Every now and then, we receive a mail with an attached winmail.dat file, which is TNEF data that bundles e-mail content and files. Usually, the first thing we do is get angry about this type of attachment, since we cannot open it immediately. Then we reach for one of the usual tools to extract the data inside.
This might have not been a good idea...
tnef is one of the oldest tools for extracting TNEF files and offers useful features such as ignoring incorrect checksums. We had a quick look at this tool and noticed several issues where type confusions occurred, which led to attacker-controlled reads and writes. Furthermore, there was an integer overflow in the allocation functions, which led to heap overflows. Along with this, we sent the vendor a patch for the out-of-bounds writes and several for the out-of-bounds reads. Our advisory can be found here.
We strongly recommend putting ytnef in a sandbox if you are using it. Our advisory can be found here.
ktnef is not as lightweight as ytnef and requires a lot of dependencies (127 libraries on my system). It is part of the KDE system and comes with an additional GUI tool which helps to extract files. ClamAV seems to use code from ktnef to parse files, as does KDE PIM.
In ktnef we found several crashers (mostly uncaught exceptions, which do not seem security relevant) and the same filename directory traversal issue as in ytnef. It is the classic attack against archives and does not require a lot of technical skill to exploit. Our advisory can be found here.
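As an added illustration of the two bug classes discussed above (the integer overflow in the allocation functions and the directory traversal through attachment filenames), here are two defensive checks an extractor would want. This is example code written for this post, not code from tnef, ytnef or ktnef; the function names are our own and the policy for filenames (basename only, no separators) is an assumption.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Overflow-checked allocation (hypothetical helper). The element count
 * comes from the attacker-controlled TNEF attribute length, so the
 * product count * size must be checked before it reaches malloc(),
 * otherwise a wrapped-around size yields a too-small buffer and a
 * heap overflow on the following write. Returns NULL on overflow. */
void *checked_alloc(size_t count, size_t size)
{
    if (size != 0 && count > SIZE_MAX / size)
        return NULL;                     /* count * size would wrap */
    return malloc(count * size);
}

/* Returns true if a filename taken from a TNEF attachment attribute may
 * be created inside the extraction directory. TNEF strings are length
 * prefixed, so the raw length is passed in rather than trusting strlen().
 * Policy: no empty name, no embedded NUL (would silently truncate the
 * name later), no path separators at all (this also rejects "../x" and
 * absolute paths), and no "." or ".." component. */
bool safe_attachment_name(const char *name, size_t len)
{
    if (name == NULL || len == 0)
        return false;
    if (memchr(name, '\0', len) != NULL)
        return false;
    for (size_t i = 0; i < len; i++) {
        if (name[i] == '/' || name[i] == '\\')
            return false;
    }
    if (len == 1 && name[0] == '.')
        return false;
    if (len == 2 && name[0] == '.' && name[1] == '.')
        return false;
    return true;
}
```

A name that fails the check should be replaced by a generated one (or the attachment skipped), never "cleaned up" by stripping components, since partial stripping is itself a classic source of traversal bugs.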
While ktnef looks better from a security point of view than ytnef, it comes with a lot of dependencies, which makes it unsuitable for many use cases. Somehow tnef seemed like the most interesting one to invest further auditing time in once we have some spare time. None of the tools received a full audit from us; the issues were found during a brief look at all three projects. At the moment, we would likely refuse to open winmail.dat files from you.
We recommend auditing all tools you use, especially if you mainly use them on input provided by third parties. Or pay someone to do an audit for you * wink *