BufferOverflow in Eremove Client

CVE               : CVE-2021-12345
Category          : CWE-121
Price             : $500
Severity          : High
Author            : ExploitLabs
Risk              : Critical
Exploitation Type : Remote
Date              : 2006-08-15
CVSS              : CVSS:4.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS              : 0.02192
EPSSP             : 0.50148


Our sensors found this exploit at: http://cxsecurity.com/ascii/WLB-2006080077

Below is a copy:

ECHO.OR.ID
ECHO_ADV_42$2006

---------------------------------------------------------------------------
[ECHO_ADV_42$2006] BufferOverflow in Eremove Client
---------------------------------------------------------------------------

Author       : Dedi Dwianto
Date         : Aug, 01st 2006
Location     : Indonesia, Jakarta
Web          : http://advisories.echo.or.id/adv/adv42-theday-2006.txt
Exploitation : Local
Critical Lvl : High
---------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Application : Eremove
version     : 1.4
URL         : http://eremove.sourceforge.net/
Description :

Eremove is a simple GTK-based application for Linux for logging into
a POP3 mail account, quickly seeing a summary of everything that is
waiting there for you, and previewing or deleting some or all of those
emails painlessly.
---------------------------------------------------------------------------

Vulnerability:
~~~~~~~~~~~~~~~~

The function preview_create used by Eremove is affected by a buffer
overflow. It copies the data of the input email into the message_body
buffer, which holds only 65534 bytes, with strcpy and no length check,
so any data beyond that size is written past the end of the buffer.

------------------gui.cpp-----------------------------
.....
gint preview_create (int message_num) {
...
    GtkWidget       *hbox;
    GtkWidget       *vscrollbar;
    char            *tmp_pntr;
    char            tmp_str[255];
    char            buf[65534];
    char            message_body[65534];
    gint            i;
...
}
if (!find_header_field("Date", buf, &date)) {
    date = (char *) malloc(strlen("unspecified")*sizeof(char));
    strcpy(date, "unspecified");
}
strcpy(message_body, buf);
...
----------------------------------------------------------
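
The unchecked copies in the excerpt above, rewritten with explicit bounds. This is an added example, not code from the advisory or from Eremove: bounded_copy, dup_default, demo_oversized_body and BODY_MAX are hypothetical names, and the oversized body is constructed input.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#define BODY_MAX 65534  /* size of message_body in the advisory's excerpt */

/* Hypothetical helper: copy at most dst_size-1 bytes of src into dst and
 * always NUL-terminate. Returns 0 if everything fit, 1 if the input was
 * truncated, -1 on bad arguments. */
int bounded_copy(char *dst, size_t dst_size, const char *src)
{
    const char *end;

    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    end = memchr(src, '\0', dst_size);   /* look no further than dst_size */
    if (end == NULL) {                   /* source does not fit */
        memcpy(dst, src, dst_size - 1);
        dst[dst_size - 1] = '\0';
        return 1;
    }
    memcpy(dst, src, (size_t)(end - src) + 1);  /* includes the terminator */
    return 0;
}

/* Hypothetical helper: heap copy of a default header value. The excerpt
 * allocates strlen("unspecified") bytes, one short of the terminator. */
char *dup_default(const char *value)
{
    size_t len = strlen(value) + 1;      /* +1 for the NUL byte */
    char *p = malloc(len);

    if (p != NULL)
        memcpy(p, value, len);
    return p;
}

/* Constructed input: a body larger than the destination buffer. */
int demo_oversized_body(void)
{
    static char big[100 * 1024 + 1];     /* zero-initialised, so terminated */
    static char message_body[BODY_MAX];

    memset(big, 'A', sizeof big - 1);
    if (bounded_copy(message_body, sizeof message_body, big) != 1)
        return -1;                       /* truncation must be reported */
    return (int)strlen(message_body);    /* BODY_MAX - 1 */
}
```

A caller can treat the return value 1 as a signal to show a "message truncated" notice in the preview rather than failing silently.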

POC:
~~~~

Send an email with an attachment larger than 100 KB
and open it with Eremove.
Eremove will crash.
---------------------------------------------------------------------------

Shoutz:
~~~~~~~

~ y3dips,moby,comex,z3r0byt3,K-159,c-a-s-e,S`to,lirva32,anonymous
~ My Lovely Jessy
~ newbie_hacker (at) yahoogroups (dot) com
~ #aikmel #e-c-h-o @irc.dal.net
~ SUPPORT PALESTINE & LEBANON
---------------------------------------------------------------------------

Contact:
~~~~~~~~

Dedi Dwianto || echo|staff || the_day[at]echo[dot]or[dot]id
Homepage: http://theday.echo.or.id/

-------------------------------- [ EOF ] ----------------------------------
