In the light of recent discoveries e-Matters reaudited Fetchmail and found another buffer overflow within the default configuration. This heap overflow can be used by remote attackers to crash it or to execute arbitrary code with the privileges of the user running fetchmail. Depending on the configuration this allows a remote root compromise.
* Fetchmail version 6.1.3 and prior
When Fetchmail retrieves a mail it performs the so called reply-hack. This basically means that all headers that contain addresses are searched for local addresses (without @domain part). When such an address is found, Fetchmail appends a @ and the hostname of the mail server to it. To avoid unnecessary reallocating of the output buffer during this process Fetchmail counts the number of addresses within the headerline first. Then it reserves enough space for the case that all addresses are locals. Unfortunately this calculation is wrong because it counts:
A) To many addresses and
B) Only takes the hostname in count and not the extra @ which is also appended.
This means at the moment where you have enough (due to a) local addresses within the headerline every additional address will overflow the buffer by one byte. This results in an arbitrary size heap overflow, which was proved to be exploitable on our Linux boxes. Due to the fact that this heap overflow occurs in malloc()ed areas we believe that BSD systems can only be crashed with this bug.
Finally it is important to mention that an attacker does not need to spoof dns records, or control the mail server to exploit this bug. It is usually enough to send a mail to the victim that contains specially crafted header lines.
08. December 2002 A patch that fixes this vulnerability was mailed to the vendor.
13. December 2002 Vendor released Fetchmail v6.2.0 which fixes this vulnerability.
If you are running Fetchmail we suggest to upgrade to a new or patched version as soon as possible.