[16289] in bugtraq
mailbox format incompatibility in (WU)imap with mail.local
daemon@ATHENA.MIT.EDU (3APA3A)
Fri Aug 18 02:30:24 2000
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <17928.000815@SECURITY.NNOV.RU>
Date: Tue, 15 Aug 2000 22:16:39 +0400
Reply-To: 3APA3A <3APA3A@SECURITY.NNOV.RU>
From: 3APA3A <3APA3A@SECURITY.NNOV.RU>
To: BUGTRAQ@SECURITYFOCUS.COM
Hello,
It's not a big, but an interesting security hole. In fact neither
mail.local nor imap has any bugs, but the problem arises from the
fact that there is no clear format for the Unix mailbox. Since I think
mail.local has the more suitable mailbox format I decided to report the
problem as an imap problem. Maybe I'm wrong.
Thanks to w00w00 and USSR Labs. And sorry for my bad English.
-=-=-=-=-=-=-=-=-=-=-
Title         : mailbox format incompatibility in (WU)imap with
                mail.local
Authors       : 3APA3A@security.nnov.ru, agk@sandy.ru
Impact        : a malicious user can put a message with faked headers
                into a user's mailbox, bypassing virus protection,
                buffer overflow protection and other MTA/MDA
                filters. Also imap itself or the MUA can be DoS'ed in
                the way shown below.
Software      : imapd-4.7c and prior versions when combined with
                mail.local and probably some other MDAs
OS            : *BSD, maybe others
Vendor Status : Mark Crispin and Sendmail notified; no satisfying
                solution yet provided.
Details:
When delivering a message to a user's mailbox, mail.local assumes that
messages are delimited by an empty line followed by a "From " header. If
this combination is found in the message text it is commented out. Yet
imap, while parsing the user's mailbox, relies only on a "From " header
in a specific format and does not check for the preceding empty line.
This makes it possible to put a faked message with a faked RFC-822
header (including all Received: fields) into the user's mailbox by using
a properly formatted "From " header after a non-empty line. This can be
used both for sending spoofed messages and for DoS'ing the user's
mailbox by emulating a huge number of messages.
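To make the mismatch concrete, here is an added model (not code from imapd or mail.local) of the two delimiter rules described above: an MDA that quotes a "From " line only when the previous line is empty, and a reader that accepts any well-formed "From " line. The sample mailbox and the date regex are constructed for this example.

```python
import re

# Model of the "From " separator format accepted by the reader; the exact
# pattern in imapd is more involved, this is an approximation for the example.
FROM_LINE = re.compile(r"^From \S+ \w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}$")

# Constructed message bodies. The second body carries a well-formed "From "
# line directly after a NON-empty line, the pattern the advisory describes.
FIRST_BODY = "Subject: first\n\nhello\n"
FORGED_BODY = "\n".join([
    "Subject: second", "", "text line",
    "From user Wed Dec 2 05:53:22 1992",
    "Received: from relay.example.net (constructed)",
    "Subject: forged", "", "looks like a separate message", "",
])

def mda_escape(body, only_after_blank=True):
    """Quote body lines that look like separators. only_after_blank=True is
    the rule the advisory attributes to mail.local (quote a "From " line only
    if the previous line is empty); False quotes every "From " line."""
    out, prev_empty = [], True
    for line in body.split("\n"):
        if line.startswith("From ") and (prev_empty or not only_after_blank):
            line = ">" + line
        out.append(line)
        prev_empty = (line == "")
    return "\n".join(out)

def deliver(mailbox, envelope_from, body, only_after_blank=True):
    """Append one message to an mbox string: separator, escaped body, blank line."""
    sep = "From %s Tue Aug 15 22:16:39 2000\n" % envelope_from
    return mailbox + sep + mda_escape(body, only_after_blank) + "\n"

def count_messages(mailbox, require_blank_before=False):
    """Count messages the way a reader would. require_blank_before=False is
    the imapd rule (any valid "From " line starts a message); True is the
    MDA rule (a "From " line counts only after an empty line or at file start)."""
    n, prev_empty = 0, True
    for line in mailbox.split("\n"):
        if FROM_LINE.match(line) and (prev_empty or not require_blank_before):
            n += 1
        prev_empty = (line == "")
    return n

# Same two messages delivered under each quoting rule.
MBOX_ADVISORY = deliver(deliver("", "alice@example.org", FIRST_BODY), "bob@example.org", FORGED_BODY)
MBOX_QUOTE_ALL = deliver(deliver("", "alice@example.org", FIRST_BODY, False), "bob@example.org", FORGED_BODY, False)

if __name__ == "__main__":
    print(count_messages(MBOX_ADVISORY), count_messages(MBOX_ADVISORY, True))  # 3 2
    print(count_messages(MBOX_QUOTE_ALL))                                        # 2
```

Two real messages were delivered in both mailboxes; only when the MDA and the reader apply the same separator rule do they agree on the count.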
Exploitation:
The shell command below sends a single message of approx. 2.5 Mb. After
delivery, imap will think there are more than 70,000 messages in the
user's mailbox.
perl -e 'print "1\nFrom user Wed Dec 2 05:53:22 1992\n\n"x70000' |\
mail -s "Oooops I did it again" victim
When these 70,000 messages are received with a MUA, the MUA usually fails
(mostly because of memory problems). It was tested with The Bat! and
Netscape. After that, on a FreeBSD 3.2 PIII 128Mb box I noticed the following
behavior: ipop3 (imapd was not tested) freezes in sbwait state,
locking 99% CPU and an amount of memory (much more than the message size
itself). After 30 minutes the situation had not changed.
Patch:
This one is for imapd-4.7c. It was not extensively tested and may not be
complete, but it is believed to close this very hole.
*** unix.c.old Wed Feb 23 03:43:30 2000
--- unix.c Thu Aug 10 12:58:19 2000
***************
*** 1048,1053 ****
--- 1048,1054 ----
unsigned long i,j,k,m;
char c,*s,*t,*u,tmp[MAILTMPLEN],date[30];
int ti = 0,pseudoseen = NIL,retain = T;
+ int wasempty;
unsigned long nmsgs = stream->nmsgs;
unsigned long prevuid = nmsgs ? mail_elt (stream,nmsgs)->private.uid : 0;
unsigned long recent = stream->recent;
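Review bot: the new `int wasempty;` is declared without an initializer or a comment, although it gates whether a line is parsed as a message separator at all. Consider `int wasempty = 1; /* previous line was empty: a "From " line may start a message */` so the flag has a defined value on any path that reaches the parsing loop without the later `wasempty = 1;` assignment, and the reader learns its meaning at the declaration.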
***************
*** 1389,1404 ****
k = m = 0; /* no previous line size yet */
/* note current position */
j = LOCAL->filesize + GETPOS (&bs);
if (i) do { /* look for next message */
s = unix_mbxline (stream,&bs,&i);
if (i) { /* got new data? */
! VALID (s,t,ti,zn); /* yes, parse line */
if (!ti) { /* not a header line, add it to message */
elt->rfc822_size +=
k = i + (m = (((i < 2) || s[i - 2] != '\r') ? 1 : 0));
/* update current position */
j = LOCAL->filesize + GETPOS (&bs);
}
}
} while (i && !ti); /* until found a header */
elt->private.msg.text.text.size = j -
--- 1390,1408 ----
k = m = 0; /* no previous line size yet */
/* note current position */
j = LOCAL->filesize + GETPOS (&bs);
+ wasempty = 1;
if (i) do { /* look for next message */
s = unix_mbxline (stream,&bs,&i);
if (i) { /* got new data? */
! if (wasempty) VALID (s,t,ti,zn); /* yes, parse line */
if (!ti) { /* not a header line, add it to message */
elt->rfc822_size +=
k = i + (m = (((i < 2) || s[i - 2] != '\r') ? 1 : 0));
/* update current position */
j = LOCAL->filesize + GETPOS (&bs);
}
+ if ( *s == '\n') wasempty = 1;
+ else wasempty = 0;
}
} while (i && !ti); /* until found a header */
elt->private.msg.text.text.size = j -
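Review bot: the blank-line test `if ( *s == '\n') wasempty = 1;` recognises only a bare LF line as empty, while the size computation a few lines above (`s[i - 2] != '\r'`) shows this parser also expects CRLF-terminated lines; a `\r\n` blank line therefore leaves `wasempty` at 0, and a legitimate `From ` separator following it is folded into the previous message. Suggest `wasempty = (i == 1) || (i == 2 && *s == '\r');` (this assumes `i` counts the terminating newline, as the `s[i - 2]` check implies; verify against `unix_mbxline`). Also note that the flag is updated after the `if (!ti)` block, so it is evaluated on the iteration that found the separator as well; harmless, but worth a comment so the ordering is not "fixed" later.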
http://www.security.nnov.ru
/\_/\
{ . . } |\
+--oQQo->{ ^ }<-----+ \
| 3APA3A U 3APA3A }
+-------------o66o--+ /
|/
You know my name - look up my number (The Beatles)