CVE CyberSecurity Database News

CVE-2023-4875 - Null Pointer Dereference in Mutt Email Client — How a Specially Crafted Draft Can Crash Your Inbox

Poster -

Mutt is a beloved, heavily-used command-line email client, praised for its speed and simplicity. However, if you’re running any version after 1.5.2 but before 2.2.12, your installation might be vulnerable to a nasty bug — CVE-2023-4875. This flaw lets an attacker crash your Mutt by tempting you to reply to or continue a draft message with just the right (maliciously crafted) content.

Here’s a breakdown of what the vulnerability is, how it’s triggered, what it means for users, and how you can shield yourself.

What is CVE-2023-4875?

CVE-2023-4875 is a null pointer dereference vulnerability that creeps in when composing a new email from a specially crafted draft. It’s easy for a malicious actor to create this scenario if they can control a draft file or coax you into using an attacker-controlled draft.

How the Crash Happens

Here’s what’s going on:
Mutt expects every draft message to include certain fields and valid formatting. If a draft is missing key headers or has malformed data, Mutt can end up working with pointers it assumes are valid. Specifically, in this bug, it accesses a pointer it hasn’t confirmed is non-null. This can lead to a crash as soon as you try to compose from such a draft.

Scenario:
1. Attacker sends you a "clever" draft file or you download/view one found on the web.

Internally, Mutt runs code like this

/* This is a simplified, illustrative snippet */
if (draft->body) {
    process_body(draft->body); // Expects body is always present
}
compose_message(draft->subject); // What if subject is NULL?

If draft->subject or draft->body is missing (i.e., NULL) because the malicious draft omitted them, Mutt might not check this fact before using them. When that happens… boom. Mutt dereferences a NULL pointer, leading to an instant segmentation fault and _crash_.

Proof of Concept: The Evil Draft

Here’s a minimal draft to trigger the crash. All you need to do is save it as a file and try to use it as a draft in vulnerable Mutt versions.

To: victim@example.com

// Deliberately leave out Subject and Body

Steps

1. Save this content to /tmp/evil-draft.

In Mutt, run:

mutt -H /tmp/evil-draft

Watch Mutt crash!

Note: You need a Mutt version between 1.5.2 and 2.2.12 for the crash to occur.

What’s the Risk?

- Local Crash: You need to open or reply to the draft file yourself. But if you process drafts obtained from unsafe sources — or your mail server auto-generates drafts — exploit is plausible.
- No Code Execution: This vulnerability can't lead to remote code execution or data leak itself, just a crash (denial of service).
- Persistence: If you use Mutt in a service (like webmail backends or automated mail handling), a crash can disrupt service.

The Fix

This bug is patched in Mutt version 2.2.12.
The fix is simple: Mutt's developers now consistently check that pointers from draft files are not NULL before using them.

Fixed code might look like

if (draft->subject != NULL) {
    compose_message(draft->subject);
} else {
    // Handle missing subject gracefully
    compose_message("(No Subject)");
}

Upgrade Mutt!

Download the latest version from the official site or update via your system package manager:

sudo apt upgrade mutt

`
- Avoid Using Untrusted Drafts:
Only compose emails from trusted sources or drafts you created yourself.
- Double-Check before Opening Drafts:
If you must use a draft from a remote location, open it in a text editor first to check for anything strange.

---

## References & More Information

- CVE-2023-4875 on MITRE
- Mutt Security Announcements
- Upstream Git Commit *(Patch for the bug)*

---

## Conclusion

CVE-2023-4875 is a classic example of how a tiny oversight — not checking a pointer — can result in a crash. While it’s “just” a local denial of service, it’s a strong reminder: always update your software, especially tools as vital as email clients. And remember: never trust files from strangers, even if they look like harmless drafts!

Stay patched, and keep your inbox alive!

---

*Feel free to share this post with friends or colleagues who use Mutt!*

Timeline

Published on: 09/09/2023 15:15:00 UTC
Last modified on: 09/27/2023 15:19:00 UTC