ytnef:heap buffer overflow in TNEFFillMapi

Description

ytnef is a program to work with procmail to decode TNEF streams (winmail.dat attachments) like those created with Outlook. Unlike other similar programs, it can also create vCalendar/vCard entries from meeting requests, address cards, and task entries.

A heap buffer overflow vulnerability was found in function TNEFFillMapi in ytnef.c, which allows attackers to cause a denial of service via a crafted file.

#ytnefprint $FILE
=================================================================
heap-buffer-overflow on address 0x6020000008f8 at pc 0x000000520d34 bp 0x7ffeed1b7070 sp 0x7ffeed1b7068
WRITE of size 4 at 0x6020000008f8 thread T0
    #0 0x520d33 in TNEFFillMapi /home/haojun/Downloads/ytnef-master/lib/ytnef.c:543:18
    #1 0x51a612 in TNEFMapiProperties /home/haojun/Downloads/ytnef-master/lib/ytnef.c:396:7
    #2 0x52bca1 in TNEFParse /home/haojun/Downloads/ytnef-master/lib/ytnef.c:1184:15
    #3 0x52a3b2 in TNEFParseFile /home/haojun/Downloads/ytnef-master/lib/ytnef.c:1042:10
    #4 0x515530 in main /home/haojun/Downloads/ytnef-master/ytnefprint/main.c:80:9
    #5 0x7f917c2c9b34 in __libc_start_main /usr/src/debug/glibc-2.17-c758a686/csu/../csu/libc-start.c:274
    #6 0x41a8db in _start (/home/haojun/Downloads/ytnef-afl-build/bin/ytnefprint+0x41a8db)

0x6020000008f8 is located 7 bytes to the right of 1-byte region [0x6020000008f0,0x6020000008f1)
allocated by thread T0 here:
    #0 0x4df98d in calloc /home/haojun/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:74
    #1 0x51d470 in TNEFFillMapi /home/haojun/Downloads/ytnef-master/lib/ytnef.c:482:18
    #2 0x51a612 in TNEFMapiProperties /home/haojun/Downloads/ytnef-master/lib/ytnef.c:396:7
    #3 0x52a3b2 in TNEFParseFile /home/haojun/Downloads/ytnef-master/lib/ytnef.c:1042:10
    #4 0x515530 in main /home/haojun/Downloads/ytnef-master/ytnefprint/main.c:80:9

heap-buffer-overflow /home/haojun/Downloads/ytnef-master/lib/ytnef.c:543:18 in TNEFFillMapi
Shadow bytes around the buggy address:
  0x0c047fff80c0: fa fa 04 fa fa fa 00 00 fa fa 04 fa fa fa 00 00
  0x0c047fff80d0: fa fa 04 fa fa fa 00 00 fa fa 04 fa fa fa 00 00
  0x0c047fff80e0: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff80f0: fa fa 00 00 fa fa 04 fa fa fa 00 00 fa fa 04 fa
  0x0c047fff8100: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
=>0x0c047fff8110: fa fa 04 fa fa fa 00 00 fa fa 04 fa fa fa 01[fa]
  0x0c047fff8120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8160: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==17014==ABORTING

Affected version: 1.9.2

Fixed version:N/A

Commit fix:N/A

Credit: ADLab of Venustech.

CVE:N/A

Reproducer:

https://github.com/bestshow/p0cs/blob/master/heap-buffer-overflow-in_TNEFFillMapi_ytnef543

Timeline:

2017-06-08:bug discovered and reported to the ytnef GitHub issue page

2017-07-30:blog post about the issue

Permalink:

https://somevulnsofadlab.blogspot.com/2017/07/ytnefheap-buffer-overflow-in.html