TUCoPS :: Unix :: General :: unix5425.htm


imap-uw remote file access
11th Jun 2002 [SBWID-5425]
COMMAND
	imap-uw remote file access
SYSTEMS AFFECTED
	All versions
PROBLEM
	In the Security.NNOV advisory
	[http://www.security.nnov.ru/advisories/courier.asp]:
	
	Imap-uw allows a user to access any file he could access locally. It's
	not a bug, it's insecurity by design (it was not created with security
	in mind ;-). According to the FAQ from the vendor's web site (it's not
	mentioned in the FAQ inside the program distribution):
	
	-=-=-=-=-=-=-
	
	5.1 I see that the IMAP server allows access to arbitrary files on the
	system, including /etc/passwd! How do I disable this?
	
	You should not worry about this if your IMAP users are allowed shell access.
	The IMAP server does not permit any access that the user can not have via
	the shell. If, and only if, you deny your IMAP users shell access, you
	may want to consider one of three choices. Note that these choices
	reduce IMAP functionality, and may have undesirable side effects.
	Each of these choices involves an edit to file src/osdep/unix/env_unix.c
	
	The first (and recommended) choice is to set restrictBox as described in
	file CONFIG. This will disable access to the filesystem root, to other
	users' home directory, and to superior directory.
	
	The second (and strongly NOT recommended) choice is to set closedBox as
	described in file CONFIG. This puts each IMAP session into a so-called
	"chroot jail", and thus setting this option is extremely dangerous;
	it can make your system much less secure and open to root compromise
	attacks. So do not use this option unless you are absolutely certain that
	you understand all the issues of a "chroot jail."
	
	The third choice is to rewrite routine mailboxfile() to implement whatever
	mapping from mailbox name to filesystem name (and restrictions)
	that you wish. This is the most general choice. As a guide, you can
	see at the start of routine mailboxfile() what the restrictBox choice
	does.
	
	-=-=-=-=-=-
	
	It should be noted that restrictBox/closedBox is described in neither
	CONFIG nor any other document in the program distribution at all (as of
	imap-2001a)... And even if you are smart enough to check the FAQ on the
	web site after you have read the FAQ in the source distribution,
	restrictBox can be bypassed in any Windows build (for example
	http://sourceforge.net/projects/uw-imap-cygwin/) because the '\\' symbol
	is never checked. Hope nobody uses UW under NT or a version from an OS
	ports distribution in a production environment, because as far as I can
	see port maintainers do not change the value of closedBox :).
	
	I'm not sure if there are utilities to access the file system via
	imap-uw, so I created a small set of tools; you can download imaptools.tgz from
	
	http://www.security.nnov.ru/search/news.asp?binid=2063
	
	
	it includes:
	
	imapget.c - to retrieve a file via imap-uw, usage example:
	imapget imap.host.name /etc/passwd > passwd
	it should work for both text and binary files.
	
	imapls.c - to get a file listing, usage example:
	imapls imaphostname /tmp/\* > ls-tmp
	
	imaprm.c, imapmkdir.c - hope you catch the idea.
	
	it's also possible to create a file with any name in mailbox format.
SOLUTION
	See above: set restrictBox (or rewrite mailboxfile()) in src/osdep/unix/env_unix.c as the vendor FAQ describes, and note the advisory's caveat that restrictBox does not check the '\\' separator on Windows builds.
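	As an added illustration (not code from imap-uw, its env_unix.c, or the Security.NNOV advisory), here is a restrictBox-style name check of the kind the vendor FAQ suggests writing into a custom mailboxfile(). It assumes the c-client name conventions (a leading '/' is an absolute path, '~user/' is another user's home directory, '..' is the parent directory) and, to address the bypass the advisory describes, treats '\\' as a separator as well as '/'.

```c
/* Illustrative restrictBox-style check for a custom mailboxfile().
 * NOT the code from imap-uw's src/osdep/unix/env_unix.c; the name
 * conventions below ('/' absolute, '~user' other user's home, '..'
 * parent) are assumptions. Unlike the restrictBox behaviour the
 * advisory describes, '\\' is treated as a separator too, so a
 * Windows/Cygwin build cannot be walked with backslashes. */
#include <stdbool.h>
#include <stddef.h>

static bool is_sep(char c)
{
    return c == '/' || c == '\\';
}

/* Return true only when the mailbox name may be mapped to a file
 * inside the user's own home directory. */
bool restricted_mailbox_ok(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return false;
    if (is_sep(name[0]))               /* absolute path: filesystem root */
        return false;
    if (name[0] == '~' && !(name[1] == '\0' || is_sep(name[1])))
        return false;                  /* ~user/...: another user's home */

    /* Walk each path component, splitting on '/' and '\\'. */
    const char *p = name;
    while (*p != '\0') {
        const char *start = p;
        while (*p != '\0' && !is_sep(*p))
            p++;
        if ((p - start) == 2 && start[0] == '.' && start[1] == '.')
            return false;              /* superior directory */
        if (*p != '\0')
            p++;                       /* skip the separator */
    }
    return true;
}
```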
