Vulnerabilities > CVE-2003-0140 - Remote Folder Buffer Overrun vulnerability in Mutt UTF-7 Internationalized
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
PARTIAL Summary
Buffer overflow in Mutt 1.4.0 and possibly earlier versions, 1.5.x up to 1.5.3, and other programs that use Mutt code such as Balsa before 2.0.10, allows a remote malicious IMAP server to cause a denial of service (crash) and possibly execute arbitrary code via a crafted folder.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 9 |
Nessus
NASL family Debian Local Security Checks NASL id DEBIAN_DSA-268.NASL description Core Security Technologies discovered a buffer overflow in the IMAP code of Mutt, a text-oriented mail reader supporting IMAP, MIME, GPG, PGP and threading. This problem allows a remote malicious IMAP server to cause a denial of service (crash) and possibly execute arbitrary code via a specially crafted mail folder. last seen 2020-06-01 modified 2020-06-02 plugin id 15105 published 2004-09-29 reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/15105 title Debian DSA-268-1 : mutt - buffer overflow code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DSA-268. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(15105); script_version("1.20"); script_cvs_date("Date: 2019/08/02 13:32:17"); script_cve_id("CVE-2003-0140"); script_bugtraq_id(7120); script_xref(name:"DSA", value:"268"); script_name(english:"Debian DSA-268-1 : mutt - buffer overflow"); script_summary(english:"Checks dpkg output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "Core Security Technologies discovered a buffer overflow in the IMAP code of Mutt, a text-oriented mail reader supporting IMAP, MIME, GPG, PGP and threading. This problem allows a remote malicious IMAP server to cause a denial of service (crash) and possibly execute arbitrary code via a specially crafted mail folder." ); script_set_attribute( attribute:"see_also", value:"http://www.debian.org/security/2003/dsa-268" ); script_set_attribute( attribute:"solution", value: "Upgrade the mutt package. For the stable distribution (woody) this problem has been fixed in version 1.3.28-2.1. The old stable distribution (potato) is not affected by this problem." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:mutt"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0"); script_set_attribute(attribute:"patch_publication_date", value:"2003/03/25"); script_set_attribute(attribute:"plugin_publication_date", value:"2004/09/29"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"3.0", prefix:"mutt", reference:"1.3.28-2.1")) flag++; if (deb_check(release:"3.0", prefix:"mutt-utf8", reference:"1.3.28-2.1")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2003-111.NASL description Updated Balsa packages are available which fix potential vulnerabilities in the IMAP handling code and in libesmtp. Balsa is a GNOME email client which includes code from Mutt. A potential buffer overflow exists in Balsa versions 1.2 and higher when parsing mailbox names returned by an IMAP server. It is possible that a hostile IMAP server could cause arbitrary code to be executed by the user running Balsa. Additionally, a buffer overflow in libesmtp (an SMTP library used by Balsa) before version 0.8.11 allows a hostile remote SMTP server to execute arbitrary code via a certain response or cause a denial of service via long server responses. Users of Balsa are recommended to upgrade to these erratum packages which include updated versions of Balsa and libesmtp which are not vulnerable to these issues. Red Hat would like to thank CORE security for discovering the vulnerability, and the Mutt team for providing a patch. last seen 2020-06-01 modified 2020-06-02 plugin id 12382 published 2004-07-06 reporter This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/12382 title RHEL 2.1 : balsa (RHSA-2003:111) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2003:111. The text # itself is copyright (C) Red Hat, Inc. # include("compat.inc"); if (description) { script_id(12382); script_version ("1.27"); script_cvs_date("Date: 2019/10/25 13:36:10"); script_cve_id("CVE-2002-1090", "CVE-2003-0140"); script_xref(name:"RHSA", value:"2003:111"); script_name(english:"RHEL 2.1 : balsa (RHSA-2003:111)"); script_summary(english:"Checks the rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Red Hat host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Updated Balsa packages are available which fix potential vulnerabilities in the IMAP handling code and in libesmtp. Balsa is a GNOME email client which includes code from Mutt. A potential buffer overflow exists in Balsa versions 1.2 and higher when parsing mailbox names returned by an IMAP server. It is possible that a hostile IMAP server could cause arbitrary code to be executed by the user running Balsa. Additionally, a buffer overflow in libesmtp (an SMTP library used by Balsa) before version 0.8.11 allows a hostile remote SMTP server to execute arbitrary code via a certain response or cause a denial of service via long server responses. Users of Balsa are recommended to upgrade to these erratum packages which include updated versions of Balsa and libesmtp which are not vulnerable to these issues. Red Hat would like to thank CORE security for discovering the vulnerability, and the Mutt team for providing a patch." ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2002-1090" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2003-0140" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2003:111" ); script_set_attribute( attribute:"solution", value:"Update the affected balsa, libesmtp and / or libesmtp-devel packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:balsa"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:libesmtp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:libesmtp-devel"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:2.1"); script_set_attribute(attribute:"vuln_publication_date", value:"2002/10/04"); script_set_attribute(attribute:"patch_publication_date", value:"2003/05/22"); script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/06"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Red Hat Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat"); os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat"); os_ver = os_ver[1]; if (! preg(pattern:"^2\.1([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 2.1", "Red Hat " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu); if (cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i386", cpu); yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo"); if (!empty_or_null(yum_updateinfo)) { rhsa = "RHSA-2003:111"; yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa); if (!empty_or_null(yum_report)) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : yum_report ); exit(0); } else { audit_message = "affected by Red Hat security advisory " + rhsa; audit(AUDIT_OS_NOT, audit_message); } } else { flag = 0; if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"balsa-1.2.4-7.7.2")) flag++; if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"libesmtp-0.8.12-0.7.x")) flag++; if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"libesmtp-devel-0.8.12-0.7.x")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() + redhat_report_package_caveat() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "balsa / libesmtp / libesmtp-devel"); } }NASL family Mandriva Local Security Checks NASL id MANDRAKE_MDKSA-2003-041.NASL description A vulnerability was discovered in the mutt text-mode email client in the IMAP code. This vulnerability can be exploited by a malicious IMAP server to crash mutt or even execute arbitrary code with the privilege of the user running mutt. Update : The packages for Mandrake Linux 9.1 and 9.1/PPC were not GPG-signed. This has been fixed and as a result the md5sums have changed. Thanks to Mark Lyda for pointing this out. last seen 2020-06-01 modified 2020-06-02 plugin id 14025 published 2004-07-31 reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/14025 title Mandrake Linux Security Advisory : mutt (MDKSA-2003:041-1) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Mandrake Linux Security Advisory MDKSA-2003:041. # The text itself is copyright (C) Mandriva S.A. # include("compat.inc"); if (description) { script_id(14025); script_version ("1.18"); script_cvs_date("Date: 2019/08/02 13:32:46"); script_cve_id("CVE-2003-0140"); script_xref(name:"MDKSA", value:"2003:041-1"); script_name(english:"Mandrake Linux Security Advisory : mutt (MDKSA-2003:041-1)"); script_summary(english:"Checks rpm output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Mandrake Linux host is missing a security update." ); script_set_attribute( attribute:"description", value: "A vulnerability was discovered in the mutt text-mode email client in the IMAP code. This vulnerability can be exploited by a malicious IMAP server to crash mutt or even execute arbitrary code with the privilege of the user running mutt. Update : The packages for Mandrake Linux 9.1 and 9.1/PPC were not GPG-signed. This has been fixed and as a result the md5sums have changed. Thanks to Mark Lyda for pointing this out." ); script_set_attribute(attribute:"solution", value:"Update the affected mutt package."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:mutt"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:9.1"); script_set_attribute(attribute:"patch_publication_date", value:"2003/04/03"); script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/31"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc."); script_family(english:"Mandriva Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux"); if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu); flag = 0; if (rpm_check(release:"MDK9.1", cpu:"i386", reference:"mutt-1.4.1i-1.1mdk", yank:"mdk")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family SuSE Local Security Checks NASL id SUSE_SA_2003_020.NASL description The remote host is missing the patch for the advisory SUSE-SA:2003:020 (mutt). Mutt is a text-based Mail User Agent (MUA). The IMAP-code of mutt is vulnerable to a buffer overflow that can be exploited by a malicious IMAP-server to crash mutt or even execute arbitrary code with the privileges of the user running mutt. There is no temporary fix