Re: [Evolution] Is virus protection required?
- From: Jason Tackaberry <tack auc ca>
- To: Tony Earnshaw <tonni billy demon nl>
- Cc: Dave Finnegan <dave synchronicity com>, Evolution Mailing List <evolution ximian com>
- Subject: Re: [Evolution] Is virus protection required?
- Date: 14 Jan 2003 15:17:19 -0500
On Tue, 2003-01-14 at 14:32, Tony Earnshaw wrote:
How would an rfc822/2822 mail message do this? What sort of an
attachment would do this? "Click on this Linux executable and you'll be
born to heaven."
When you get an email with an iCal attachment, Evolution will
automatically decode the attachment and present the calendar information
when you view the email. Let's say Evolution supports base64-encoded
iCal files. (It might, I don't know.) It gets a MIME part that is
text/calendar and sees that it is base64-encoded, so it passes the part
through a base64 decoder. The resulting decoded data is then passed
through the iCal parser which has an exploitable buffer overflow bug.
The decoded part can use all 8 bits and can be formatted in a way that
is necessary to smash the stack and execute arbitrary code as the user
The code that is executed could, for instance, start deleting files from
the user's home directory, or do some interesting things with cron. Or.
it could then exploit an overflow in a suid binary to escalate to root.
And then the possibilities are endless.
Of course the above is completely hypothetical. But is that sort of
attack really that unreasonable? Difficult, yes, and a lot of very
specific conditions would have to be met. But probably not
unreasonable. We've seen more impressive things.
The last has nothing to do with Evo.
No, it doesn't, but my point was that "benign data" like images, video,
MP3s, or even email, can be used to exploit a vulnerability in the
software that reads it as input.
Jason Tackaberry :: tack auc ca :: 705-949-2301 x330
Academic Computing Support Specialist
Information Technology Services
Algoma University College :: www.auc.ca
] [Thread Prev