[VulnWatch] iDEFENSE Security Advisory 09.09.05: GNU Mailutils 0.6 imap4d 'search' Format String Vulnerability

From: iDEFENSE Labs (labs-no-reply_at_idefense.com)
Date: 09/09/05

  • Next message: iDEFENSE Labs: "[VulnWatch] iDEFENSE Security Advisory 09.13.05: Linksys WRT54G Router Remote Administration Fixed Encryption Key Vulnerability"
    Date: Fri, 9 Sep 2005 12:45:20 -0400
    To: <bugtraq@securityfocus.com>, <vulnwatch@vulnwatch.org>, <full-disclosure@lists.grok.org.uk>
    
    

    GNU Mailutils 0.6 imap4d 'search' Format String Vulnerability

    iDEFENSE Security Advisory 09.09.05
    www.idefense.com/application/poi/display?id=303&type=vulnerabilities
    September 09, 2005

    I. BACKGROUND

    The GNU mailutils package is a collection of mail-related
    utilities, including local and remote mailbox access services.
    More information is available at the following site:

        http://www.gnu.org/software/mailutils/mailutils.html

    II. DESCRIPTION

    Remote exploitation of a format string vulnerability in the imap4d
    server within version 0.6 of the GNU Project's Mailutils package could
    allow an authenticated attacker to execute arbitrary code.

    The imap4d server allows remote users to retrieve e-mail via the
    Internet Message Access Protocol, Version 4rev1 as specified in
    RFC3501. This is a client/server protocol supported by a large number
    of e-mail clients on multiple platforms.

    The vulnerability specifically exists in the handling of SEARCH commands
    supplied by the remote user. If a search is made containing format
    specifiers (such as %p or %s), these will be interpreted by the server,
    and returned to the user. The vulnerable code, search.c, lines 198-199,
    are shown below:

      rc = imap4d_search0 (arg, 0, buffer, sizeof buffer);
      return util_finish (command, rc, buffer);

    The vulnerability specifically occurs because the util_finish() function
    expects a format specifier in the 3rd argument, followed by any
    arguments to be formatted. Without a specifier, the function interprets
    the 3rd argument as a format specifier.

    III. ANALYSIS

    Exploitation could allow authenticated remote attackers to execute
    arbitrary commands on an affected system as the authenticated user. This

    may allow access to systems not intended to have interactive users,
    which could allow further compromise. Using format specifiers, it is
    possible to construct a sequence of commands that cause arbitrary values

    to be written to arbitrary locations, allowing arbitrary code execution.

    An example session demonstrating the vulnerability follows:

    sh-2.05b$ netcat 192.168.0.1 143
    * OK IMAP4rev1
    1 LOGIN "user" "password"
    1 OK LOGIN Completed
    2 SELECT "inbox"
    * 23 EXISTS
    * 0 RECENT
    * OK [UIDVALIDITY 1118516013] UID valididy status
    * OK [UIDNEXT 24] Predicted next uid
    * OK [UNSEEN 1] first unseen messsage
    * FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
    * OK [PERMANENTFLAGS (\Answered \Deleted \Seen)] Permanent flags
    2 OK [READ-WRITE] SELECT Completed
    3 SEARCH TOPIC %08x.%08x.%08x.%08x
    3 BAD SEARCH Unknown search criterion (near
    00000040.6e6b6e55.206e776f.72616573)
    4 SEARCH TOPIC %s%s%s
    sh-2.05b$

    The result of the 'SEARCH TOPIC %08x.%08x.%08x.%08x' command contains
    values from the error string supplied to the output function. (6e6b6e55
    converts to 'Unkn', 206e776f converts to 'own ' and 72616573 converts to

    'sear'.) By referencing the values after the fixed string in the error
    message, which are under control of the attacker, and using the '%n'
    format specifier, controllable values can be written to arbitrary memory

    locations, allowing execution of arbitrary code.

    The '%s%s%s' format specifier attempts to treat the first 3 values
    (0x00000040, 0x6e6b6e55 and 0x206e776f) as strings, and causes an access

    violation error, terminating the server connection, dropping the user
    back into their shell. The main server is still active, as the server
    forks a new copy for each connection. This allows multiple exploitation
    attempts.

    IV. DETECTION

    iDEFENSE Labs has verified the existence of this vulnerability in
    versions 0.6 of the GNU Mailutils package. It is suspected that any
    previous versions that contain the imap4d server are also affected.

    V. WORKAROUND

    iDEFENSE is currently unaware of any effective workarounds for this
    issue. Access to the affected host should be filtered at the network
    boundary if global accessibility is not required. Restricting access to
    only trusted hosts and networks may reduce the likelihood of
    exploitation.

    VI. VENDOR RESPONSE

    A vendor advisory for this issue is available at:

    http://savannah.gnu.org/patch/index.php?func=detailitem&item_id=4407

    A patch is available at:

    http://savannah.gnu.org/patch/download.php?item_id=4407&item_file_id=516
    0

    VII. CVE INFORMATION

    A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not
    been assigned yet.

    VIII. DISCLOSURE TIMELINE

    09/08/2005 Initial vendor notification
    09/09/2005 Initial vendor response
    09/09/2005 Coordinated public disclosure

    IX. CREDIT

    The discoverer of this vulnerability wishes to remain anonymous.

    Get paid for vulnerability research
    http://www.idefense.com/poi/teams/vcp.jsp

    Free tools, research and upcoming events
    http://labs.idefense.com

    X. LEGAL NOTICES

    Copyright (c) 2005 iDEFENSE, Inc.

    Permission is granted for the redistribution of this alert
    electronically. It may not be edited in any way without the express
    written consent of iDEFENSE. If you wish to reprint the whole or any
    part of this alert in any other medium other than electronically, please
    email customerservice@idefense.com for permission.

    Disclaimer: The information in the advisory is believed to be accurate
    at the time of publishing based on currently available information. Use
    of the information constitutes acceptance for use in an AS IS condition.
    There are no warranties with regard to this information. Neither the
    author nor the publisher accepts any liability for any direct, indirect,
    or consequential loss or damage arising from use of, or reliance on,
    this information.


  • Next message: iDEFENSE Labs: "[VulnWatch] iDEFENSE Security Advisory 09.13.05: Linksys WRT54G Router Remote Administration Fixed Encryption Key Vulnerability"

    Relevant Pages