wu-imap buffer overflow condition

From: Marcell Fodor (m.fodor@mail.datanet.hu)
Date: 05/10/02

• Previous message: Corey J. Steele: "Re: cqure.net.20020412.bordermanager_36_mv1.a"
• Next in thread: Jeff Franklin: "Re: wu-imap buffer overflow condition"
• Reply: Jeff Franklin: "Re: wu-imap buffer overflow condition"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Date: 10 May 2002 15:27:13 -0000
From: Marcell Fodor <m.fodor@mail.datanet.hu>
To: bugtraq@securityfocus.com

('binary' encoding is not supported, stored as-is)

10.05.2002
SECURITY BUG REPORT

Affected version:

    * WU-IMAP 2000.283 default install
    * WU-IMAP 2000.284 default install
    * WU-IMAP 2000.287 default install
    * WU-IMAP 2001.315 compiled with RFC 1730 support

Overview:

Wu-imapd is an easy to set-up IMAP daemon created and
distributed by Washington University. Malicious user is able
to construct a malformed request which will overflow an
internal buffer, and run code on the server with uid/gid of
the e-mail owner. The vulnerability mainly affects free
e-mail providers/mail servers where the user has no shell
access to the system.

Description:

The bug in imapd.c code leads to internal buffer overflow.
It may happen when the user ask for fetching partial mailbox
attributes.

    request will cause server to SIG11 : A0666 PARTIAL 1
BODY[AAA...1052bytes..AAA] 1 1

imapd.c
-------
int main (int argc,char *argv[])
{
  unsigned long i,uid;
  long f;
  char *s,*t,*u,*v,tmp[MAILTMPLEN];
.
.
.

else if (!strncmp (t,"BODY[",5) && (v = strchr(t+5,']')) &&
!v[1]){
          strncpy (tmp,t+5,i = v - (t+5));
.
.
.
else if (!strncmp (t,"BODY.PEEK[",10) &&
             (v = strchr (t+10,']')) && !v[1]) {
          strncpy (tmp,t+10,i = v - (t+10));
.
.
.
-------

The bug is very similar to the one found in Kerberos4 ftp
client. No bound check prior moving user supplied data.
Since the attacker overwrites the server's main stack,
overflow will occur when the user logs out.

Marcell Fodor
-------------
e-mail: m.fodor@mail.datanet.hu
web: http://mantra.freeweb.hu

---

• Previous message: Corey J. Steele: "Re: cqure.net.20020412.bordermanager_36_mv1.a"
• Next in thread: Jeff Franklin: "Re: wu-imap buffer overflow condition"
• Reply: Jeff Franklin: "Re: wu-imap buffer overflow condition"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Gadu-Gadu several vulnerabilities ... Several vulnerabilities were discovered ranging from heap and stack ... of Gadu-Gadu application. ... There is a buffer overflow in the code portion handling sending of images. ... This bug works with the newest build of the ... (Bugtraq) Gadu-Gadu several vulnerabilities ... Several vulnerabilities were discovered ranging from heap and stack ... of Gadu-Gadu application. ... There is a buffer overflow in the code portion handling sending of images. ... This bug works with the newest build of the ... (Full-Disclosure) [Full-Disclosure] Gadu-Gadu several vulnerabilities ... Several vulnerabilities were discovered ranging from heap and stack ... of Gadu-Gadu application. ... There is a buffer overflow in the code portion handling sending of images. ... This bug works with the newest build of the ... (Full-Disclosure) 0verkill - little simple vulnerability. ... There is simple buffer overflow bugs: ... void load_cfg ... GNU gdb 5.0 ... Now we look for second and third bug... ... (Bugtraq) [Full-Disclosure] 0verkill - little simple vulnerability. ... There is simple buffer overflow bugs: ... void load_cfg ... GNU gdb 5.0 ... Now we look for second and third bug... ... (Full-Disclosure)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Mailing-Lists  > securityfocus  > bugtraq  > 2002-05