Bugtraq mailing list archives

Popcorn vulnerabilities


From: bugtest () sitoverde com
Date: Thu, 11 Jul 2002 21:16:49 +0200


######################################################################

Application: Popcorn (http://www.ultrafunk.com)
Version:     All versions, because it is no longer supported (however,
             the latest is 1.20)
Bug:         Multiple vulnerabilities
Risk:        Remote DoS
Author:      Auriemma Luigi (e-mail: bugtest () sitoverde com)

######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix
5) Philosophy

---

1) Introduction

Popcorn is a good, tiny and easy-to-use mail client that runs on
Windows.
It is really minimized in its functions (you can't send attachments,
for example); however, I found it really useful.
Unfortunately it is no longer supported, so its development has
stopped and any bug found in it cannot be corrected.

---

2) Bug

I have found 3 bugs in this program at the moment (however, I will
not publish other bugs about it if I find any).
Bugs A and C are exploited directly during the mailbox check, so the
user cannot see where the error is, because the exploit mail is not
visible, and he must delete it manually or from another mail
client.

Let's go:

-A-
-Process freeze and resource consumption.
If an attacker sends a mail with the following subject:

Subject: \t\t

the client tries to read the mail, but it seems not to understand
this subject, so it stays stuck downloading the mail.
Instead, it is frozen: the user can close it from the menu
without problems, but the process is still executing and it eats some
resources (for example, my AthlonXP becomes a bit slow), and the only
way to terminate it completely is from the CTRL-ALT-CANC menu or,
better, from a process management program like ATM or Killprocess.

-B-
-Buffer overflow in the subject field.
The client can be crashed when the user wants to read a mail with a
subject like this:

Subject: (at least 490 'A's)

I don't think I need to add anything else about this problem...

-C-
-Bad management of the Date field in received mails.
This is an example of how Popcorn reformats a Date field:

Date: 1       = 01.01.2000 00:00
Date: 11      = 11.01.2000 00:00
Date: 111     = 20.04.2000 00:00
Date: 1111    = 15.01.2003 00:00
Date: 11111   = 02.06.2030 00:00
Date: 111111  = 02.01.2032 11:03
Date: 1111111 = Crash!

So the attacker can crash the Popcorn client by sending it a mail
with a year greater than 2037 in the Date field (2037 is the
maximum date that doesn't crash, tested on my PC) or, as I have
written before, with 1111111 (or other numeric sequences that
crash the client).

---

3) The Code

I have attached a simple and tiny exploit that can send a mail with
one of the 3 exploits I have shown.
The source and the exe are only for Win, because Popcorn runs on Win,
and the exploit can be emulated with Wine anyway, so why lose time
and space (the attachment) to do another version?

---

4) Fix

No official fix (program no longer supported) and no tricks to fix it
temporarily.

---

5) Philosophy

I'm really hopeful about full disclosure, because with it
"everyone" can know the real effects of an attack, the real danger of
a bug, someone can learn a bit of programming (I have learned a bit of
C from the source code of some exploits) and it's useful for all the
people who are hopeful about this type of disclosure.
No secrets!

---

Any type of feedback is really welcome!

Byez


Attachment: popcorn.tgz
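The three header shapes in this advisory (a subject of bare whitespace, an oversized subject, and a Date value that is either bare digits or a year past 2037) can all be caught before a fragile client ever downloads the message. The following is an added example of a gateway-side check and rewrite; it is not code from the advisory, its attachment, or Ultrafunk. It assumes LF line endings, and MAX_SUBJECT_LEN, SAFE_DATE and the X-Original-Date header are choices made for this example, not values from the advisory. The 2037 limit is reused from the advisory as stated; it is the kind of boundary a signed 32-bit time_t produces, though the advisory itself does not say that.

```python
"""Header sanity filter for the three Popcorn-crashing header shapes (added example)."""
from email.utils import parsedate_to_datetime

MAX_SUBJECT_LEN = 256    # assumption: well below the ~490 bytes the advisory reports as fatal
MAX_SAFE_YEAR = 2037     # the advisory reports years above 2037 crash the client
SAFE_DATE = "Thu, 01 Jan 1970 00:00:00 +0000"   # constructed placeholder for rewritten dates


def iter_headers(head):
    """Yield (name, value) pairs from a raw header block, unfolding continuation lines.
    Only the single space conventionally following the colon is dropped; other
    whitespace is kept so a subject of bare tabs (bug A) stays visible to the checks.
    Lines without a colon are malformed and are skipped."""
    pending = None
    for line in head.split("\n"):
        if line[:1] in (" ", "\t") and pending is not None:
            pending[1] += "\n" + line          # folded continuation line
            continue
        if pending is not None:
            yield tuple(pending)
            pending = None
        name, colon, value = line.partition(":")
        if not colon:
            continue
        pending = [name, value[1:] if value.startswith(" ") else value]
    if pending is not None:
        yield tuple(pending)


def parse_date_year(value):
    """Return the year of an RFC 822 date, or None when the value does not parse."""
    try:
        return parsedate_to_datetime(value.strip()).year
    except (TypeError, ValueError, IndexError):   # Python <3.10 raises TypeError, 3.10+ ValueError
        return None


def check_headers(raw_message):
    """Return a list of findings for one message; an empty list means none of the three shapes is present."""
    head = raw_message.partition("\n\n")[0]
    findings = []
    for name, value in iter_headers(head):
        lname = name.strip().lower()
        if lname == "subject":
            if value != "" and value.strip() == "":
                findings.append("subject-whitespace-only")      # bug A: e.g. "Subject: \t\t"
            if len(value) > MAX_SUBJECT_LEN:
                findings.append("subject-too-long")             # bug B: fixed-size subject buffer
        elif lname == "date":
            year = parse_date_year(value)
            if year is None:
                findings.append("date-unparseable")             # bug C: bare digits such as 1111111
            elif year > MAX_SAFE_YEAR:
                findings.append("date-year-beyond-2037")        # bug C: year past the safe limit
    return findings


def sanitize_headers(raw_message):
    """Rewrite the header block so none of the three shapes reaches the client.
    A replaced Date is preserved in an X-Original-Date header for later inspection."""
    head, sep, body = raw_message.partition("\n\n")
    out = []
    for name, value in iter_headers(head):
        lname = name.strip().lower()
        if lname == "subject":
            value = value.replace("\n", " ")
            if value.strip() == "":
                value = "(no subject)"
            value = value[:MAX_SUBJECT_LEN]
        elif lname == "date":
            year = parse_date_year(value)
            if year is None or year > MAX_SAFE_YEAR:
                out.append("X-Original-Date: " + value.strip())
                value = SAFE_DATE
        out.append(f"{name}: {value}")
    return "\n".join(out) + sep + body


if __name__ == "__main__":
    # Constructed sample modelled on bug A and bug C from the advisory.
    sample = "Subject: \t\t\nDate: 1111111\n\nhello\n"
    print(check_headers(sample))
    print(sanitize_headers(sample))
```

check_headers is the detection side (what a mail gateway or log review would flag); sanitize_headers is the mitigation side, rewriting only the two headers involved and leaving everything else byte-for-byte intact.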