
List:       bugtraq
Subject:    Remote vulnerability in pop2d
From:       Chris Evans <chris () FERRET ! LMH ! OX ! AC ! UK>
Date:       1999-05-26 19:37:13

Hi

Firstly, sorry if any details are hazy - this is from memory (it's two
months since I last looked at this). This bug concerns the pop-2 daemon,
which is a part of the Washington University imap package.

I've been waiting for a CERT advisory, but one doesn't seem to be
forthcoming. Two and a half months is a long time. Also, the problem has
been fixed for a long time. I'm posting because

a) A fixed full release is available, so people should know about it
b) The flaw is fairly basic and easy to spot, so active exploitation could
well be happening

Quick details
=============

Compromise possible:  remote users can get a shell as user "nobody"
If:                   running pop-2d v4.4 or earlier

Fixed version:        imap-4.5, available now.


Not vulnerable
==============
RedHat-6.0 isn't vulnerable because imap-4.5 was shipped.

Vulnerable
==========

Anyone who shipped the pop-2 component of imap-4.4 or earlier, including
earlier RedHat releases.


Details of flaw
===============

pop-2 and pop-3 support the concept of an "anonymous proxy" whereby remote
users can connect and open an imap mailbox on _any server they have a
valid account on_. An attacker connects to the vulnerable pop-2 port and
connects it to an imap server under their control. Once logged on, issuing
a "FOLD" command with a long arg will cause an overflow of a stack-based
buffer.

The arg to FOLD must be somewhere around 1000 bytes - not much bigger, not
much smaller. Look at the source.
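As an added illustration (not the WU-IMAP pop2d source, which is not reproduced here), the following C shows the mitigation for the class of bug described above: a FOLD handler that measures the client-supplied argument and refuses anything that would not fit its fixed stack buffer, instead of copying it unchecked. The 255-byte limit, the function names and the constructed probe input are assumptions made for this example.

```c
/* Added illustration, not the WU-IMAP pop2d source: a bounded POP2 FOLD
 * handler that rejects over-long arguments instead of copying them into
 * a fixed stack buffer.  FOLD_MAX and the function names are assumptions. */
#include <stdio.h>
#include <string.h>

#define FOLD_MAX 255  /* assumed folder-name limit of the stack buffer */

/* Returns 1 for a well-formed "FOLD <name>" line whose name fits in
 * `folder` (folder_len includes the NUL), 0 for any other command, and
 * -1 for a missing or over-long argument.  A ~1000-byte argument, the
 * size the advisory mentions, is refused here rather than strcpy'd. */
int handle_fold(const char *line, char *folder, size_t folder_len) {
    const char *arg;
    size_t n;

    if (strncmp(line, "FOLD ", 5) != 0)
        return 0;
    arg = line + 5;
    n = strcspn(arg, "\r\n");        /* argument ends at the line terminator */
    if (n == 0 || n >= folder_len)   /* empty, or no room for name + NUL */
        return -1;
    memcpy(folder, arg, n);
    folder[n] = '\0';
    return 1;
}

/* Constructed probe: feeds "FOLD " + arg_len 'A's + CRLF to handle_fold
 * with a FOLD_MAX+1 byte buffer and returns its verdict. */
int probe_fold(size_t arg_len) {
    static char line[2100];
    char folder[FOLD_MAX + 1];

    if (arg_len > 2000)
        arg_len = 2000;
    memcpy(line, "FOLD ", 5);
    memset(line + 5, 'A', arg_len);
    memcpy(line + 5 + arg_len, "\r\n", 3);  /* includes the terminating NUL */
    return handle_fold(line, folder, sizeof folder);
}

int main(void) {
    char folder[FOLD_MAX + 1];
    int rc = handle_fold("FOLD INBOX\r\n", folder, sizeof folder);
    printf("FOLD INBOX -> %d (%s)\n", rc, rc == 1 ? folder : "rejected");
    printf("FOLD with 1000-byte argument -> %d\n", probe_fold(1000));
    return 0;
}
```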

Additional
==========

I think the concept of "anonymous proxy" is just fundamentally insecure.
It opens up a large code path for remote users to explore, i.e. the
protocol parsing of imap, etc.

The author of imap very responsibly includes a compile time flag to
disable this in 4.5.

Better still, RedHat-6.0 ships with the proxy disabled.


Cheers
Chris
