[UNIX] UW-IMAP Netmailbox Name Parsing Buffer Overflow

• Previous message: SecuriTeam: "[NT] Symantec AntiVirus Buffer Overflow"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: list@securiteam.com
Date: 6 Oct 2005 15:46:23 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

  UW-IMAP Netmailbox Name Parsing Buffer Overflow
------------------------------------------------------------------------

SUMMARY

" <http://www.washington.edu/imap/> UW-IMAP is a popular free IMAP service
for Linux and UNIX systems and is distributed with various Linux
distributions."

A buffer overflow vulnerability in UW-IMAP netmailbox name parsing allows
attackers to cause the product to execute arbitrary code.

DETAILS

Vulnerable Systems:
 * UW-IMAP Netmailbox version imap-2004c1

Immune Systems:
 * UW-IMAP Netmailbox version imap-2004g

The vulnerability specifically exists due to insufficient bounds checking
on user-supplied values. The mail_valid_net_parse_work() function in
src/c-client/mail.c is responsible for obtaining and validating the
specified mailbox name from user-supplied data. An error in the parsing of
supplied mailbox names will continue to copy memory after a " character
has been parsed until another " character is found as shown below:

long mail_valid_net_parse_work (char *name,NETMBX *mb,char *service)
{
  int i,j;
#define MAILTMPLEN 1024 /* size of a temporary buffer */
  char c,*s,*t,*v,tmp[MAILTMPLEN],arg[MAILTMPLEN];
    
   ...snip...
    
  if (t - v) { /* any switches or port specification? */
1] strncpy (t = tmp,v,j); /* copy it */
    tmp[j] = '\0'; /* tie it off */

..

    if (*t == '"') { /* quoted string? */
2] for (v = arg,i = 0,++t; (c = *t++) != '"';) { /* Vulnerability */
                /* quote next character */
        if (c == '\\') c = *t++;
        arg[i++] = c;
      }

If an attacker supplies only one " character, the function will continue
to copy bytes to the new pointer, overflowing the stack buffer and
resulting in arbitrary code execution.

Successful exploitation of the vulnerability will result in the execution
of arbitrary code with permissions of the IMAP server. The impact of this
vulnerability is slightly reduced due to the requirement of valid
credentials, however IMAP servers commonly are used for free webmail
systems and other services which may give untrusted users valid
credentials. Networks that restrict IMAP service access to trusted users
are at low risk.

Vendor Patch:
"The fix is in the following patch to imap-????/src/c-client/mail.c:

*** mail.c 2005/03/17 00:12:22 1.6
--- mail.c 2005/09/15 16:48:46
***************
*** 691,698 ****
--- 691,700 ----
         if (c == '=') { /* parse switches which take arguments */
    if (*t == '"') { /* quoted string? */
      for (v = arg,i = 0,++t; (c = *t++) != '"';) {
+ if (!c) return NIL; /* unterminated string */
       /* quote next character */
        if (c == '\\') c = *t++;
+ if (!c) return NIL; /* can't quote NUL either */
        arg[i++] = c;
      }
      c = *t++; /* remember delimiter for later */

CVE Information:
 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2933>
CAN-2005-2933

Disclosure Timeline:
09/15/2005 - Initial vendor notification
09/15/2005 - Initial vendor response
10/04/2005 - Coordinated public disclosure

ADDITIONAL INFORMATION

The information has been provided by
<mailto:idlabs-advisories@lists.idefense.com> iDEFENSE Labs Security
Advisories.
The original article can be found at:
<http://www.idefense.com/application/poi/display?id=313&type=vulnerabilities> http://www.idefense.com/application/poi/display?id=313&type=vulnerabilities

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

• Previous message: SecuriTeam: "[NT] Symantec AntiVirus Buffer Overflow"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]