Summary
Gaucho is an email client developed by NakedSoft for Microsoft Windows platforms. Gaucho supports SMTP, POP3 and other email delivery protocols. Gaucho version 1.4 Build 145 is vulnerable to a buffer overflow when receiving malformed emails from a POP3 server. The vulnerability is triggered when Gaucho receives from the POP3 server a specially crafted email containing an abnormally long string in the Content-Type header field. This string overwrites EIP via SEH and can be exploited to execute arbitrary code.
Tested System
Gaucho 1.4 Build 145 on English Win2K SP4
Details
Gaucho version 1.4 Build 145 is vulnerable to a buffer overflow when receiving malformed emails from a POP3 server. The vulnerability is triggered when Gaucho receives from the POP3 server a specially crafted email containing an abnormally long string in the Content-Type header field. This string overwrites EIP via SEH and can be exploited to execute arbitrary code. A sample email that triggers the overflow is shown below.
Date: Mon, 09 Aug 2004 19:44:13 +0800
Subject: Testing
To: a@aaaaaa.xxx
From: XX <xx@xxxxxxxx.xxx.xx>
Message-ID: <GM109205179359A000.b76.xx@xxxxxxxx.xxx.xx>
MIME-Version: 1.0
Content-Type: AAAAAAAAAAAAA[approx. 280 chars]...; charset=US-ASCII
Content-Transfer-Encoding: 7bit
X-Mailer: Gaucho Version 1.4.0 Build 145
Testing
.
The following OllyDbg screen capture shows that EIP was overwritten when an abnormally long string was supplied in the Content-Type email header.
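The trigger described above is an over-long header value, so the natural place to catch such a message is in front of the vulnerable client (a mail gateway or a POP3 proxy), before the client ever parses it. The following check is an added example written for this advisory; it is not code from the advisory, from NakedSoft or from Gaucho. It parses the header block of a raw RFC 2822 message, unfolds continuation lines (a long value can be folded across several physical lines and would be missed by a per-line check), and flags any header whose unfolded value exceeds a threshold. The 256-character limit and the sample messages are assumptions constructed for the example; the oversized sample mirrors the advisory's message with a Content-Type value padded to about 280 characters.

```python
"""Flag RFC 2822 header fields with abnormally long values (added example, not advisory code)."""
from __future__ import annotations

import re

# Assumed policy threshold for a single unfolded header value. Tune for the deployment;
# the advisory's trigger is roughly 280 characters, so 256 is a conservative choice.
MAX_HEADER_VALUE = 256


def parse_headers(raw: str) -> list[tuple[str, str]]:
    """Return (name, unfolded value) pairs from the header block of a raw message.

    The header block ends at the first empty line. Lines that begin with a space or tab
    are folded continuations (RFC 2822 section 2.2.3) and are appended to the previous field.
    """
    head = re.split(r"\r?\n\r?\n", raw, maxsplit=1)[0]
    fields: list[tuple[str, str]] = []
    for line in head.splitlines():
        if line[:1] in (" ", "\t") and fields:
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, _, value = line.partition(":")
            fields.append((name.strip(), value.strip()))
        # A line with no colon and no preceding field is malformed and is ignored here.
    return fields


def check_header_lengths(raw: str, limit: int = MAX_HEADER_VALUE) -> list[dict]:
    """Return one finding per header whose unfolded value is longer than `limit`."""
    findings = []
    for name, value in parse_headers(raw):
        if len(value) > limit:
            findings.append({"header": name, "length": len(value), "limit": limit})
    return findings


# Constructed sample messages (not captured traffic).
BENIGN_MESSAGE = (
    "Date: Mon, 09 Aug 2004 19:44:13 +0800\r\n"
    "Subject: Testing\r\n"
    "To: a@aaaaaa.xxx\r\n"
    "From: XX <xx@xxxxxxxx.xxx.xx>\r\n"
    "MIME-Version: 1.0\r\n"
    "Content-Type: text/plain; charset=US-ASCII\r\n"
    "Content-Transfer-Encoding: 7bit\r\n"
    "\r\n"
    "Testing\r\n"
)

# Content-Type padded to about 280 characters, as in the advisory's sample.
SAMPLE_MESSAGE = (
    "Date: Mon, 09 Aug 2004 19:44:13 +0800\r\n"
    "Subject: Testing\r\n"
    "To: a@aaaaaa.xxx\r\n"
    "From: XX <xx@xxxxxxxx.xxx.xx>\r\n"
    "MIME-Version: 1.0\r\n"
    "Content-Type: " + "A" * 280 + "; charset=US-ASCII\r\n"
    "Content-Transfer-Encoding: 7bit\r\n"
    "\r\n"
    "Testing\r\n"
)

# The same over-long value folded across two physical lines, each under the limit on its own.
FOLDED_MESSAGE = (
    "Subject: Testing\r\n"
    "Content-Type: " + "A" * 200 + "\r\n"
    " " + "A" * 200 + "; charset=US-ASCII\r\n"
    "\r\n"
    "Testing\r\n"
)


if __name__ == "__main__":
    for label, msg in (("benign", BENIGN_MESSAGE), ("sample", SAMPLE_MESSAGE), ("folded", FOLDED_MESSAGE)):
        print(label, check_header_lengths(msg))
```

Measuring the unfolded value rather than each physical line is the point of the example: a gateway that only checks line length would pass the folded variant even though the client sees one contiguous value after unfolding. Rejecting or quarantining a message on a finding keeps it off the vulnerable client, which is the mitigation to pair with the vendor fix below.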
POC Exploit
Proof-of-concept code to validate this vulnerability can be downloaded here.
Patch
The author has fixed the vulnerability in Version 1.4 Build 151. Users are advised to upgrade to the fixed version.
Disclosure Timeline
09 Aug 04 - Vulnerability Discovered
10 Aug 04 - Initial Vendor Notification (no reply)
12 Aug 04 - Second Vendor Notification
14 Aug 04 - Author replied with fixed version
23 Aug 04 - Public Release
Contacts
Updated: 23/8/2004
webmaster@security.org.sg