[14542] in bugtraq


Re: imapd4r1 v12.264

daemon@ATHENA.MIT.EDU (Sven Carstens)
Mon Apr 17 16:52:46 2000

Mime-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Message-Id:  <200004171304.PAA06635@rincewind.msc-media.de>
Date:         Mon, 17 Apr 2000 15:04:41 +0200
Reply-To: Sven Carstens <s.carstens@GMX.DE>
From: Sven Carstens <s.carstens@GMX.DE>
X-To:         BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <Pine.LNX.4.21.0004161411480.2819-100000@dione.ids.pl>
Content-Transfer-Encoding: 8bit

On Sun, 16 Apr 2000, Michal Zalewski <lcamtuf@DIONE.IDS.PL> wrote:
> Newest RH:
> 
> * OK nimue IMAP4rev1 v12.264 server ready

This is the imap-4.7 package from the University of Washington.

> 1 login lcamtuf test
> 1 OK LOGIN completed
> 1 list "" AAAAAAAAAAAAAAAAAAAAAAAAAAA...[yes, a lot of 'A's ;] 
> Program received signal SIGSEGV, Segmentation fault.
> 0x41414141 in ?? ()
> 

To segfault, the number of A's has to be in the range 1023 < #A < 8180.
If the command line including CR/LF is longer than 8192, an error message is
displayed.

The segfaults are in the nntp, mh, news and dummy driver.
In all modules the subroutine <name>_canonicalize will happily strcpy and
strcat the user-supplied arguments into fixed-size buffers of normally
MAILTMPLEN = 1024 bytes.

Quick workaround:
- remove these modules (if you don't require them) from the linkage list

To do this, change imapd.c around line 247 and remove this line:

#include "linkage.c"

and manually add the drivers and authenticators you need:
  mail_link (&mboxdriver);		/* link in the mbox driver */
  mail_link (&imapdriver);		/* link in the imap driver */
/*  mail_link (&nntpdriver);		   link in the nntp driver (disabled) */
  mail_link (&pop3driver);		/* link in the pop3 driver */
/*  mail_link (&mhdriver);		   link in the mh driver (disabled) */
  mail_link (&mxdriver);		/* link in the mx driver */
  mail_link (&mbxdriver);		/* link in the mbx driver */
  mail_link (&tenexdriver);		/* link in the tenex driver */
  mail_link (&mtxdriver);		/* link in the mtx driver */
  mail_link (&mmdfdriver);		/* link in the mmdf driver */
  mail_link (&unixdriver);		/* link in the unix driver */
/*  mail_link (&newsdriver);		   link in the news driver (disabled) */
  mail_link (&philedriver);		/* link in the phile driver */
/*  mail_link (&dummydriver);		   link in the dummy driver (disabled) */
  auth_link (&auth_md5);		/* link in the md5 authenticator */
  auth_link (&auth_log);		/* link in the log authenticator */

This list is taken from my default install. You might have extra
authenticators in your configuration. See the file
imap-4.7/c-client/linkage.c
for the drivers of your choice.

It might also be wise to remove all unneeded drivers from the list to gain
speed/security.

There are sure as hell a lot more careless strcpy's inside this code.

BTW: Looking for another library for mail folder access!

> *sigh*
> 
> Privileges seem to be dropped, but, anyway, it's a nice way to get shell
> access to a mail account, maybe grab some data from memory etc. I believe
> both imap and ipopd packages need a code security audit.
> 

The security audit is really needed for all of the drivers in the c-client.
(Anyone care for a Y2K bug in this?)

CU Sven
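An added example, not part of Sven's post or of the UW c-client code: a constructed stand-in for a <name>_canonicalize routine, shown in the unchecked strcpy/strcat form the post describes next to a length-checked form that refuses a mailbox name which does not fit a MAILTMPLEN buffer. The "<prefix>/<mailbox>" layout, the function names and the helper are assumptions for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAILTMPLEN 1024   /* the fixed buffer size the post names */

/* Constructed stand-in for a <name>_canonicalize: writes "<prefix>/<mailbox>"
 * into a MAILTMPLEN buffer. This is the careless pattern the post describes:
 * strcpy/strcat with no check that the result fits, so an over-long mailbox
 * argument runs past the end of tmp. Kept here for comparison, never called. */
void canonicalize_unchecked (char *tmp, const char *prefix, const char *mailbox)
{
  strcpy (tmp, prefix);
  strcat (tmp, "/");
  strcat (tmp, mailbox);
}

/* Hardened form: snprintf reports the length the result would need; anything
 * that does not fit is rejected so the caller can answer the IMAP command
 * with NO/BAD instead of corrupting memory. Returns 1 on success, 0 if rejected. */
int canonicalize_checked (char tmp[MAILTMPLEN], const char *prefix, const char *mailbox)
{
  int n = snprintf (tmp, MAILTMPLEN, "%s/%s", prefix, mailbox);
  if (n < 0 || n >= MAILTMPLEN) {   /* would have been truncated: reject */
    tmp[0] = '\0';
    return 0;
  }
  return 1;
}

/* Helper (assumed): does a mailbox name of `len` 'A's, with an empty prefix,
 * pass the check? Mirrors the long LIST argument from the quoted session. */
int accepts_name_of_length (size_t len)
{
  char tmp[MAILTMPLEN];
  char *name = malloc (len + 1);
  if (!name) return -1;
  memset (name, 'A', len);
  name[len] = '\0';
  int ok = canonicalize_checked (tmp, "", name);
  free (name);
  return ok;
}

int main (void)
{
  printf ("1022 A's accepted: %d\n", accepts_name_of_length (1022));  /* 1 */
  printf ("1023 A's accepted: %d\n", accepts_name_of_length (1023));  /* 0 */
  printf ("8180 A's accepted: %d\n", accepts_name_of_length (8180));  /* 0 */
  return 0;
}
```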
