Vulnerabilities > CVE-2004-0224 - Remote Buffer Overflow vulnerability in Courier

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
double-precision-incorporated
inter7
gentoo
nessus

Summary

Multiple buffer overflows in (1) iso2022jp.c or (2) shiftjis.c for Courier-IMAP before 3.0.0, Courier before 0.45, and SqWebMail before 4.0.0 may allow remote attackers to execute arbitrary code "when Unicode character is out of BMP range."

Nessus

  • NASL familySMTP problems
    NASL idCOURIER_OVERFLOWS.NASL
    descriptionAccording to its version number, the version of Courier MTA running on the remote host has multiple buffer overflow vulnerabilities. A remote attacker could exploit this to crash the service, or possibly execute arbitrary code.
    last seen2020-06-01
    modified2020-06-02
    plugin id12102
    published2004-03-14
    reporterThis script is Copyright (C) 2004-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/12102
    titleCourier < 0.45 Multiple Remote Overflows
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    include("compat.inc");
    
    
    if(description)
    {
     script_id(12102);
     script_version("1.15");
     script_cve_id("CVE-2004-0224");
     script_bugtraq_id(9845);
     
     script_name(english:"Courier < 0.45 Multiple Remote Overflows");
     script_summary(english:"Checks the version number"); 
     
     script_set_attribute(
       attribute:"synopsis",
       value:"The remote SMTP server has multiple buffer overflow vulnerabilities."
     );
     script_set_attribute(attribute:"description", value:
    "According to its version number, the version of Courier MTA running
    on the remote host has multiple buffer overflow vulnerabilities.  A
    remote attacker could exploit this to crash the service, or possibly
    execute arbitrary code." );
     script_set_attribute(
       attribute:"solution", 
       value:"Upgrade to Courier 0.45 or later."
     );
     script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
     script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
     script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
     script_set_attribute(attribute:"exploit_available", value:"false");
     script_set_attribute(attribute:"plugin_publication_date", value: "2004/03/14");
     script_set_attribute(attribute:"vuln_publication_date", value: "2004/03/11");
     script_cvs_date("Date: 2018/07/06 11:26:08");
     script_set_attribute(attribute:"plugin_type", value:"remote");
     script_end_attributes();
    
     script_category(ACT_GATHER_INFO);
     script_family(english:"SMTP problems");
    
     script_copyright(english:"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.");
    
     script_dependencie("find_service1.nasl", "smtpserver_detect.nasl");
     script_require_ports("Services/smtp", 25);
    
     exit(0);
    }
    
    #
    # The script code starts here
    #
    
    include("smtp_func.inc");
    
    port = get_kb_item("Services/smtp");
    if(!port) port = 25;
    
    banner = get_smtp_banner(port:port);
    if(banner)
    {
     if ( egrep(pattern:"220.*Courier 0\.([0-9]\.|[0-3][0-9]\.|4[0-4]\.)", string:banner) ) { security_hole(port); exit(0); }
    
    }
    
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-200403-06.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-200403-06 (Multiple remote buffer overflow vulnerabilities in Courier) The vulnerabilities have been found in the
    last seen2020-06-01
    modified2020-06-02
    plugin id14457
    published2004-08-30
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/14457
    titleGLSA-200403-06 : Multiple remote buffer overflow vulnerabilities in Courier
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Gentoo Linux Security Advisory GLSA 200403-06.
    #
    # The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc.
    # and licensed under the Creative Commons - Attribution / Share Alike 
    # license. See http://creativecommons.org/licenses/by-sa/3.0/
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(14457);
      script_version("1.13");
      script_cvs_date("Date: 2019/08/02 13:32:41");
    
      script_cve_id("CVE-2004-0224");
      script_bugtraq_id(9845);
      script_xref(name:"GLSA", value:"200403-06");
    
      script_name(english:"GLSA-200403-06 : Multiple remote buffer overflow vulnerabilities in Courier");
      script_summary(english:"Checks for updated package(s) in /var/db/pkg");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Gentoo host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote host is affected by the vulnerability described in GLSA-200403-06
    (Multiple remote buffer overflow vulnerabilities in Courier)
    
        The vulnerabilities have been found in the 'SHIFT_JIS' converter in
        'shiftjis.c' and 'ISO2022JP' converter in 'so2022jp.c'. An attacker may
        supply Unicode characters that exceed BMP (Basic Multilingual Plane) range,
        causing an overflow.
      
    Impact :
    
        An attacker without privileges may exploit this vulnerability remotely, allowing arbitrary code to be executed in order to gain unauthorized access.
      
