ID

VAR-200607-0420


CVE

CVE-2006-3901


TITLE

Tumbleweed EMF Vulnerable to stack-based buffer overflow

Trust: 0.8

sources: JVNDB: JVNDB-2006-002930

DESCRIPTION

Multiple stack-based buffer overflows in Tumbleweed Email Firewall (EMF) allow remote attackers to execute arbitrary code via an email attachment with an LHA archive that contains a (1) file or (2) directory with a long LHA extended header, (3) an LHA archive in which the "temporary pathname" field for decompressed output is greater than 2 bytes, or (4) an LHA archive with a long filename.

Tumbleweed MailGate Email Firewall is prone to multiple buffer-overflow vulnerabilities in its LHA processing routines. A successful attack can allow a remote attacker to corrupt process memory by triggering various overflow conditions in the LHA processing engine. This may lead to arbitrary code execution in the context of the MMSDecompose (a process of the EMF Decomposer component), resulting in a full compromise. These vulnerabilities reportedly affect all versions of the Tumbleweed MailGate Email Firewall.

----------------------------------------------------------------------

TITLE: Tumbleweed Email Firewall LHA File Parsing Vulnerabilities

SECUNIA ADVISORY ID: SA21194

VERIFY ADVISORY: http://secunia.com/advisories/21194/

CRITICAL: Highly critical

IMPACT: System access

WHERE: From remote

SOFTWARE:
MailGate Email Firewall 6.x
http://secunia.com/product/11136/
Tumbleweed Messaging Management System (MMS) 5.x
http://secunia.com/product/3588/

DESCRIPTION: Ryan Smith has reported three vulnerabilities in Tumbleweed Email Firewall, which can be exploited by malicious people to compromise a vulnerable system.

1) A boundary error within the processing of LHA extended-header filenames can be exploited to cause a stack-based buffer overflow.

2) A boundary error within the processing of LHA extended-header directory names can be exploited to cause a stack-based buffer overflow.

Successful exploitation of the vulnerabilities allows execution of arbitrary code when an e-mail with a specially crafted attachment is processed.

SOLUTION: According to the researcher, the vendor will not be releasing a patch. Instead, the vendor has reportedly suggested a workaround (contact the vendor for more information).

PROVIDED AND/OR DISCOVERED BY: Ryan Smith

ORIGINAL ADVISORY: http://www.hustlelabs.com/advisories/04072006_tweed.pdf

Trust: 2.07

sources: NVD: CVE-2006-3901 // JVNDB: JVNDB-2006-002930 // BID: 19146 // VULHUB: VHN-20009 // PACKETSTORM: 48530

AFFECTED PRODUCTS

vendor: tumbleweed, model: mailgate email firewall, scope: -, version: -

Trust: 1.4

vendor: tumbleweed, model: mailgate email firewall, scope: eq, version: *

Trust: 1.0

vendor: tumbleweed, model: mailgate email firewall, scope: eq, version: 0

Trust: 0.3

sources: BID: 19146 // JVNDB: JVNDB-2006-002930 // CNNVD: CNNVD-200607-483 // NVD: CVE-2006-3901

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2006-3901
value: HIGH

Trust: 1.0

NVD: CVE-2006-3901
value: HIGH

Trust: 0.8

CNNVD: CNNVD-200607-483
value: HIGH

Trust: 0.6

VULHUB: VHN-20009
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2006-3901
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-20009
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-20009 // JVNDB: JVNDB-2006-002930 // CNNVD: CNNVD-200607-483 // NVD: CVE-2006-3901

