|
UW-IMAP Netmailbox Name Parsing Buffer Overflow |
|
|
|
|
Sunday, 09 October 2005 |
Summary
"UW-IMAP is a popular free IMAP service for Linux and UNIX systems and is distributed with various Linux distributions."
A buffer overflow vulnerability in UW-IMAP netmailbox name parsing allows attackers to cause the product to execute arbitrary code.
Credit:
The information has been provided by iDEFENSE Labs Security Advisories.
The original article can be found at: http://www.idefense.com/application/poi/display?id=313&type=vulnerabilities
Details
Vulnerable Systems:
* UW-IMAP Netmailbox version imap-2004c1
Immune Systems:
* UW-IMAP Netmailbox version imap-2004g
The vulnerability specifically exists due to insufficient bounds checking on user-supplied values. The mail_valid_net_parse_work() function in src/c-client/mail.c is responsible for obtaining and validating the specified mailbox name from user-supplied data. An error in the parsing of supplied mailbox names will continue to copy memory after a " character has been parsed until another " character is found as shown below:
long mail_valid_net_parse_work (char *name,NETMBX *mb,char *service)
{
int i,j;
#define MAILTMPLEN 1024 /* size of a temporary buffer */
char c,*s,*t,*v,tmp[MAILTMPLEN],arg[MAILTMPLEN];
...snip...
if (t - v) { /* any switches or port specification? */
1] strncpy (t = tmp,v,j); /* copy it */
tmp[j] = �; /* tie it off */
...
if (*t == ") { /* quoted string? */
2] for (v = arg,i = 0,++t; (c = *t++) != ";) { /* Vulnerability */
/* quote next character */
if (c == \) c = *t++;
arg[i++] = c;
}
If an attacker supplies only one " character, the function will continue to copy bytes to the new pointer, overflowing the stack buffer and resulting in arbitrary code execution.
Successful exploitation of the vulnerability will result in the execution of arbitrary code with permissions of the IMAP server. The impact of this vulnerability is slightly reduced due to the requirement of valid credentials, however IMAP servers commonly are used for free webmail systems and other services which may give untrusted users valid credentials. Networks that restrict IMAP service access to trusted users are at low risk.
Vendor Patch:
"The fix is in the following patch to imap-????/src/c-client/mail.c:
*** mail.c 2005/03/17 00:12:22 1.6
--- mail.c 2005/09/15 16:48:46
***************
*** 691,698 ****
--- 691,700 ----
if (c == =) { /* parse switches which take arguments */
if (*t == ") { /* quoted string? */
for (v = arg,i = 0,++t; (c = *t++) != ";) {
+ if (!c) return NIL; /* unterminated string */
/* quote next character */
if (c == \) c = *t++;
+ if (!c) return NIL; /* cant quote NUL either */
arg[i++] = c;
}
c = *t++; /* remember delimiter for later */
CVE Information:
CAN-2005-2933
Disclosure Timeline:
09/15/2005 - Initial vendor notification
09/15/2005 - Initial vendor response
10/04/2005 - Coordinated public disclosure
|