    Workaround :
    
        While a workaround is not currently known for this issue, all users are
        advised to upgrade to the latest version of the affected packages."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security.gentoo.org/glsa/200403-06"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "All users should upgrade to current versions of the affected packages:
        # emerge sync
        # emerge -pv '>=net-mail/courier-imap-3.0.0'
        # emerge '>=net-mail/courier-imap-3.0.0'
        # ** Or; depending on your installation... **
        # emerge -pv '>=mail-mta/courier-0.45'
        # emerge '>=mail-mta/courier-0.45'"
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:courier");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:courier-imap");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2004/03/26");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/08/30");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
      script_family(english:"Gentoo Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("qpkg.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
    if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (qpkg_check(package:"mail-mta/courier", unaffected:make_list("ge 0.45"), vulnerable:make_list("lt 0.45"))) flag++;
    if (qpkg_check(package:"net-mail/courier-imap", unaffected:make_list("ge 3.0.0"), vulnerable:make_list("lt 3.0.0"))) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = qpkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "mail-mta/courier / net-mail/courier-imap");
    }
    
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_98BD69C3834B11D8A41F0020ED76EF5A.NASL
    descriptionThe Courier set of mail services use a common Unicode library. This library contains buffer overflows in the converters for two popular Japanese character encodings. These overflows may be remotely exploitable, triggered by a maliciously formatted email message that is later processed by one of the Courier mail services. From the release notes for the corrected versions of the Courier set of mail services : iso2022jp.c: Converters became (upper-)compatible with ISO-2022-JP (RFC1468 / JIS X 0208:1997 Annex 2) and ISO-2022-JP-1 (RFC2237). Buffer overflow vulnerability (when Unicode character is out of BMP range) has been closed. Convert error handling was implemented. shiftjis.c: Broken SHIFT_JIS converters has been fixed and became (upper-)compatible with Shifted Encoding Method (JIS X 0208:1997 Annex 1). Buffer overflow vulnerability (when Unicode character is out of BMP range) has been closed. Convert error handling was implemented.
    last seen2020-06-01
    modified2020-06-02
    plugin id19044
    published2005-07-13
    reporterThis script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/19044
    titleFreeBSD : Courier mail services: remotely exploitable buffer overflows (98bd69c3-834b-11d8-a41f-0020ed76ef5a)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from the FreeBSD VuXML database :
    #
    # Copyright 2003-2018 Jacques Vidrine and contributors
    #
    # Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
    # HTML, PDF, PostScript, RTF and so forth) with or without modification,
    # are permitted provided that the following conditions are met:
    # 1. Redistributions of source code (VuXML) must retain the above
    #    copyright notice, this list of conditions and the following
    #    disclaimer as the first lines of this file unmodified.
    # 2. Redistributions in compiled form (transformed to other DTDs,
    #    published online in any format, converted to PDF, PostScript,
    #    RTF and other formats) must reproduce the above copyright
    #    notice, this list of conditions and the following disclaimer
    #    in the documentation and/or other materials provided with the
    #    distribution.
    # 
    # THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
    # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
    # THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
    # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
    # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
    # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
    # OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
    # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
    # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
    # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
    # EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(19044);
      script_version("1.19");
      script_cvs_date("Date: 2019/08/02 13:32:36");
    
      script_cve_id("CVE-2004-0224");
      script_bugtraq_id(9845);
      script_xref(name:"Secunia", value:"11087");
    
      script_name(english:"FreeBSD : Courier mail services: remotely exploitable buffer overflows (98bd69c3-834b-11d8-a41f-0020ed76ef5a)");
      script_summary(english:"Checks for updated packages in pkg_info output");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote FreeBSD host is missing one or more security-related
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The Courier set of mail services use a common Unicode library. This
    library contains buffer overflows in the converters for two popular
    Japanese character encodings. These overflows may be remotely
    exploitable, triggered by a maliciously formatted email message that
    is later processed by one of the Courier mail services. From the
    release notes for the corrected versions of the Courier set of mail
    services :
    
    iso2022jp.c: Converters became (upper-)compatible with ISO-2022-JP
    (RFC1468 / JIS X 0208:1997 Annex 2) and ISO-2022-JP-1 (RFC2237).
    Buffer overflow vulnerability (when Unicode character is out of BMP
    range) has been closed. Convert error handling was implemented.
    
    shiftjis.c: Broken SHIFT_JIS converters has been fixed and became
    (upper-)compatible with Shifted Encoding Method (JIS X 0208:1997 Annex
    1). Buffer overflow vulnerability (when Unicode character is out of
    BMP range) has been closed. Convert error handling was implemented."
      );
      # http://cvs.sourceforge.net/viewcvs.py/courier/libs/unicode/iso2022jp.c?rev=1.10&view=markup
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?1a3ae431"
      );
      # http://cvs.sourceforge.net/viewcvs.py/courier/libs/unicode/shiftjis.c?rev=1.6&view=markup
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?6efec52b"
      );
      # https://vuxml.freebsd.org/freebsd/98bd69c3-834b-11d8-a41f-0020ed76ef5a.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?d834e6b5"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:courier");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:courier-imap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:sqwebmail");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2004/02/01");
      script_set_attribute(attribute:"patch_publication_date", value:"2004/03/31");
      script_set_attribute(attribute:"plugin_publication_date", value:"2005/07/13");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"FreeBSD Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("freebsd_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD");
    if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (pkg_test(save_report:TRUE, pkg:"courier<0.45")) flag++;
    if (pkg_test(save_report:TRUE, pkg:"courier-imap<3.0,1")) flag++;
    if (pkg_test(save_report:TRUE, pkg:"sqwebmail<4.0")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");