 Topic: |
UW-IMAP Netmailbox Name Parsing Buffer Overflow Vulnerability |
| Credit: |
iDEFENSE Labs |
| Date: |
2005.10.05 |
| CWE: |
N/A |
| CVE: |
CVE-2005-2933 (Show details)
Use CVE to see details like:
- CVSS2,
- Affected Software,
- References |
| Risk |
Local |
| Remote |
| High |
No |
| Yes |
UW-IMAP Netmailbox Name Parsing Buffer Overflow Vulnerability
iDEFENSE Security Advisory 10.04.05
www.idefense.com/application/poi/display?id=313&type=vulnerabilities
October 4, 2005
I. BACKGROUND
UW-IMAP is a popular free IMAP service for Linux and UNIX systems and
is distributed with various Linux distributions. More information can
be found at the vendor website:
http://www.washington.edu/imap/
II. DESCRIPTION
Remote exploitation of a buffer overflow vulnerability in the University
of Washington's IMAP Server (UW-IMAP) allows attackers to execute
arbitrary code.
The vulnerability specifically exists due to insufficient bounds
checking on user-supplied values. The mail_valid_net_parse_work()
function in src/c-client/mail.c is responsible for obtaining and
validating the specified mailbox name from user-supplied data. An error
in the parsing of supplied mailbox names will continue to copy memory
after a " character has been parsed until another " character is found
as shown here:
long mail_valid_net_parse_work (char *name,NETMBX *mb,char *service)
{
int i,j;
#define MAILTMPLEN 1024 /* size of a temporary buffer */
char c,*s,*t,*v,tmp[MAILTMPLEN],arg[MAILTMPLEN];
...snip...
if (t - v) { /* any switches or port specification? */
1] strncpy (t = tmp,v,j); /* copy it */
tmp[j] = '
[ ASCII VERSION ]
|
