######################################################################

                           Luigi Auriemma

Application:  Popcorn
              (http://www.ultrafunk.com)
Version:      1.20 and previous
Bug:          Multiple vulnerabilities
Date:         11 Jul 2002
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

######################################################################

===============
1) Introduction
===============

Popcorn is a good, tiny and easy-to-use mail client that runs on
Windows. It is really minimal in its functions (you can't send
attachments, for example), however I found it really useful.
Unfortunately it is no longer supported, so its development has
stopped and every bug found in it cannot be corrected.

######################################################################

======
2) Bug
======

The bugs I have found in this program at the moment are 3 (however I
will not publish other bugs about it if I find any).
Bugs A and C are triggered directly during the mailbox check, so the
user cannot see where the error is because the exploit mail is not
visible, and he must delete it manually or from another mail client.

Let's go:

-A-
Process frozen and resource consumption.

If an attacker sends a mail with the following subject:

  Subject: \t\t

the client tries to read the mail but it does not seem to understand
this subject, so it remains downloading the mail.
In fact it is frozen: the user can close it from the menu without
problem, but the process is still running and it eats some resources
(for example my AthlonXP is a bit slow), and the only method to
terminate it completely is from the CTRL-ALT-DEL menu or, better, from
a process management program like ATM or Killprocess.

-B-
Buffer overflow in subject field.

The client can be crashed when the user wants to read a mail with a
subject like this:

  Subject: (at least 490 'A's)

I don't think that I need to add anything else about this problem...

-C-
Bad management of the Date field in the mails received.

This is an example of how Popcorn reformats a Date field:

  Date: 1        =  01.01.2000 00:00
  Date: 11       =  11.01.2000 00:00
  Date: 111      =  20.04.2000 00:00
  Date: 1111     =  15.01.2003 00:00
  Date: 11111    =  02.06.2030 00:00
  Date: 111111   =  02.01.2032 11:03
  Date: 1111111  =  Crash!

So the attacker can crash the Popcorn client by sending it a mail
whose Date field contains a year greater than 2037 (2037 is the
maximum date that doesn't crash, tested on my PC) or, as I have
written before, 1111111 (or other numeric sequences that crash the
client).

######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/popcorn.zip

######################################################################

======
4) Fix
======

1.24 from the Ultrafunk homepage:

http://www.ultrafunk.com

######################################################################
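
The header checks whose absence bugs A, B and C point to, as an added defensive example (not code from Popcorn or from the advisory's author). SUBJECT_MAX, the function names and the 1970 to 2037 year window (the range a signed 32-bit time value can hold) are assumptions, as is reading `\t` in bug A as a tab character.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define SUBJECT_MAX 255   /* assumed buffer size, not Popcorn's real value */
#define YEAR_MIN 1970     /* assumed window: signed 32-bit time range */
#define YEAR_MAX 2037

enum hdr_status { HDR_OK, HDR_EMPTY, HDR_TOO_LONG, HDR_BAD_DATE };

/* Copy a Subject value into a fixed buffer; reject blank or oversized values. */
enum hdr_status check_subject(const char *value, char *out, size_t outsz)
{
    const char *p = value;
    size_t len;
    while (*p && isspace((unsigned char)*p))
        p++;                      /* skip leading tabs and spaces */
    if (*p == '\0')
        return HDR_EMPTY;         /* whitespace-only subject (bug A input) */
    len = strlen(p);
    if (len >= outsz)
        return HDR_TOO_LONG;      /* length checked before the copy (bug B) */
    memcpy(out, p, len + 1);
    return HDR_OK;
}

/* Parse "[Day,] DD Mon YYYY" and range-check each field before any conversion. */
enum hdr_status check_date(const char *value, int *day, int *mon, int *year)
{
    static const char *months = "JanFebMarAprMayJunJulAugSepOctNovDec";
    char name[4] = {0};
    int used = 0;
    const char *hit, *comma = strchr(value, ',');
    if (comma) value = comma + 1;            /* drop optional weekday */
    if (sscanf(value, " %2d %3s %4d%n", day, name, year, &used) != 3 ||
        isdigit((unsigned char)value[used])) /* year longer than 4 digits */
        return HDR_BAD_DATE;
    hit = strstr(months, name);
    if (strlen(name) != 3 || !hit || (hit - months) % 3 != 0)
        return HDR_BAD_DATE;                 /* bare digit runs end up here */
    *mon = (int)(hit - months) / 3 + 1;
    if (*day < 1 || *day > 31 || *year < YEAR_MIN || *year > YEAR_MAX)
        return HDR_BAD_DATE;                 /* e.g. a year above 2037 (bug C) */
    return HDR_OK;
}
```

A mail client would run both checks on every header fetched from the server and substitute a placeholder subject or date for anything that does not return HDR_OK.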