what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

tnef 1.4.12 OOB Read / Write / Type Confusions / Integer Overflows

tnef 1.4.12 OOB Read / Write / Type Confusions / Integer Overflows
Posted Feb 24, 2017
Authored by Eric Sesterhenn

tnef versions 1.4.12 and below suffer from multiple integer overflows, type confusions, and out of bounds read and write vulnerabilities.

tags | advisory, overflow, vulnerability
SHA-256 | 5705b80ef5130f182eaa09743b3b19d2e17761e1bcc5443fc91394d3bdbe51e3

tnef 1.4.12 OOB Read / Write / Type Confusions / Integer Overflows

Change Mirror Download

X41 D-Sec GmbH Security Advisory: X41-2017-004

Multiple Vulnerabilities in tnef
================================

Overview
--------
Confirmed Affected Versions: 1.4.12 and earlier
Confirmed Patched Versions:
Vendor: verdammelt
Vendor URL: https://github.com/verdammelt/tnef/
Vector: File
Credit: X41 D-Sec GmbH, Eric Sesterhenn
Status: Public
Advisory-URL: https://www.x41-dsec.de/lab/advisories/x41-2017-004-tnef/


Summary and Impact
------------------
Multiple Integer Overflows, Type Confusions and Out of Band Reads and
Writes have been discovered in tnef 1.4.12 and earlier. These could
be exploited by tricking a user into opening a malicious winmail.dat file.


Product Description
-------------------
From the Readme.md:
TNEF is a program for unpacking MIME attachments of type
"application/ms-tnef". This is a Microsoft only attachment. Due to the
proliferation of Microsoft Outlook and Exchange mail servers, more and
more mail is encapsulated into this format. The TNEF program allows one
to unpack the attachments which were encapsulated into the TNEF
attachment. Thus alleviating the need to use Microsoft Outlook to view
the attachment. TNEF is mainly tested and used on GNU/Linux and CYGWIN
systems. It 'should' work on other UNIX and UNIX-like systems.



Integer Overflows in Memory Allocator
=====================================
Severity Rating: High
Vector: Local
CVE: Not yet assigned
CVSS Score: 7.0
CVSS Vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Summary and Impact
------------------
Several Integer Overflows, which can lead to Heap Overflows have been
identified in the functions, which wrap memory allocation.

Workarounds
-----------
None, X41 D-Sec GmbH recommends to update to the latest version.



Type Confusion in src/tnef.c:parse_file()
=========================================
Severity Rating: High
Vector: Local
CVE: Not yet assigned
CVSS Score: 7.0
CVSS Vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Summary and Impact
------------------
Two type confusions have been identified in the parse_file() function.
These might lead to invalid read and write operations, controlled by an
attacker.

Workarounds
-----------
None, X41 D-Sec GmbH recommends to update to the latest version.



OOB Writes in src/mapi_attr.c:mapi_attr_read()
==============================================
Severity Rating: High
Vector: Local
CVE: Not yet assigned
CVSS Score: High
CVSS Vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Summary and Impact
------------------
Two OOB Writes have been identified in src/mapi_attr.c:mapi_attr_read().
These might lead to invalid read and write operations, controlled by an
attacker.

Workarounds
-----------
None, X41 D-Sec GmbH recommends to update to the latest version.


Type Confusion in src/file.c:file_add_mapi_attrs()
==================================================
Severity Rating: High
Vector: Local
CVE: Not yet assigned
CVSS Score: 7.0
CVSS Vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Summary and Impact
------------------
Four type confusions have been identified in the file_add_mapi_attrs()
function. These might lead to invalid read and write operations,
controlled by an attacker.

Workarounds
-----------
None, X41 D-Sec GmbH recommends to update to the latest version.


About X41 D-Sec GmbH
--------------------
X41 D-Sec is a provider of application security services. We focus on
application code reviews, design review and security testing. X41 D-Sec
GmbH was founded in 2015 by Markus Vervier. We support customers in
various industries such as finance, software development and public
institutions.

Timeline
--------
2017-02-17 Issue found
2017-02-19 Vendor contacted
2017-02-20 CVE IDs requested
2017-02-21 Vendor Reply
2017-02-23 Vendor releases patched version
2017-02-23 Advisory released

--
X41 D-SEC GmbH, Dennewartstr. 25-27, D-52068 Aachen
T: +49 241 9809418-0, Fax: -9
Unternehmenssitz: Aachen, Amtsgericht Aachen: HRB19989
GeschA$?ftsfA1/4hrer: Markus Vervier





Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close