bugtraq_id(6689, 6690);
      script_xref(name:"DSA", value:"248");

      script_name(english:"Debian DSA-248-1 : hypermail - buffer overflows");
      script_summary(english:"Checks dpkg output for the updated package");

      script_set_attribute(attribute:"synopsis", value:"The remote Debian host is missing a security-related update.");
      script_set_attribute(attribute:"description", value:
    "Ulf Harnhammar discovered two problems in hypermail, a program to
    create HTML archives of mailing lists.
    
    An attacker could craft a long filename for an attachment that would
    overflow two buffers when a certain option for interactive use was
    given, opening the possibility to inject arbitrary code. This code
    would then be executed under the user id hypermail runs as, mostly as
    a local user. Automatic and silent use of hypermail does not seem to
    be affected.
    
    The CGI program mail, which is not installed by the Debian package,
    does a reverse look-up of the user's IP number and copies the
    resulting hostname into a fixed-size buffer. A specially crafted DNS
    reply could overflow this buffer, opening the program to an exploit.");
      script_set_attribute(attribute:"see_also", value:"http://www.debian.org/security/2003/dsa-248");
      script_set_attribute(attribute:"solution", value:
    "Upgrade the hypermail packages.
    
    For the stable distribution (woody) this problem has been fixed in
    version 2.1.3-2.0.
    
    For the old stable distribution (potato) this problem has been fixed
    in version 2.0b25-1.1.");

      # CVSS v2 vectors as published for this advisory.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");

      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:hypermail");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:2.2");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0");
      script_set_attribute(attribute:"patch_publication_date", value:"2003/01/31");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/09/29");
      script_end_attributes();

      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");

      # The dpkg inventory is collected over SSH by ssh_get_info.nasl.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");

    # Bail out unless the dpkg inventory of a Debian host was collected.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);

    # Fixed hypermail versions per Debian release, checked in this order.
    releases = make_list("2.2", "3.0");
    fixed    = make_list("2.0b25-1.1", "2.1.3-2.0");

    vuln = 0;
    for (i = 0; i < max_index(releases); i++)
    {
      if (deb_check(release:releases[i], prefix:"hypermail", reference:fixed[i])) vuln++;
    }

    if (vuln == 0) audit(AUDIT_HOST_NOT, "affected");
    else
    {
      # Verbose mode attaches the package comparison collected by deb_check().
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }