[UNIX] Cyrus Sieve / libSieve Buffer Overflow

From: support@securiteam.com
Date: 12/05/02

    From: support@securiteam.com
    To: list@securiteam.com
    Date: 5 Dec 2002 21:02:26 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Cyrus Sieve / libSieve Buffer Overflow
    ------------------------------------------------------------------------

    SUMMARY

    Cyrus' Sieve implementation has been found to contain multiple buffer
    overflow vulnerabilities. They allow an attacker who can get the server to
    parse a Sieve script (any user with Sieve access qualifies) to execute
    arbitrary code with the privileges of the process parsing the script.

    DETAILS

    Vulnerable systems:
     * libSieve up to and including 2.1.2
     * Cyrus IMAP up to and including 2.1.10

    Cyrus' Sieve implementation contains several classic string-based buffer
    overflows in the script parsing code. Anyone who can execute Sieve
    scripts can exploit these bugs.

    Note that on a Cyrus IMAP server, exploiting this gives the attacker the
    privileges of the cyrus user, which can read every user's mail.

    The overflows are triggered when a script contains a malformed header
    name longer than 100 characters, an IMAP flag name longer than 100
    characters, or enough errors that the accumulated error text exceeds the
    500-character error message buffer. In each case the offending string is
    copied unbounded (strcpy/sprintf) into a fixed-size buffer.
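    The mechanism described above, as an added example that is not code from Cyrus, libSieve or the advisory: an attacker-controlled header name is formatted into a fixed-size error buffer, so the message length grows with the input. The buffer size (ERRBUF_SIZE, 100 bytes, chosen to match the 100-character trigger), the echo limit (MAX_SHOWN), the function names and the 150-byte sample header are all assumptions of this example. It measures what the pre-patch sprintf would write without actually performing the overflow, then shows the patch's snprintf bound beside a variant that also caps how much of the input is echoed, and reproduces the hunk's header-name character check so the error path can be reached on realistic input.

```c
#include <stdio.h>
#include <string.h>

/* Assumed size for this example: the advisory says a header name longer than
 * 100 characters triggers the overflow, so a 100-byte buffer shows the arithmetic. */
#define ERRBUF_SIZE 100
/* Upper bound on attacker-controlled bytes echoed back into a diagnostic. */
#define MAX_SHOWN 40

/* Header-name check with the character classes from the Cyrus hunk: printable
 * US-ASCII (33..126) minus ':' (58). Empty names are rejected. The cast matters:
 * with a signed char, bytes >= 0x80 are negative and must still be rejected. */
int is_valid_header_name(const char *h)
{
    if (*h == '\0')
        return 0;
    for (; *h != '\0'; h++) {
        unsigned char c = (unsigned char)*h;
        if (!((c >= 33 && c <= 57) || (c >= 59 && c <= 126)))
            return 0;
    }
    return 1;
}

/* Bytes, including the NUL, that an unbounded
 * sprintf(errbuf, "header '%s': not a valid header", hdr) would write.
 * snprintf with a NULL buffer and size 0 only measures, so it is safe on any input. */
size_t unbounded_message_len(const char *hdr)
{
    return (size_t)snprintf(NULL, 0, "header '%s': not a valid header", hdr) + 1;
}

/* 1 if the pre-patch sprintf would run past an ERRBUF_SIZE buffer for this name. */
int would_overflow(const char *hdr)
{
    return unbounded_message_len(hdr) > (size_t)ERRBUF_SIZE;
}

/* The patch's approach: snprintf bounded by the buffer size. Memory-safe, but
 * when hdr is long the explanatory suffix is what gets cut. Returns 1 if truncated. */
int format_header_error_truncating(char *buf, size_t n, const char *hdr)
{
    int r = snprintf(buf, n, "header '%s': not a valid header", hdr);
    return r < 0 || (size_t)r >= n;
}

/* Bounded echo: at most MAX_SHOWN bytes of hdr are copied back (with "..." when
 * cut), so the message stays well inside the buffer and the suffix survives.
 * Returns 1 if the buffer was still too small. */
int format_header_error_bounded(char *buf, size_t n, const char *hdr)
{
    const char *ellipsis = strlen(hdr) > (size_t)MAX_SHOWN ? "..." : "";
    int r = snprintf(buf, n, "header '%.*s%s': not a valid header",
                     MAX_SHOWN, hdr, ellipsis);
    return r < 0 || (size_t)r >= n;
}

int main(void)
{
    /* Constructed input: a 150-byte header name containing one space, so it fails
     * validation and reaches the error-formatting path. */
    char hdr[151];
    char errbuf[ERRBUF_SIZE];

    memset(hdr, 'A', sizeof(hdr) - 1);
    hdr[75] = ' ';
    hdr[sizeof(hdr) - 1] = '\0';

    printf("valid=%d, bytes an unbounded sprintf would write=%zu, buffer=%d\n",
           is_valid_header_name(hdr), unbounded_message_len(hdr), ERRBUF_SIZE);
    format_header_error_truncating(errbuf, sizeof(errbuf), hdr);
    printf("snprintf only:  %s\n", errbuf);
    format_header_error_bounded(errbuf, sizeof(errbuf), hdr);
    printf("bounded echo:   %s\n", errbuf);
    return 0;
}
```

    With this example's format string the fixed text accounts for 30 bytes including the terminator, so a 70-character name fits a 100-byte buffer exactly and a 71-character name already overflows; the precision in the bounded variant is what keeps the "not a valid header" explanation visible no matter how long the input is.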

    Fix:
    Apply the included patch. Note that it changes only the yacc (.y) sources;
    you still need to regenerate the .c files from them before rebuilding.
    libSieve 2.1.3 will hopefully also contain more hardening against
    potential buffer overflows.

    diff -ru cyrus-imapd-2.1.10-old/sieve/addr.y
    cyrus-imapd-2.1.10/sieve/addr.y
    --- cyrus-imapd-2.1.10-old/sieve/addr.y 2002-10-28 18:30:18.000000000
    +0200
    +++ cyrus-imapd-2.1.10/sieve/addr.y 2002-12-02 04:52:58.000000000 +0200
    @@ -82,8 +82,9 @@
     /* copy address error message into buffer provided by sieve parser */
     int yyerror(char *s)
     {
    -extern char addrerr[];
    +extern char addrerr[512];
     
    - strcpy(addrerr, s);
    + strncpy(addrerr, s, sizeof(addrerr)-1);
    + addrerr[sizeof(addrerr)-1] = '\0';
         return 0;
     }
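    Review bot: the `extern char addrerr[512];` declaration in yyerror duplicates the array size from wherever addrerr is actually defined (in sieve.y, outside this hunk); if that definition is ever changed to another size, sizeof(addrerr) here silently becomes wrong and the strncpy bound no longer matches the real buffer. Define the size once, e.g. `#define ADDRERR_SIZE 512` in a header shared by the definition and this extern, or pass the destination size into yyerror. The explicit `addrerr[sizeof(addrerr)-1] = '\0';` is correct and necessary, since strncpy does not terminate on truncation.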
    diff -ru cyrus-imapd-2.1.10-old/sieve/sieve.y
    cyrus-imapd-2.1.10/sieve/sieve.y
    --- cyrus-imapd-2.1.10-old/sieve/sieve.y 2002-05-14 19:51:50.000000000
    +0300
    +++ cyrus-imapd-2.1.10/sieve/sieve.y 2002-12-02 03:57:17.000000000 +0200
    @@ -810,7 +810,7 @@
         addrptr = s;
         addrerr[0] = '\0'; /* paranoia */
         if (addrparse()) {
    - sprintf(errbuf, "address '%s': %s", s, addrerr);
    + snprintf(errbuf, sizeof(errbuf), "address '%s': %s", s, addrerr);
      yyerror(errbuf);
      return 0;
         }
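    Review bot: sizeof(errbuf) is only a valid bound if errbuf is a fixed-size array visible in this scope; if it is a char * or a parameter, sizeof yields the pointer size and the call remains unsafe. The hunk does not show the declaration, so confirm it is an array. On truncation the message is still handed to yyerror with no indication it was cut, which is acceptable here, but checking the snprintf return value against sizeof(errbuf) would make that explicit if callers later depend on the full text.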
    @@ -835,7 +835,7 @@
         ; controls, SP, and
         ; ":". */
      if (!((*h >= 33 && *h <= 57) || (*h >= 59 && *h <= 126))) {
    - sprintf(errbuf, "header '%s': not a valid header", hdr);
    + snprintf(errbuf, sizeof(errbuf), "header '%s': not a valid header",
    hdr);
          yyerror(errbuf);
          return 0;
      }
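    Review bot: the snprintf now protects errbuf, but because hdr is printed before the explanation, an over-long header name fills the whole buffer and the "': not a valid header" suffix is dropped from the message the user sees. Limiting the echoed name with a precision, e.g. `"header '%.80s': not a valid header"`, keeps the diagnostic readable for any input length. The range check on *h is performed on a plain char; where char is signed, bytes >= 0x80 are negative and are rejected, which is the desired result, but a cast to unsigned char would make that intent explicit.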
    @@ -853,14 +853,14 @@
      if (strcmp(f, "\\seen") && strcmp(f, "\\answered") &&
          strcmp(f, "\\flagged") && strcmp(f, "\\draft") &&
          strcmp(f, "\\deleted")) {
    - sprintf(errbuf, "flag '%s': not a system flag", f);
    + snprintf(errbuf, sizeof(errbuf), "flag '%s': not a system flag", f);
          yyerror(errbuf);
          return 0;
      }
      return 1;
         }
         if (!imparse_isatom(f)) {
    - sprintf(errbuf, "flag '%s': not a valid keyword", f);
    + snprintf(errbuf, sizeof(errbuf), "flag '%s': not a valid keyword", f);
      yyerror(errbuf);
      return 0;
         }
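    Review bot: the strcmp comparisons against "\\seen", "\\answered" and the other lowercase literals are case-sensitive, while IMAP system flag names are not, so "\Seen" would fall into the `not a system flag` error unless f has been lowercased before this point; the hunk does not show that, so confirm it. Both new snprintf calls echo f in full, so a long flag name pushes the explanation out of errbuf; `"flag '%.80s': ..."` in both would keep it visible.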

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:tss@iki.fi> Timo Sirainen.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ========================================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
