[UNIX] Cyrus IMSP Remote Root Vulnerability

From: SecuriTeam (support_at_securiteam.com)
Date: 12/18/03

  • Next message: SecuriTeam: "[NT] Doro Allows Gaining Administrative Privileges"
    To: list@securiteam.com
    Date: 18 Dec 2003 12:46:31 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Cyrus IMSP Remote Root Vulnerability
    ------------------------------------------------------------------------

    SUMMARY

    Cyrus IMSP is a implementation of the
    <http://asg.web.cmu.edu/cyrus/rfc/imsp.html> IMSP protocol. The Internet
    Message Support Protocol (IMSP) is "designed to support the provision of
    mail in a medium to large scale operation. It is intended to be used as a
    companion to the IMAP4 protocol [IMAP4], providing services which are
    either outside the scope of mail access or which pertain to environments
    which must run more than one IMAP4 server in the same mail domain. The
    services that IMSP provides are extended mailbox management, configuration
    options, and address books".

    There is a remotely exploitable buffer overflow in the Cyrus IMSPd. The
    vulnerability can be triggered before authentication. The IMSP daemon is
    required to run as root.

    DETAILS

    Vulnerable systems:
     * IMSP versions 1.4, 1.5a6, 1.6a3, and 1.7

    Immune systems:
     * IMSP versions 1.6a4, and 1.7a

    In the function abook_dbname, a sprintf() call takes place. The function
    takes two char pointers (dbname and name), which are later used in the
    sprintf() call:
      sprintf(dbname, abookdb, ownerlen, name, name);

    abookdb is defined as
      static char abookdb[] = "user/%.*s/abook.%s";

    Several functions in the code use abook_dbname() and supply a local char
    buffer of 256 bytes as first argument to the function. Since the second
    argument "name" is controlled by the user in several protocol messages, a
    remotely exploitable buffer overflow is created.

    Solution:
    Andrew Systems Group has released new versions. Older versions are no
    longer supported.
     <ftp://ftp.andrew.cmu.edu/pub/cyrus/cyrus-imspd-v1.6a4.tar.gz>
    ftp://ftp.andrew.cmu.edu/pub/cyrus/cyrus-imspd-v1.6a4.tar.gz
     <ftp://ftp.andrew.cmu.edu/pub/cyrus/cyrus-imspd-v1.7a.tar.gz>
    ftp://ftp.andrew.cmu.edu/pub/cyrus/cyrus-imspd-v1.7a.tar.gz

    And
     <http://ftp.andrew.cmu.edu/pub/cyrus/cyrus-imspd-v1.6a4.tar.gz>
    http://ftp.andrew.cmu.edu/pub/cyrus/cyrus-imspd-v1.6a4.tar.gz
     <http://ftp.andrew.cmu.edu/pub/cyrus/cyrus-imspd-v1.7a.tar.gz>
    http://ftp.andrew.cmu.edu/pub/cyrus/cyrus-imspd-v1.7a.tar.gz

    Vendor communication:
     08.12.2003 Initial notification
     08.12.2003 Rob Siemborski answers
     08.12.2003 Rob Siemborski sends a patch
     09.12.2003 n.runs tests the patch and finds it to be correct
     09.12.2003 CERT VU# assigned
     12.12.2003 Rob Siemborski sends the new versions
     15.12.2003 public release

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:felix.lindner@nruns.com>
    Felix Lindner.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


  • Next message: SecuriTeam: "[NT] Doro Allows Gaining Administrative Privileges"

    Relevant Pages

    • [UNIX] PPPd DoS
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Point-to-Point Protocol for Unix systems". ... It reads in the packet at line 932, ... The loop continues processing the packet as long as len is!= 0. ...
      (Securiteam)
    • [NEWS] Oracle Native Authentication Version 9i and 10g
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Oracle's Native Authentication algorithm has been changed in version 9i ... papers covered the 8i version of the protocol which is used by the thin ... In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. ...
      (Securiteam)
    • [TOOL] Protowalk: Generic Protocol Fuzzer and Protocol Testing Tool
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Generic Protocol Fuzzer and Protocol Testing Tool ... Protowalk is a tool that has been created to allow for developers, ... In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. ...
      (Securiteam)
    • [TOOL] PktAnon - Packet Trace Anonymization Tool
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... PktAnon supports a large number of protocol and anonymization primitives. ...
      (Securiteam)