known. Please download the update package for your distribution and verify its integrity by the methods listed in section 3) of this announcement. Then, install the package using the command last seen 2020-06-01 modified 2020-06-02 plugin id 13790 published 2004-07-25 reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/13790 title SUSE-SA:2003:020: mutt code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # This plugin text was extracted from SuSE Security Advisory SUSE-SA:2003:020 # if ( ! defined_func("bn_random") ) exit(0); include("compat.inc"); if(description) { script_id(13790); script_bugtraq_id(7120); script_version ("1.15"); script_cve_id("CVE-2003-0140"); name["english"] = "SUSE-SA:2003:020: mutt"; script_name(english:name["english"]); script_set_attribute(attribute:"synopsis", value: "The remote host is missing a vendor-supplied security patch" ); script_set_attribute(attribute:"description", value: "The remote host is missing the patch for the advisory SUSE-SA:2003:020 (mutt). Mutt is a text-based Mail User Agent (MUA). The IMAP-code of mutt is vulnerable to a buffer overflow that can be exploited by a malicious IMAP-server to crash mutt or even execute arbitrary code with the privileges of the user running mutt. There is no temporary fix known. Please download the update package for your distribution and verify its integrity by the methods listed in section 3) of this announcement. Then, install the package using the command 'rpm -Fhv file.rpm' to apply the update." ); script_set_attribute(attribute:"solution", value: "http://www.suse.de/security/2003_020_mutt.html" ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_publication_date", value: "2004/07/25"); script_cvs_date("Date: 2019/10/25 13:36:27"); script_end_attributes(); summary["english"] = "Check for the version of the mutt package"; script_summary(english:summary["english"]); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc."); family["english"] = "SuSE Local Security Checks"; script_family(english:family["english"]); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/SuSE/rpm-list"); exit(0); } include("rpm.inc"); if ( rpm_check( reference:"mutt-1.3.12i-69", release:"SUSE7.1") ) { security_hole(0); exit(0); } if ( rpm_check( reference:"mutt-1.3.16i-92", release:"SUSE7.2") ) { security_hole(0); exit(0); } if ( rpm_check( reference:"mutt-1.3.22.1i-170", release:"SUSE7.3") ) { security_hole(0); exit(0); } if ( rpm_check( reference:"mutt-1.3.27i-77", release:"SUSE8.0") ) { security_hole(0); exit(0); } if ( rpm_check( reference:"mutt-1.4i-216", release:"SUSE8.1") ) { security_hole(0); exit(0); } if (rpm_exists(rpm:"mutt-", release:"SUSE7.1") || rpm_exists(rpm:"mutt-", release:"SUSE7.2") || rpm_exists(rpm:"mutt-", release:"SUSE7.3") || rpm_exists(rpm:"mutt-", release:"SUSE8.0") || rpm_exists(rpm:"mutt-", release:"SUSE8.1") ) { set_kb_item(name:"CVE-2003-0140", value:TRUE); }
Oval
accepted 2007-04-25T19:52:22.102-04:00 class vulnerability contributors name Jay Beale organization Bastille Linux name Jay Beale organization Bastille Linux name Thomas R. Jones organization Maitreya Security
description Buffer overflow in Mutt 1.4.0 and possibly earlier versions, 1.5.x up to 1.5.3, and other programs that use Mutt code such as Balsa before 2.0.10, allows a remote malicious IMAP server to cause a denial of service (crash) and possibly execute arbitrary code via a crafted folder. family unix id oval:org.mitre.oval:def:2 status accepted submitted 2003-08-18T12:00:00.000-04:00 title Mutt BO Vulnerability in balsa version 38 accepted 2007-04-25T19:52:30.758-04:00 class vulnerability contributors name Jay Beale organization Bastille Linux name Thomas R. Jones organization Maitreya Security
description Buffer overflow in Mutt 1.4.0 and possibly earlier versions, 1.5.x up to 1.5.3, and other programs that use Mutt code such as Balsa before 2.0.10, allows a remote malicious IMAP server to cause a denial of service (crash) and possibly execute arbitrary code via a crafted folder. family unix id oval:org.mitre.oval:def:434 status accepted submitted 2003-08-18T12:00:00.000-04:00 title Mutt BO Vulnerability version 38
Redhat
| advisories |
|
References
- http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000626
- http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000630
- http://marc.info/?l=bugtraq&m=104817995421439&w=2
- http://marc.info/?l=bugtraq&m=104818814931378&w=2
- http://marc.info/?l=bugtraq&m=104852190605988&w=2
- http://marc.info/?l=bugtraq&m=105171507629573&w=2
- http://www.coresecurity.com/common/showdoc.php?idx=310&idxseccion=10
- http://www.debian.org/security/2003/dsa-268
- http://www.gentoo.org/security/en/glsa/glsa-200303-19.xml
- http://www.mandriva.com/security/advisories?name=MDKSA-2003:041
- http://www.novell.com/linux/security/advisories/2003_020_mutt.html
- http://www.redhat.com/support/errata/RHSA-2003-109.html
- http://www.securityfocus.com/archive/1/315679
- http://www.securityfocus.com/bid/7120
- https://exchange.xforce.ibmcloud.com/vulnerabilities/11583
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A2
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A434