101341 2003-05-14 21:39 /87 rader/ Timo Sirainen <tss@iki.fi>
Importerad: 2003-05-14 21:39 av Brevbäraren
Extern mottagare: bugtraq@securityfocus.com
Mottagare: Bugtraq (import) <4891>
Ärende: Buffer overflows in multiple IMAP clients
------------------------------------------------------------
There's two common vulnerabilities in IMAP clients written with C and
C++:
1. Handling huge literal sizes. Many clients do
malloc(literal_size+1) and then read the literal into it. Problem is
that if literal_size is UINT_MAX-1, the +1 overflows it into
malloc(0) but server is still allowed to write UINT_MAX-1 bytes of
data there. There may also be similiar problems if literal size is
read into signed integer which causes it to become negative. Some
clients use atoi(), so giving -1 as literal size is equilevant to
giving UINT_MAX-1.
IMAP servers can also be vulnerable to this one if they're not
careful.
2. Handling huge mailbox sizes (ie. huge value in EXISTS reply). Many
clients do malloc(messages_count * sizeof(struct message)) and read
data into it.
Exploiting
----------
Exploiting these requires that client connects to malicious IMAP
server. Some social engineering (eg. anonymous IMAP access for
mailing lists, announcing "free" IMAP servers, etc.) or
man-in-the-middle techniques should do it.
Using SSL/TLS could prevent MitM, but STARTTLS might not be enough
since client could have already parsed malicious data before
beginning the TLS negotiation.
UW-imapd can also act as IMAP client, allowing user to connect to
specified server. It is disabled for anonymous users, but allowed for
everyone else (even with closedBox, blackBox or restrictBox
enabled). So exploiting it could give you access to the system as the
logged in user.
Vulnerabile clients
-------------------
crash: Just crashes because it tries to memcpy() >2GB of data
limited: Values that can be written past buffer are limited
full: Anything can be written past buffer
| 1 | 2 |
---------------------------------------------------------------------
c-client | crash | full | Pine, UW-imapd
Evolution | full | - |
kmail | - | - | Nothing obvious at least
Mozilla | full | - (1) |
mutt | - | limited(2) | Balsa also includes mutt's IMAP code
Sylpheed | crash | - |
OE6 | crash(3)| - |
Eudora | full | - | "..0x41414141 .. could not be written"
1) *Maybe* with 64bit systems after you have already sent about 1
billion messages to Mozilla.
2) Allows writing pointers to malloc()ed data. Maybe also
sequentially growing numbers from 1. I couldn't think of a way to
exploit these with GLIBC.
3) Gives quite random behaviour. It seems to be crashing when trying
to copy 4GB of data, but the addresses are always different and
sometimes it's actually trying to read/write data at address sent by
client. Anyway, Microsoft said it was only DoS, and it does seem so.
Vulnerable versions
-------------------
imap-2002b and Pine 4.53 are vulnerable. imap-2002c is fixed.
Evolution 1.2.4 is vulnerable. 1.3.2 (beta) is fixed.
Mozilla 1.3 and 1.4a are vulnerable. 1.3.1 and 1.4b fixed 1).
mutt 1.4.1 and Balsa 2.0.10 are "vulnerable". Doesn't look
exploitable, don't worry too much about it.
Sylpheed 0.8.11 (including -claws) is "vulnerable". Just a crash,
don't worry about it.
Outlook Express 6.00.2800.1106 was tested to be
"vulnerable". Apparently just a crash. Fix is in next OE service pack.
Eudora 5.2.1 is vulnerable. No replies to bug report I sent.
(101341) /Timo Sirainen <tss@iki.fi>/-----(Ombruten)