Subject: Fwd: Advisory 05/2002: Another Fetchmail Remote Vulnerability
To: None <email@example.com>
From: Alan Post <firstname.lastname@example.org>
Date: 12/13/2002 03:07:29
fetchmail DOS buffer overflow, no control of mail server required.
From: Stefan Esser <email@example.com>
Subject: Advisory 05/2002: Another Fetchmail Remote Vulnerability
Date: Fri, 13 Dec 2002 11:17:59 +0100
-= Security Advisory =-
Advisory: Fetchmail remote vulnerability
Release Date: 2002/12/13
Last Modified: 2002/12/13
Author: Stefan Esser [firstname.lastname@example.org]
Application: Fetchmail <= 6.1.3
Severity: A vulnerability within Fetchmail could allow
Vendor Status: Vendor released version 6.2.0
In the light of recent discoveries we reaudited Fetchmail and found
another bufferoverflow within the default configuration. This heap
overflow can be used by remote attackers to crash it or to execute
arbitrary code with the privileges of the user running fetchmail.
Depending on the configuration this allows a remote root compromise.
When Fetchmail retrieves a mail it performs the so called reply-hack.
This basicly means that all headers that contain addresses are searched
for local addresses (without @domain part). When such an address is
found, Fetchmail appends an @ and the hostname of the mailserver to it.
To avoid unnecessary reallocating of the output buffer during this
process Fetchmail counts the number of addresses within the headerline
first. Then it reserves enough space for the case that all addresses
are locals. Unfourtunately this calculation is wrong because it counts
a) to many addresses and b) only takes the hostname in count and not
the extra @ which is also appended. This means at the moment where you
have enough (due to a) local addresses within the headerline every
additional address will overflow the buffer by one byte. This results
in an arbitrary size heap overflow, which was proved to be exploitable
on our Linux boxes. Due to the fact that this heapoverflow occurs in
malloc()ed areas we believe that BSD systems can only be crashed with
Finally it is important to mention that an attacker does not need
to spoof dns records, or control the mailserver to exploit this bug.
It is usually enough to send a mail to the victim that contains
specially crafted header lines.
Proof of Concept:
e-matters is not going to release an exploit for this vulnerability to
08. December 2002 - A patch that fixes this vulnerability was mailed
to the vendor.
13. December 2002 - Vendor released Fetchmail v6.2.0 which fixes
If you are running Fetchmail we suggest to upgrade to a new or patched
version as soon as possible.
pub 1024D/75E7AAD6 2002-02-26 e-matters GmbH - Securityteam
Key fingerprint = 43DD 843C FAB9 832A E5AB CAEB 81F2 8110 75E7 AAD6
Copyright 2002 Stefan Esser. All rights reserved.
Full-Disclosure - We believe in it.