TUCoPS :: Unix :: General :: unix5342.htm
Wu-imapd remote buffer overflow
13th May 2002 [SBWID-5342]
COMMAND
	Wu-imapd remote buffer overflow
SYSTEMS AFFECTED
	 WU-IMAP 2000.283 default install
	 WU-IMAP 2000.284 default install
	 WU-IMAP 2000.287 default install
	 WU-IMAP 2001.315 compiled with RFC 1730 support
	
PROBLEM
	Marcell Fodor [http://mantra.freeweb.hu] says:
	
	A bug in the imapd.c code leads to an internal buffer overflow. It may
	happen when the user asks for fetching partial mailbox attributes.
	
	This request will cause the server to SIG11:
	
	A0666 PARTIAL 1
	BODY[AAA...1052bytes..AAA] 1 1
	
	
	Affected code:
	
	imapd.c
	-------
	int main (int argc,char *argv[])
	{
	 unsigned long i,uid;
	 long f;
	 char *s,*t,*u,*v,tmp[MAILTMPLEN];   /* fixed-size buffer on main()'s stack */
	 /* ... */
	
	 /* t points at the item string taken from the client's request and v at
	    its closing ']'.  i = v - (t+5) is therefore a client-chosen length,
	    and it is never compared against MAILTMPLEN before the copy into tmp. */
	 else if (!strncmp (t,"BODY[",5) && (v = strchr(t+5,']')) &&
	 !v[1]){
	 strncpy (tmp,t+5,i = v - (t+5));
	 /* ... */
	
	 /* the BODY.PEEK[...] form performs the same unchecked copy */
	 else if (!strncmp (t,"BODY.PEEK[",10) &&
	 (v = strchr (t+10,']')) && !v[1]) {
	 strncpy (tmp,t+10,i = v - (t+10));
	 /* ... */
	-------
	
	The bug is very similar to the one found in the Kerberos4 ftp client. No
	bounds check is done prior to moving user-supplied data. Since the attacker
	overwrites the server's main stack, the overflow will take effect when the
	user logs out.
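	The parsing flaw described above, reduced to a stand-alone C example. This
	is an added illustration, not code from the advisory or from the UW IMAP
	sources: the function names are hypothetical, and MAILTMPLEN is assumed
	to be 1024 here (the project defines the real value in its own headers),
	which is consistent with the 1052-byte section name that the advisory
	reports as crashing the daemon. parse_body_section() applies the same
	strict `< MAILTMPLEN` test that the patch below adds and terminates the
	copy; unpatched_would_overflow() reports, from lengths alone and without
	performing the dangerous copy, whether the original strncpy would have
	run past tmp.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed for this example only; c-client defines the real MAILTMPLEN in
   its headers.  1024 matches the advisory's observation that a 1052-byte
   section name overruns tmp and corrupts main()'s frame. */
#define MAILTMPLEN 1024

/* Copy the section name between "BODY[" / "BODY.PEEK[" and the closing ']'
   of item t into tmp (MAILTMPLEN bytes), as the patched imapd does.
   Returns the number of section bytes copied, or -1 when t is not a BODY
   item, the bracket is unterminated or followed by trailing data, or the
   section would not fit in tmp together with its terminating NUL.
   *peek is set to 1 for the BODY.PEEK[...] form, 0 otherwise. */
long parse_body_section(const char *t, char *tmp, int *peek)
{
    const char *start, *v;
    unsigned long i;

    if (!strncmp(t, "BODY[", 5))            { start = t + 5;  *peek = 0; }
    else if (!strncmp(t, "BODY.PEEK[", 10)) { start = t + 10; *peek = 1; }
    else return -1;

    v = strchr(start, ']');
    if (!v || v[1]) return -1;              /* unterminated, or junk after ']' */

    i = (unsigned long)(v - start);         /* client-controlled length */
    /* The bound check missing from the original.  It must be strict:
       strncpy() writes no NUL when the source is longer than i bytes, so the
       terminator is stored explicitly at tmp[i], which must stay inside tmp. */
    if (i >= MAILTMPLEN) return -1;

    strncpy(tmp, start, i);
    tmp[i] = '\0';
    return (long)i;
}

/* Build the advisory's trigger item: "BODY[" + n bytes of 'A' + "]".
   Constructed test input; the caller frees the result. */
char *make_body_item(size_t n)
{
    char *s = malloc(5 + n + 2);
    if (!s) return NULL;
    memcpy(s, "BODY[", 5);
    memset(s + 5, 'A', n);
    s[5 + n] = ']';
    s[6 + n] = '\0';
    return s;
}

/* 1 if the unpatched strncpy(tmp,t+5,v-(t+5)) would be unsafe for item t:
   a length above MAILTMPLEN writes past tmp, and a length equal to it
   leaves no room for a terminator, so anything >= MAILTMPLEN is rejected
   with the same threshold the patch uses. */
int unpatched_would_overflow(const char *t)
{
    const char *start, *v;

    if (!strncmp(t, "BODY[", 5))            start = t + 5;
    else if (!strncmp(t, "BODY.PEEK[", 10)) start = t + 10;
    else return 0;                          /* other items take another path */

    v = strchr(start, ']');
    if (!v || v[1]) return 0;               /* original condition fails, no copy */
    return (v - start) >= MAILTMPLEN;
}

int main(void)
{
    char tmp[MAILTMPLEN];
    int peek;
    char *ok  = make_body_item(10);
    char *bad = make_body_item(1052);       /* the advisory's crashing length */

    printf("10-byte section: copied %ld bytes -> \"%s\"\n",
           parse_body_section(ok, tmp, &peek), tmp);
    printf("1052-byte section: unpatched overflow=%d, patched result=%ld\n",
           unpatched_would_overflow(bad), parse_body_section(bad, tmp, &peek));

    free(ok);
    free(bad);
    return 0;
}
```

	The strict comparison matters: with i == MAILTMPLEN the copy itself stays
	inside tmp, but the NUL that has to follow it would land one byte past the
	end, which is why the patch tests `< MAILTMPLEN` rather than `<=`.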
SOLUTION
	Patch for the problem:
	
	556,557c556,558
	< 	 else if (!strncmp (t,\"BODY[\",5) && (v = strchr(t+5,\']\')) && !v[1]){
	< 	 strncpy (tmp,t+5,i = v - (t+5));
	---
> 	 else if (!strncmp (t,\"BODY[\",5) && (v = strchr(t+5,\']\')) &&
> 		 !v[1] && ((i = v - (t+5)) < MAILTMPLEN)){
> 	 strncpy (tmp,t+5,i);
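	Review bot: strncpy (tmp,t+5,i) in this hunk never writes a terminator, because the source is longer than i bytes (the ']' still follows it), so whatever code after the hunk treats tmp as a C string must store tmp[i] = '\0' itself; the strict `< MAILTMPLEN` comparison leaves exactly one byte for that NUL, so keep it strict and do not relax it to `<=`. An over-long section now simply fails this condition and falls through to the following else-if chain instead of being answered with an explicit BAD; consider rejecting it explicitly so the attempt is visible in the server log rather than silently reinterpreted. Note also that as reproduced on this page the hunk's quote characters are backslash-escaped (\"BODY[\" and \']\'); those escapes are rendering residue and must be restored to plain quotes before the patch will apply to imapd.c.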
	563,564c564,566
	< 		 (v = strchr (t+10,\']\')) && !v[1]) {
	< 	 strncpy (tmp,t+10,i = v - (t+10));
	---
> 		 (v = strchr (t+10,\']\')) && !v[1] &&
> 		 ((i = v - (t+10)) < MAILTMPLEN)) {
> 	 strncpy (tmp,t+10,i);
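	Review bot: this BODY.PEEK[ branch duplicates the BODY[ check with only the prefix length changed (10 instead of 5); folding the prefix skip, the strchr for ']', the !v[1] test and the `< MAILTMPLEN` bound into one helper that takes the prefix length would keep the two branches from drifting apart, which is how the unchecked copy came to exist in two places to begin with. The terminator caveat from the first hunk applies unchanged here: i < MAILTMPLEN reserves the one byte that the NUL following strncpy (tmp,t+10,i) needs.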
	