PROBLEMTYPE DATA

problemtype:NVD-CWE-Other

Trust: 1.0

sources: NVD: CVE-2006-3901

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-200607-483

TYPE

buffer overflow

Trust: 0.6

sources: CNNVD: CNNVD-200607-483

CONFIGURATIONS

sources: JVNDB: JVNDB-2006-002930

PATCH

title: Top Page, url: http://www.axway.com/

Trust: 0.8

sources: JVNDB: JVNDB-2006-002930

EXTERNAL IDS

db: NVD, id: CVE-2006-3901

Trust: 2.5

db: BID, id: 19146

Trust: 2.0

db: SECUNIA, id: 21194

Trust: 1.8

db: OSVDB, id: 27495

Trust: 1.7

db: VUPEN, id: ADV-2006-2970

Trust: 1.7

db: JVNDB, id: JVNDB-2006-002930

Trust: 0.8

db: CNNVD, id: CNNVD-200607-483

Trust: 0.7

db: BUGTRAQ, id: 20060725 HUSTLE -- TUMBLEWEED EMAIL FIREWALL REMOTE VULNERABILITY

Trust: 0.6

db: FULLDISC, id: 20060724 HUSTLE -- TUMBLEWEED EMAIL FIREWALL REMOTE

Trust: 0.6

db: VULHUB, id: VHN-20009

Trust: 0.1

db: PACKETSTORM, id: 48530

Trust: 0.1

sources: VULHUB: VHN-20009 // BID: 19146 // JVNDB: JVNDB-2006-002930 // PACKETSTORM: 48530 // CNNVD: CNNVD-200607-483 // NVD: CVE-2006-3901

REFERENCES

url:http://www.hustlelabs.com/advisories/04072006_tweed.pdf

Trust: 1.8

url:http://www.securityfocus.com/bid/19146

Trust: 1.7

url:http://www.osvdb.org/27495

Trust: 1.7

url:http://secunia.com/advisories/21194

Trust: 1.7

url:http://www.securityfocus.com/archive/1/441497/100/0/threaded

Trust: 1.1

url:http://www.vupen.com/english/advisories/2006/2970

Trust: 1.1

url:http://marc.info/?l=full-disclosure&m=115378437918939&w=2

Trust: 1.0

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2006-3901

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2006-3901

Trust: 0.8

url:http://www.securityfocus.com/archive/1/archive/1/441497/100/0/threaded

Trust: 0.6

url:http://www.frsirt.com/english/advisories/2006/2970

Trust: 0.6

url:http://marc.theaimsgroup.com/?l=full-disclosure&m=115378437918939&w=2

Trust: 0.6

url:http://www.hustlelabs.com

Trust: 0.3

url:http://vuln.sg/lhaplus152-en.html

Trust: 0.3

url:http://www7a.biglobe.ne.jp/~schezo/

Trust: 0.3

url:http://marc.info/?l=full-disclosure&m=115378437918939&w=2

Trust: 0.1

url:http://secunia.com/product/11136/

Trust: 0.1

url:http://secunia.com/product/3588/

Trust: 0.1

url:http://secunia.com/advisories/21194/

Trust: 0.1

sources: VULHUB: VHN-20009 // BID: 19146 // JVNDB: JVNDB-2006-002930 // PACKETSTORM: 48530 // CNNVD: CNNVD-200607-483 // NVD: CVE-2006-3901

CREDITS

Ryan Smith

Trust: 0.6

sources: CNNVD: CNNVD-200607-483

SOURCES

db: VULHUB, id: VHN-20009
db: BID, id: 19146
db: JVNDB, id: JVNDB-2006-002930
db: PACKETSTORM, id: 48530
db: CNNVD, id: CNNVD-200607-483
db: NVD, id: CVE-2006-3901

LAST UPDATE DATE

2024-08-14T14:59:11.936000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-20009, date: 2018-10-17T00:00:00
db: BID, id: 19146, date: 2006-07-25T22:52:00
db: JVNDB, id: JVNDB-2006-002930, date: 2012-12-20T00:00:00
db: CNNVD, id: CNNVD-200607-483, date: 2006-08-26T00:00:00
db: NVD, id: CVE-2006-3901, date: 2018-10-17T21:32:15.470

SOURCES RELEASE DATE

db: VULHUB, id: VHN-20009, date: 2006-07-27T00:00:00
db: BID, id: 19146, date: 2006-07-25T00:00:00
db: JVNDB, id: JVNDB-2006-002930, date: 2012-12-20T00:00:00
db: PACKETSTORM, id: 48530, date: 2006-07-26T05:33:34
db: CNNVD, id: CNNVD-200607-483, date: 2006-07-27T00:00:00
db: NVD, id: CVE-2006-3901, date: 2006-07-27T11:04:00