X41 D-Sec GmbH Security Advisory: X41-2017-002

Multiple Vulnerabilities in ytnef

Overview

Summary and Impact

Multiple Heap Overflows, out of bound writes and reads, NULL pointer dereferences and infinite loops have been discovered in ytnef 1.9 an earlier. These could be exploited by tricking a user into opening a malicious winmail.dat file.

Product Description

ytnef offers a library and utilities to extract the files from winmail.dat files. winmail.dat files are send by Microsoft Outlook when forwarding files via e-mail. Vendor was very responsive in providing a patched version.

Analysis

Due to the big amount of issues found no detailed analysis is given here. Almost all allocations were unchecked and out of bounds checks rarely perfomed in the code.

In total 9 patches were generated for the following issues:

  1. Null Pointer Deref / calloc return value not checked
  2. Infinite Loop / DoS
  3. Buffer Overflow in version field
  4. Out of Bound Reads
  5. Integer Overflow
  6. Invalid Write and Integer Overflow
  7. Out of Bounds read
  8. Out of Bounds read and write
  9. Directory Traversal using the filename

To detail some of the findings, here are excerpts from the quickly written patch, which was send to the vendor:

Missing out of bounds checks:

diff --git a/lib/ytnef.c b/lib/ytnef.c
index ad92f15..5dd07a7 100644
--- a/lib/ytnef.c
+++ b/lib/ytnef.c
@@ -55,6 +55,7 @@
 #define MIN(x,y) (((x)<(y))?(x):(y))
#define ALLOCCHECK(x) { if(!x) { printf(“Out of Memory\n”); exit(-1); } }
+#define SIZECHECK(x) { if ((((char *)d - (char *)data) + x) >= size) {  printf("Corrupted file\n"); exit(-1); } }
 
 void TNEFFillMapi(TNEFStruct *TNEF, BYTE *data, DWORD size, MAPIProps *p);
 	void SetFlip(void);
@@ -427,9 +428,11 @@ void TNEFFillMapi(TNEFStruct *TNEF, BYTE *data, DWORD size, MAPIProps *p) {
       length = -1;
       if (PROP_ID(mp->id) >= 0x8000) {
         // Read the GUID
+        SIZECHECK(16);
         memcpy(&(mp->guid[0]), d, 16);
         d += 16;
 
+        SIZECHECK(4);
         length = SwapDWord((BYTE*)d, 4);

Infinite Loop:

diff --git a/lib/ytnef.c b/lib/ytnef.c
index 328e605..43b0e56 100644
--- a/lib/ytnef.c
+++ b/lib/ytnef.c
@@ -546,6 +546,9 @@ void TNEFFillMapi(TNEFStruct *TNEF, BYTE *data, DWORD size, MAPIProps *p) {
         memcpy(vl->data, d, vl->size);
         d+=16;
         break;
+      default:
+        printf("Bad file\n");
+        exit(-1);
     }
 
     switch (PROP_ID(mp->id)) {

Buffer Overflow:

diff --git a/lib/tnef-types.h b/lib/tnef-types.h
index 7b6ad01..2a9709a 100644
--- a/lib/tnef-types.h
+++ b/lib/tnef-types.h
@@ -103,7 +103,7 @@ typedef struct {
 	} TNEFMemInfo;
 	
 typedef struct {
-  char version[10];
+  char version[16];
   variableLength from;
   variableLength subject;
   dtr dateSent;

Workarounds

Update to version 1.9.1 as released on https://github.com/yeraze/ytnef

About X41 D-Sec GmbH

X41 D-Sec is a provider of application security services. We focus on application code reviews, design review and security testing. X41 D-Sec GmbH was founded in 2015 by Markus Vervier. We support customers in various industries such as finance, software development and public institutions.

Timeline