Vulnerabilities > CVE-2003-0140 - Remote Folder Buffer Overrun vulnerability in Mutt UTF-7 Internationalized

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
mutt
nessus

Summary

Buffer overflow in Mutt 1.4.0 and possibly earlier versions, 1.5.x up to 1.5.3, and other programs that use Mutt code such as Balsa before 2.0.10, allows a remote malicious IMAP server to cause a denial of service (crash) and possibly execute arbitrary code via a crafted folder.

Nessus

  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-268.NASL
    description: Core Security Technologies discovered a buffer overflow in the IMAP code of Mutt, a text-oriented mail reader supporting IMAP, MIME, GPG, PGP and threading. This problem allows a remote malicious IMAP server to cause a denial of service (crash) and possibly execute arbitrary code via a specially crafted mail folder.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 15105
    published: 2004-09-29
    reporter: This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/15105
    title: Debian DSA-268-1 : mutt - buffer overflow
    code:
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-268. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    # Registration branch: when `description` is set the script only declares its
    # metadata and exits (exit(0) at the end); the package comparison further down
    # is not reached in that case.
    if (description)
    {
      # Plugin identity and revision stamp.
      script_id(15105);
      script_version("1.20");
      script_cvs_date("Date: 2019/08/02 13:32:17");

      # Identifiers to pivot on: CVE, Bugtraq ID and the Debian advisory number.
      script_cve_id("CVE-2003-0140");
      script_bugtraq_id(7120);
      script_xref(name:"DSA", value:"268");

      script_name(english:"Debian DSA-268-1 : mutt - buffer overflow");
      script_summary(english:"Checks dpkg output for the updated package");

      script_set_attribute(attribute:"synopsis", value:"The remote Debian host is missing a security-related update.");
      script_set_attribute(attribute:"description", value:
    "Core Security Technologies discovered a buffer overflow in the IMAP
    code of Mutt, a text-oriented mail reader supporting IMAP, MIME, GPG,
    PGP and threading. This problem allows a remote malicious IMAP server
    to cause a denial of service (crash) and possibly execute arbitrary
    code via a specially crafted mail folder.");
      script_set_attribute(attribute:"see_also", value:"http://www.debian.org/security/2003/dsa-268");
      script_set_attribute(attribute:"solution", value:
    "Upgrade the mutt package.
    
    For the stable distribution (woody) this problem has been fixed in
    version 1.3.28-2.1.
    
    The old stable distribution (potato) is not affected by this problem.");

      # CVSS v2 base: network vector, low complexity, no authentication, partial
      # C/I/A. Per the description text the hostile party is the IMAP server, so
      # the precondition is a mutt client connecting to a server the attacker
      # controls; triage exposure by where users point their mail client.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      # CVSS v2 temporal: exploitability unproven, official fix, report confirmed.
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");

      # "local" plugin: the verdict comes from package data collected on the host
      # (see the required KB keys below), not from probing a running service.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:mutt");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0");

      script_set_attribute(attribute:"patch_publication_date", value:"2003/03/25");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/09/29");
      script_end_attributes();

      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");

      # Depends on ssh_get_info.nasl and on the three KB keys the check reads.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    # Preconditions: local checks enabled, host identified as Debian, and a
    # dpkg listing present in the KB. Each failed precondition is recorded
    # through audit() instead of being reported as a finding.
    if (!get_kb_item("Host/local_checks_enabled"))
      audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release"))
      audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l"))
      audit(AUDIT_PACKAGE_LIST_MISSING);


    # Compare both mutt package flavours on Debian 3.0 against the fixed version
    # 1.3.28-2.1. This is a version comparison only; it does not exercise the
    # IMAP code path. deb_check() presumably returns true for an installed
    # package older than `reference` -- confirm in debian_package.inc.
    flag = 0;
    foreach mutt_pkg (make_list("mutt", "mutt-utf8"))
    {
      if (deb_check(release:"3.0", prefix:mutt_pkg, reference:"1.3.28-2.1")) flag++;
    }

    if (!flag) audit(AUDIT_HOST_NOT, "affected");
    else
    {
      # Attach the package report only when the scan asks for verbose output.
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2003-111.NASL
    description: Updated Balsa packages are available which fix potential vulnerabilities in the IMAP handling code and in libesmtp. Balsa is a GNOME email client which includes code from Mutt. A potential buffer overflow exists in Balsa versions 1.2 and higher when parsing mailbox names returned by an IMAP server. It is possible that a hostile IMAP server could cause arbitrary code to be executed by the user running Balsa. Additionally, a buffer overflow in libesmtp (an SMTP library used by Balsa) before version 0.8.11 allows a hostile remote SMTP server to execute arbitrary code via a certain response or cause a denial of service via long server responses. Users of Balsa are recommended to upgrade to these erratum packages which include updated versions of Balsa and libesmtp which are not vulnerable to these issues. Red Hat would like to thank CORE security for discovering the vulnerability, and the Mutt team for providing a patch.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 12382
    published: 2004-07-06
    reporter: This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/12382
    title: RHEL 2.1 : balsa (RHSA-2003:111)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2003:111. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    # Registration branch: when `description` is set the script only declares its
    # metadata and exits (exit(0) at the end); the RPM comparison further down is
    # not reached in that case.
    if (description)
    {
      # Plugin identity and revision stamp.
      script_id(12382);
      script_version("1.27");
      script_cvs_date("Date: 2019/10/25 13:36:10");

      # One advisory, two CVEs: CVE-2002-1090 is listed next to CVE-2003-0140, and
      # the description text below covers both a Balsa IMAP and a libesmtp overflow.
      script_cve_id("CVE-2002-1090", "CVE-2003-0140");
      script_xref(name:"RHSA", value:"2003:111");

      script_name(english:"RHEL 2.1 : balsa (RHSA-2003:111)");
      script_summary(english:"Checks the rpm output for the updated packages");

      script_set_attribute(attribute:"synopsis", value:"The remote Red Hat host is missing one or more security updates.");
      script_set_attribute(attribute:"description", value:
    "Updated Balsa packages are available which fix potential
    vulnerabilities in the IMAP handling code and in libesmtp.
    
    Balsa is a GNOME email client which includes code from Mutt.
    
    A potential buffer overflow exists in Balsa versions 1.2 and higher
    when parsing mailbox names returned by an IMAP server. It is possible
    that a hostile IMAP server could cause arbitrary code to be executed
    by the user running Balsa.
    
    Additionally, a buffer overflow in libesmtp (an SMTP library used by
    Balsa) before version 0.8.11 allows a hostile remote SMTP server to
    execute arbitrary code via a certain response or cause a denial of
    service via long server responses.
    
    Users of Balsa are recommended to upgrade to these erratum packages
    which include updated versions of Balsa and libesmtp which are not
    vulnerable to these issues.
    
    Red Hat would like to thank CORE security for discovering the
    vulnerability, and the Mutt team for providing a patch.");
      script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2002-1090");
      script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2003-0140");
      script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2003:111");
      script_set_attribute(attribute:"solution", value:"Update the affected balsa, libesmtp and / or libesmtp-devel packages.");

      # CVSS v2 base: network vector, low complexity, no authentication, partial
      # C/I/A. Per the description text the hostile party is the IMAP or SMTP
      # server, so the precondition is the client connecting to such a server.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");

      # "local" plugin: the verdict comes from the RPM list collected on the host
      # (see the required KB keys below), not from probing a running service.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:balsa");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:libesmtp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:libesmtp-devel");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:2.1");

      script_set_attribute(attribute:"vuln_publication_date", value:"2002/10/04");
      script_set_attribute(attribute:"patch_publication_date", value:"2003/05/22");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/06");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();

      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");

      # Depends on ssh_get_info.nasl and on the four KB keys the check reads.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");

      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    # Preconditions. Every failed gate is recorded through audit() rather than
    # reported as a finding, so an audit entry here means "not evaluated", not
    # "patched".
    if (!get_kb_item("Host/local_checks_enabled"))
      audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

    # OS gate: the release string must name Red Hat Enterprise Linux and its
    # version must be 2.1.
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release)
      audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver))
      audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (!preg(pattern:"^2\.1([^0-9]|$)", string:os_ver))
      audit(AUDIT_OS_NOT, "Red Hat 2.1", "Red Hat " + os_ver);

    if (!get_kb_item("Host/RedHat/rpm-list"))
      audit(AUDIT_PACKAGE_LIST_MISSING);

    # Architecture gate: x86_64 and s390 pass the first test but are turned away
    # by the second, so only i386-class hosts reach the package comparison.
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu))
      audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu)
      audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    if (cpu !~ "^i[3-6]86$")
      audit(AUDIT_ARCH_NOT, "i386", cpu);

    # Two evidence sources: the RPM version comparison is used only when no
    # yum-updateinfo data is in the KB; otherwise the verdict is taken from the
    # yum advisory report for RHSA-2003:111.
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (empty_or_null(yum_updateinfo))
    {
      flag = 0;
      foreach fixed_ref (make_list("balsa-1.2.4-7.7.2", "libesmtp-0.8.12-0.7.x", "libesmtp-devel-0.8.12-0.7.x"))
      {
        if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:fixed_ref)) flag++;
      }

      if (!flag)
      {
        # Nothing flagged: distinguish "tested and current" from "not installed".
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "balsa / libesmtp / libesmtp-devel");
      }
      else
      {
        security_report_v4(
          port     : 0,
          severity : SECURITY_HOLE,
          extra    : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
    }
    else
    {
      rhsa = "RHSA-2003:111";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (empty_or_null(yum_report))
      {
        audit(AUDIT_OS_NOT, "affected by Red Hat security advisory " + rhsa);
      }
      else
      {
        security_report_v4(
          port     : 0,
          severity : SECURITY_HOLE,
          extra    : yum_report
        );
        exit(0);
      }
    }
    
  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRAKE_MDKSA-2003-041.NASL
    description: A vulnerability was discovered in the mutt text-mode email client in the IMAP code. This vulnerability can be exploited by a malicious IMAP server to crash mutt or even execute arbitrary code with the privilege of the user running mutt. Update: The packages for Mandrake Linux 9.1 and 9.1/PPC were not GPG-signed. This has been fixed and as a result the md5sums have changed. Thanks to Mark Lyda for pointing this out.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 14025
    published: 2004-07-31
    reporter: This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/14025
    title: Mandrake Linux Security Advisory : mutt (MDKSA-2003:041-1)
    code:
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Mandrake Linux Security Advisory MDKSA-2003:041. 
    # The text itself is copyright (C) Mandriva S.A.
    #
    
    include("compat.inc");
    
    # Registration branch: when `description` is set the script only declares its
    # metadata and exits (exit(0) at the end); the RPM comparison further down is
    # not reached in that case.
    if (description)
    {
      # Plugin identity and revision stamp.
      script_id(14025);
      script_version("1.18");
      script_cvs_date("Date: 2019/08/02 13:32:46");

      # Identifiers to pivot on: the CVE and the Mandrake advisory (revision -1).
      script_cve_id("CVE-2003-0140");
      script_xref(name:"MDKSA", value:"2003:041-1");

      script_name(english:"Mandrake Linux Security Advisory : mutt (MDKSA-2003:041-1)");
      script_summary(english:"Checks rpm output for the updated package");

      script_set_attribute(attribute:"synopsis", value:"The remote Mandrake Linux host is missing a security update.");
      # The "Update" paragraph records that the first 9.1 packages shipped without
      # a GPG signature and were re-issued, which changed their md5sums.
      script_set_attribute(attribute:"description", value:
    "A vulnerability was discovered in the mutt text-mode email client in
    the IMAP code. This vulnerability can be exploited by a malicious IMAP
    server to crash mutt or even execute arbitrary code with the privilege
    of the user running mutt.
    
    Update :
    
    The packages for Mandrake Linux 9.1 and 9.1/PPC were not GPG-signed.
    This has been fixed and as a result the md5sums have changed. Thanks
    to Mark Lyda for pointing this out.");
      script_set_attribute(attribute:"solution", value:"Update the affected mutt package.");

      # CVSS v2 base: network vector, low complexity, no authentication, partial
      # C/I/A. Per the description text the hostile party is the IMAP server, so
      # the precondition is a mutt client connecting to such a server.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");

      # "local" plugin: the verdict comes from the RPM list collected on the host
      # (see the required KB keys below), not from probing a running service.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:mutt");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:9.1");

      script_set_attribute(attribute:"patch_publication_date", value:"2003/04/03");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/31");
      script_end_attributes();

      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
      script_family(english:"Mandriva Local Security Checks");

      # Depends on ssh_get_info.nasl and on the four KB keys the check reads.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");

      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
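    # Preconditions: local checks enabled, host identified as Mandrake/Mandriva,
    # and an RPM listing present in the KB. Each failed gate is recorded through
    # audit() instead of being reported as a finding.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    # Spelling of the OS name corrected ("Mandake" -> "Mandrake") so this audit
    # message matches the one used by the architecture gate below.
    if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandrake Linux");
    if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

    # Architecture gate: only amd64, i386-class and x86_64 hosts are evaluated.
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);


    # Version comparison against the fixed mutt build for Mandrake 9.1. This does
    # not exercise the IMAP code path.
    # NOTE(review): the gate above admits amd64/x86_64, but the only reference
    # package is declared for cpu:"i386" -- confirm how rpm_check() treats a
    # non-matching cpu before reading a clean result on a 64-bit host as patched.
    flag = 0;
    if (rpm_check(release:"MDK9.1", cpu:"i386", reference:"mutt-1.4.1i-1.1mdk", yank:"mdk")) flag++;


    if (flag)
    {
      # Attach the package report only when the scan asks for verbose output.
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");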
    
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_SA_2003_020.NASL
    description: The remote host is missing the patch for the advisory SUSE-SA:2003:020 (mutt). Mutt is a text-based Mail User Agent (MUA). The IMAP-code of mutt is vulnerable to a buffer overflow that can be exploited by a malicious IMAP-server to crash mutt or even execute arbitrary code with the privileges of the user running mutt. There is no temporary fix known. Please download the update package for your distribution and verify its integrity by the methods listed in section 3) of this announcement. Then, install the package using the command 'rpm -Fhv file.rpm' to apply the update.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 13790
    published: 2004-07-25
    reporter: This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/13790
    title: SUSE-SA:2003:020: mutt
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # This plugin text was extracted from SuSE Security Advisory SUSE-SA:2003:020
    #
    
    
    # Exit quietly, before anything is included or registered, when the
    # interpreter does not define bn_random(). Presumably a capability probe for
    # an engine able to run local checks -- confirm against the scanner docs.
    if (!defined_func("bn_random"))
      exit(0);
    
    include("compat.inc");
    
    # Registration branch: when `description` is set the script only declares its
    # metadata and exits (exit(0) at the end); the RPM comparison further down is
    # not reached in that case.
    if (description)
    {
      # Plugin identity, Bugtraq ID and CVE.
      script_id(13790);
      script_bugtraq_id(7120);
      script_version("1.15");
      script_cve_id("CVE-2003-0140");

      script_name(english:"SUSE-SA:2003:020: mutt");

      script_set_attribute(attribute:"synopsis", value:
    "The remote host is missing a vendor-supplied security patch");
      # The advisory text states that no temporary workaround is known, i.e.
      # installing the updated package is the only remediation it offers.
      script_set_attribute(attribute:"description", value:
    "The remote host is missing the patch for the advisory SUSE-SA:2003:020 (mutt).
    
    
    Mutt is a text-based Mail User Agent (MUA).
    The IMAP-code of mutt is vulnerable to a buffer overflow that can be
    exploited by a malicious IMAP-server to crash mutt or even execute
    arbitrary code with the privileges of the user running mutt.
    
    There is no temporary fix known.
    
    Please download the update package for your distribution and verify its
    integrity by the methods listed in section 3) of this announcement.
    Then, install the package using the command 'rpm -Fhv file.rpm' to apply
    the update.");
      # The solution field carries only the advisory URL.
      script_set_attribute(attribute:"solution", value:
    "http://www.suse.de/security/2003_020_mutt.html");

      # CVSS v2 base: network vector, low complexity, no authentication, partial
      # C/I/A. Per the description text the hostile party is the IMAP server, so
      # the precondition is a mutt client connecting to such a server.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      # CVSS v2 temporal: exploitability unproven, official fix, report confirmed.
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");

      script_set_attribute(attribute:"plugin_publication_date", value: "2004/07/25");
      script_cvs_date("Date: 2019/10/25 13:36:27");
      script_end_attributes();

      script_summary(english:"Check for the version of the mutt package");
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
      script_family(english:"SuSE Local Security Checks");

      # Only the RPM list is required here; unlike the other plugins listed on
      # this page, "Host/local_checks_enabled" is not among the required keys.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/SuSE/rpm-list");
      exit(0);
    }
    
    include("rpm.inc");
    # Fixed mutt build per SuSE release, kept as two parallel lists so that
    # index n of one list pairs with index n of the other.
    suse_releases = make_list("SUSE7.1", "SUSE7.2", "SUSE7.3", "SUSE8.0", "SUSE8.1");
    suse_fixed    = make_list("mutt-1.3.12i-69", "mutt-1.3.16i-92", "mutt-1.3.22.1i-170", "mutt-1.3.27i-77", "mutt-1.4i-216");

    # Report on the first release/reference pair that rpm_check() flags and stop.
    # The finding is raised without report text, so the analyst has to read the
    # installed version from the host's RPM list. This is a version comparison
    # only; it does not exercise the IMAP code path.
    for (suse_idx = 0; suse_idx < max_index(suse_releases); suse_idx++)
    {
      if (rpm_check(reference:suse_fixed[suse_idx], release:suse_releases[suse_idx]))
      {
        security_hole(0);
        exit(0);
      }
    }

    # Reached only when nothing was flagged: if a package whose name starts with
    # "mutt-" exists on one of the covered releases, record the KB item
    # "CVE-2003-0140". Presumably this marks the CVE as checked and patched for
    # later consumers of the KB -- confirm which plugins read it.
    mutt_installed = FALSE;
    foreach suse_rel (suse_releases)
    {
      if (rpm_exists(rpm:"mutt-", release:suse_rel))
      {
        mutt_installed = TRUE;
        break;
      }
    }
    if (mutt_installed)
    {
      set_kb_item(name:"CVE-2003-0140", value:TRUE);
    }
    

Oval

  • accepted: 2007-04-25T19:52:22.102-04:00
    class: vulnerability
    contributors:
    • name: Jay Beale
      organization: Bastille Linux
    • name: Jay Beale
      organization: Bastille Linux
    • name: Thomas R. Jones
      organization: Maitreya Security
    description: Buffer overflow in Mutt 1.4.0 and possibly earlier versions, 1.5.x up to 1.5.3, and other programs that use Mutt code such as Balsa before 2.0.10, allows a remote malicious IMAP server to cause a denial of service (crash) and possibly execute arbitrary code via a crafted folder.
    family: unix
    id: oval:org.mitre.oval:def:2
    status: accepted
    submitted: 2003-08-18T12:00:00.000-04:00
    title: Mutt BO Vulnerability in balsa
    version: 38
  • accepted: 2007-04-25T19:52:30.758-04:00
    class: vulnerability
    contributors:
    • name: Jay Beale
      organization: Bastille Linux
    • name: Thomas R. Jones
      organization: Maitreya Security
    description: Buffer overflow in Mutt 1.4.0 and possibly earlier versions, 1.5.x up to 1.5.3, and other programs that use Mutt code such as Balsa before 2.0.10, allows a remote malicious IMAP server to cause a denial of service (crash) and possibly execute arbitrary code via a crafted folder.
    family: unix
    id: oval:org.mitre.oval:def:434
    status: accepted
    submitted: 2003-08-18T12:00:00.000-04:00
    title: Mutt BO Vulnerability
    version: 38

Redhat

advisories
rhsa
id: RHSA-2003:109