[4247] in bugtraq
Re: Security hole in imapd - pine 3.96 affected?
daemon@ATHENA.MIT.EDU (Aleph One)
Wed Apr 9 02:44:47 1997
Date: Wed, 9 Apr 1997 01:33:32 -0500
Reply-To: Aleph One <aleph1@DFW.NET>
From: Aleph One <aleph1@DFW.NET>
To: BUGTRAQ@NETSPACE.ORG
+---
| From mrc@cac.washington.edu Tue Apr 8 09:26:34 1997
| Date: Tue, 4 Mar 1997 15:22:05 -0800
| From: Mark Crispin <mrc@cac.washington.edu>
| To: pine-info@cac.washington.edu
| Subject: Re: Pine 3.96
|
| On 4 Mar 1997, Jody Housman wrote:
| > After building 3.96, I checked log_std.c code, and it appears to be the
| > same as what SNI calls the flawed code. Has the security hole been fixed
| > in some other way such as increasing the size of the username buffer?
|
| Yes. Instead of changing the flawed code, there is a booby trap in 3.96
| to catch people who try to exploit it. Attempts to trigger the security
| hole will never get to the flawed code, but will cause a "Crack attempt"
| syslog alert. Also, the advertised banner did not change in 3.96, to make
| it difficult for a bad guy to tell the difference between a vulnerable
| 3.95 server and a non-vulnerable 3.96 server.
|
| Perhaps knowledge of this might deter bad guys from trying to exploit this
| bug. Then again, those of us who have a life have a hard time in
| fathoming the thought processes of those who do not.
|
| In the as-yet unreleased Pine 4.0 (and the current released imap-4.1
| toolkit), the banners changed, so there seemed to be no point in having
| the booby trap. The flawed code is gone entirely in this version.
|
| Unless you have a special reason to continue to run IMAP2bis based
| servers, I recommend that you run the servers in the imap-4.1 toolkit:
| ftp://ftp.cac.washington.edu/mail/imap.tar.Z
| since this version supports IMAP4rev1 and POP3 with UIDL.
|
| -- Mark --
|
| Unsolicited commercial email is NOT welcome at this email address.
+---