On Tue, 2003-01-14 at 14:32, Tony Earnshaw wrote:
> How would an rfc822/2822 mail message do this? What sort of an
> attachment would do this? "Click on this Linux executable and you'll be
> born to heaven."

When you get an email with an iCal attachment, Evolution will automatically decode the attachment and present the calendar information when you view the email.

Let's say Evolution supports base64-encoded iCal files. (It might, I don't know.) It gets a MIME part that is text/calendar and sees that it is base64-encoded, so it passes the part through a base64 decoder. The resulting decoded data is then passed through the iCal parser which has an exploitable buffer overflow bug. The decoded part can use all 8 bits and can be formatted in a way that is necessary to smash the stack and execute arbitrary code as the user running Evolution.

The code that is executed could, for instance, start deleting files from the user's home directory, or do some interesting things with cron. Or it could then exploit an overflow in a suid binary to escalate to root. And then the possibilities are endless.

Of course the above is completely hypothetical. But is that sort of attack really that unreasonable? Difficult, yes, and a lot of very specific conditions would have to be met. But probably not unreasonable. We've seen more impressive things.

> > http://online.securityfocus.com/archive/1/306476/2003-01-11/2003-01-17/0
>
> The last has nothing to do with Evo.

No, it doesn't, but my point was that "benign data" like images, video, MP3s, or even email, can be used to exploit a vulnerability in the software that reads it as input.

Cheers,
Jason.

--
Jason Tackaberry :: [EMAIL PROTECTED] :: 705-949-2301 x330
Academic Computing Support Specialist
Information Technology Services
Algoma University College :: www.auc.ca
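
The decode-then-parse path described in the message above, seen from the parser author's side, as an added example that is not part of the original post and is not Evolution's code. It decodes a base64 part and parses one "NAME:VALUE" line with every length checked before any copy; the size limits, the struct and the function names are assumptions made for this sketch.

```c
#include <stdio.h>
#include <string.h>

#define PROP_NAME_MAX  32   /* assumed limits for this sketch */
#define PROP_VALUE_MAX 128

struct ical_prop { char name[PROP_NAME_MAX + 1]; char value[PROP_VALUE_MAX + 1]; };

static int b64_val(unsigned char c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    return c == '+' ? 62 : c == '/' ? 63 : -1;
}

/* Decode base64 into out; -1 on an invalid character or when cap would be exceeded. */
long b64_decode(const char *in, unsigned char *out, size_t cap) {
    unsigned acc = 0; int bits = 0; size_t n = 0;
    for (; *in && *in != '='; in++) {
        int v = b64_val((unsigned char)*in);
        if (v < 0) return -1;
        acc = ((acc << 6) | (unsigned)v) & 0xFFFF;
        if ((bits += 6) >= 8) {
            if (n >= cap) return -1;          /* never write past the caller's buffer */
            bits -= 8;
            out[n++] = (unsigned char)(acc >> bits);
        }
    }
    return (long)n;
}

/* Parse one decoded "NAME:VALUE" line. The input is a byte range, not a C string,
   and may hold any 8-bit value, so every length is checked before copying. */
int parse_prop(const unsigned char *line, size_t len, struct ical_prop *p) {
    const unsigned char *colon = memchr(line, ':', len);
    if (!colon || memchr(line, '\0', len)) return -1;   /* no separator, or embedded NUL */
    size_t nlen = (size_t)(colon - line), vlen = len - nlen - 1;
    if (nlen == 0 || nlen > PROP_NAME_MAX || vlen > PROP_VALUE_MAX) return -1;
    memcpy(p->name, line, nlen);       p->name[nlen] = '\0';
    memcpy(p->value, colon + 1, vlen); p->value[vlen] = '\0';
    return 0;
}

int main(void) {
    unsigned char buf[256]; struct ical_prop p;   /* constructed sample: "SUMMARY:Lunch" */
    long n = b64_decode("U1VNTUFSWTpMdW5jaA==", buf, sizeof buf);
    if (n < 0 || parse_prop(buf, (size_t)n, &p) != 0) return 1;
    printf("%s = %s\n", p.name, p.value);
    return 0;
}
```

The overflow in the hypothetical corresponds to a parser that copies the name or value into a fixed-size stack buffer without the two length comparisons in `parse_prop`.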
