I. BACKGROUND

UW-IMAP is a popular free IMAP service for Linux and UNIX systems and is
distributed with various Linux distributions. More information can be
found at the vendor website:

http://www.washington.edu/imap/
II. DESCRIPTION

Remote exploitation of a buffer overflow vulnerability in the University
of Washington's IMAP Server (UW-IMAP) allows attackers to execute
arbitrary code.

The vulnerability specifically exists due to insufficient bounds checking
on user-supplied values. The mail_valid_net_parse_work() function in
src/c-client/mail.c is responsible for obtaining and validating the
specified mailbox name from user-supplied data. An error in the parsing of
supplied mailbox names causes the function, once a " character has been
parsed, to keep copying memory until another " character is found, as
shown here:
long mail_valid_net_parse_work (char *name,NETMBX *mb,char *service)
{
  int i,j;
#define MAILTMPLEN 1024                 /* size of a temporary buffer */
  char c,*s,*t,*v,tmp[MAILTMPLEN],arg[MAILTMPLEN];
  ...snip...
  if (t - v) {                          /* any switches or port specification? */
    strncpy (t = tmp,v,j);              /* 1] copy it */
    tmp[j] = '\0';                      /* tie it off */
    ...
    if (*t == '"') {                    /* quoted string? */
      for (v = arg,i = 0,++t; (c = *t++) != '"';) {  /* 2] Vulnerability */
                                        /* quote next character */
        if (c == '\\') c = *t++;
        arg[i++] = c;
      }
If an attacker supplies only one " character, the loop never finds a
closing quote and continues to copy bytes into arg, overflowing the
stack buffer and resulting in arbitrary code execution.
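The following is an added illustration, not code from c-client or the vendor: a re-implementation of the quoted-string copy that carries the two NUL checks from the vendor's fix and, going one step further than the patch, bounds the copy against the size of the output buffer. The names copy_quoted_arg and try_parse and the sample inputs are chosen here.

```c
/* Added example, not c-client code: a bounded re-implementation of the
 * quoted-argument loop in mail_valid_net_parse_work(). */
#include <stdio.h>
#include <string.h>

#define MAILTMPLEN 1024   /* same temporary buffer size as c-client */

/* Copy the quoted string at *tp (must point at the opening '"') into arg,
 * honouring backslash escapes. On success returns the byte count and
 * advances *tp past the closing quote. Returns -1 for no opening quote, an
 * unterminated string, a backslash before NUL, or an arg overflow. */
long copy_quoted_arg(const char **tp, char *arg, size_t argsz)
{
    const char *t = *tp;
    size_t i = 0;
    char c;
    if (*t != '"') return -1;            /* not a quoted string */
    ++t;                                  /* skip the opening quote */
    while ((c = *t++) != '"') {
        if (!c) return -1;                /* unterminated string (vendor patch) */
        if (c == '\\') {                  /* quote next character */
            c = *t++;
            if (!c) return -1;            /* can't quote NUL either (vendor patch) */
        }
        if (i + 1 >= argsz) return -1;    /* added here: bound independent of tmp */
        arg[i++] = c;
    }
    arg[i] = '\0';
    *tp = t;
    return (long)i;
}

/* Parse input into a private buffer of argsz bytes; return the count, -1 on
 * rejection, or -2 if the copied text differs from expected (when given). */
long try_parse(const char *input, size_t argsz, const char *expected)
{
    char arg[MAILTMPLEN];
    long n = copy_quoted_arg(&input, arg, argsz);
    if (n >= 0 && expected && strcmp(arg, expected) != 0) return -2;
    return n;
}

int main(void)
{
    /* Constructed inputs standing in for the switch text that tmp holds */
    printf("terminated:   %ld\n", try_parse("\"user\\\"name\"/rest", MAILTMPLEN, "user\"name"));
    printf("unterminated: %ld\n", try_parse("\"no closing quote", MAILTMPLEN, NULL));
    return 0;
}
```

The unterminated input, the case described above, is rejected before any byte beyond the string terminator is read.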
III. ANALYSIS

Successful exploitation of the vulnerability will result in the execution
of arbitrary code with the permissions of the IMAP server. The impact of
this vulnerability is slightly reduced by the requirement for valid
credentials; however, IMAP servers are commonly used for free webmail
systems and other services which may give untrusted users valid
credentials. Networks that restrict IMAP service access to trusted users
are at low risk.
IV. DETECTION

iDEFENSE has confirmed the existence of this vulnerability in Washington
University imap-2004c1.

The following vendors include susceptible UW-IMAP packages within their
respective operating system distributions:

- FreeBSD Project: FreeBSD 5.x
- Gentoo Foundation Inc.: Gentoo 2005.x
- Debian Project: Linux 3.x
- Red Hat, Inc.: Fedora Core 1
- Mandrakesoft SA: Mandriva Linux 9.x
- Novell Inc.: SuSE Linux 9.x
V. WORKAROUND

iDEFENSE is unaware of any valid workarounds for this issue. Restrict
untrusted users from the IMAP service until the vendor releases a patch.
VI. VENDOR RESPONSE

"The fix is in the following patch to imap-????/src/c-client/mail.c:

------------------------------Cut Here----------------------------------
*** mail.c 2005/03/17 00:12:22
1.6
--- mail.c 2005/09/15 16:48:46
***************
*** 691,698
****
--- 691,700
----
if (c == '=') {
/* parse switches which take arguments */
if (*t == '"') {
/* quoted string? */
for (v = arg,i = 0,++t; (c =
*t++) != '"';) {
+ if (!c) return NIL; /*
unterminated string */
/* quote next character
*/
if (c == '\\') c = *t++;
+
if (!c) return NIL; /* can't quote NUL either
*/
arg[i++] = c;
}
c = *t++; /* remember delimiter for later
*/
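Review bot: the second `if (!c) return NIL;` after `if (c == '\\') c = *t++;` is required in addition to the first, since a backslash immediately before the terminator would otherwise consume the NUL and the loop would keep reading past tmp; keep both checks in this order. Consider also bounding `i` against the size of `arg` inside the loop, so that the copy's safety no longer rests solely on `tmp[j] = '\0';` having been placed earlier in the function.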
------------------------------Cut Here----------------------------------

This fix is in UW release imap-2004g, which is available as the current
release version from:

ftp://ftp.cac.washington.edu/mail/imap.tar.Z

IMPACT ANALYSIS:

The vulnerability is in the c-client library, which is used by the IMAP
server.

The main impact of a successful exploit in the IMAP server is that an
authorized user can execute arbitrary code, including gaining shell
access, on the server. The code is executed with the authorized user's
userid.

A successful exploit in the IMAP server does NOT allow root access.

UW imapd has an optional facility for anonymous access; this feature must
be enabled specifically by the site and is rarely enabled. Due to a
security check specific to anonymous IMAP access, anonymous IMAP users
can NOT exploit this vulnerability.

In the absence of data to the contrary, I believe that this vulnerability
is LOW risk to servers which permit shell access to authorized users; and
is of LOW-MODERATE risk (unauthorized shell access to authorized users)
to other servers.

The vulnerability impacts all applications which use the c-client
library, even if these applications do not use IMAP. In the IMAP server
and most MUAs, the application runs with the user's credentials, which
reduces the overall risk. If the application runs with other credentials
(e.g., webmail systems), the vulnerability may be of higher risk."
VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2005-2933 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.
VIII. DISCLOSURE TIMELINE

09/15/2005  Initial vendor notification
09/15/2005  Initial vendor response
10/04/2005  Coordinated public disclosure
IX. CREDIT

infamous41md@hotpop.com is credited with discovering this vulnerability.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

Free tools, research and upcoming events
http://labs.idefense.com
X. LEGAL NOTICES

Copyright (c) 2005 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.