Re: [Evolution] Is virus protection required?



On Tue, 2003-01-14 at 14:32, Tony Earnshaw wrote:
> How would an rfc822/2822 mail message do this? What sort of an
> attachment would do this? "Click on this Linux executable and you'll be
> born to heaven."

When you get an email with an iCal attachment, Evolution will
automatically decode the attachment and present the calendar information
when you view the email.  Let's say Evolution supports base64-encoded
iCal files.  (It might, I don't know.)  It gets a MIME part that is
text/calendar and sees that it is base64-encoded, so it passes the part
through a base64 decoder.  The resulting decoded data is then passed
through the iCal parser which has an exploitable buffer overflow bug. 
The decoded part can use all 8 bits and can be formatted in a way that
is necessary to smash the stack and execute arbitrary code as the user
running Evolution.  

The code that is executed could, for instance, start deleting files from
the user's home directory, or do some interesting things with cron.  Or
it could then exploit an overflow in a suid binary to escalate to root. 
And then the possibilities are endless.

Of course the above is completely hypothetical.  But is that sort of
attack really that unreasonable?  Difficult, yes, and a lot of very
specific conditions would have to be met.  But probably not
unreasonable.  We've seen more impressive things.

http://online.securityfocus.com/archive/1/306476/2003-01-11/2003-01-17/0

> The last has nothing to do with Evo.

No, it doesn't, but my point was that "benign data" like images, video,
MP3s, or even email, can be used to exploit a vulnerability in the
software that reads it as input.

Cheers,
Jason.

-- 
Jason Tackaberry  ::  tack auc ca  :: 705-949-2301 x330 
Academic Computing Support Specialist
Information Technology Services
Algoma University College  ::  www.auc.ca
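
The decode-then-parse path described in the message above, as an added example that is not part of the original post and is not Evolution's code: it decodes a base64 `text/calendar` part with Python's standard `email` package, shows that arbitrary octets come out of the decoder, and applies a pre-parse check. The function names, the two size limits and the sample messages are assumptions constructed for this illustration.

```python
import base64
from email import message_from_bytes, policy

MAX_PART_BYTES = 64 * 1024  # assumed policy cap on one decoded calendar part
MAX_LINE_OCTETS = 998       # assumed policy cap on one content line

def build_message(calendar_bytes):
    """Constructed sample message carrying one base64 text/calendar part."""
    return (b"From: sender@example.com\r\n"
            b"Subject: meeting\r\n"
            b"MIME-Version: 1.0\r\n"
            b"Content-Type: text/calendar; charset=utf-8\r\n"
            b"Content-Transfer-Encoding: base64\r\n"
            b"\r\n" + base64.encodebytes(calendar_bytes))

def decoded_calendar(raw_message):
    """Return the decoded bytes of the first text/calendar part, or None."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    for part in msg.walk():
        if part.get_content_type() == "text/calendar":
            # decode=True undoes base64, so any octet value can come out.
            return part.get_payload(decode=True)
    return None

def check_calendar_part(raw_message):
    """Return (ok, reason) before the payload is given to a calendar parser."""
    data = decoded_calendar(raw_message)
    if data is None:
        return False, "no text/calendar part"
    if len(data) > MAX_PART_BYTES:
        return False, "part too large"
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return False, "not valid UTF-8"
    for line in data.splitlines():
        if len(line) > MAX_LINE_OCTETS:
            return False, "content line too long"
        if any((b < 0x20 and b != 0x09) or b == 0x7F for b in line):
            return False, "control octet in content line"
    if not data.startswith(b"BEGIN:VCALENDAR"):
        return False, "missing BEGIN:VCALENDAR"
    return True, "ok"

# Constructed payloads: a normal invite, an over-long line, raw binary.
GOOD = b"BEGIN:VCALENDAR\r\nVERSION:2.0\r\nEND:VCALENDAR\r\n"
LONG = b"BEGIN:VCALENDAR\r\nSUMMARY:" + b"A" * 5000 + b"\r\nEND:VCALENDAR\r\n"
BINARY = b"BEGIN:VCALENDAR\r\nSUMMARY:\xff\xfe\x00\x01\r\nEND:VCALENDAR\r\n"

if __name__ == "__main__":
    for name, payload in (("good", GOOD), ("long", LONG), ("binary", BINARY)):
        print(name, check_calendar_part(build_message(payload)))
```

A check like this only narrows what reaches the parser; an overflow in the parser itself still has to be fixed there with bounded reads.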





