Bug: UW/Panda IMAP [dt]mail buffer overflow


Published:  2008.11.11
Credit:     Bitsec Labs
Risk:       High
CWE:        CWE-119
CVE:        CVE-2008-5005
Local:      No
Remote:     Yes

CVSS Base Score:          10/10
Impact Subscore:          10/10
Exploitability Subscore:  10/10
Exploit range:            Remote
Attack complexity:        Low
Authentication:           Not required
Confidentiality impact:   Complete
Integrity impact:         Complete
Availability impact:      Complete

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===============================================================================
Bitsec Security Advisory: UW/Panda IMAP [dt]mail buffer overflow 2008-11-03
===============================================================================

Applications tmail/dmail in UW IMAP [2002-2007c], Panda IMAP, Alpine <= 2.00

Discovered by Aron Andersson <aron.andersson (at) bitsec (dot) com>,
Jan Sahlin <jan.sahlin (at) bitsec (dot) com>
Researched by Aron Andersson <aron.andersson (at) bitsec (dot) com>

Reference http://www.bitsec.com/en/rad/bsa-081103.txt
GPG Key http://www.bitsec.com/labs.asc

Overview

tmail and dmail are mail delivery agents that deliver mail to a user's INBOX
or a designated folder, specified by the folder extension in the user+folder
argument on the command line. If tmail is used for mail delivery from a
process whose UID is not the destination user, it must be installed setuid
root; dmail can be used when the process is run as the destination user.

Problem

A vulnerability exists in both applications due to missing boundary checks on
the folder extension argument from the command line. The bug can be exploited
by overflowing a stack buffer via an overly long folder name.

For tmail, this could allow for arbitrary code execution as the root user. As
mentioned the vulnerability also exists for dmail, but the impact is a bit
less critical since it usually runs as the recipient user and not root.

Depending on the mailer daemon and configuration in use, this bug may also
be remotely exploitable.

The bug is caused by the following pieces of code:
[tmail.c]
char *getusername (char *s,char **t)
{
  char tmp[MAILTMPLEN];
  if (*t = strchr (s,'+')) {    /* have a mailbox specifier? */
    *(*t)++ = '\0';             /* yes, tie off user name */
                                /* user+ and user+INBOX same as user */
    if (!**t || !strcmp ("INBOX",ucase (strcpy (tmp,*t)))) *t = NIL;
  }
  return s;                     /* return user name */
}

[dmail.c]
int deliver (FILE *f,unsigned long msglen,char *user)
{
  MAILSTREAM *ds = NIL;
  char *s,*mailbox,tmp[MAILTMPLEN],path[MAILTMPLEN];
  STRING st;
  struct stat sbuf;
                                /* have a mailbox specifier? */
  if (mailbox = strchr (user,'+')) {
    *mailbox++ = '\0';          /* yes, tie off user name */
    if (!*mailbox || !strcmp ("INBOX",ucase (strcpy (tmp,mailbox))))
      mailbox = NIL;            /* user+ and user+INBOX same as user */
  }
  (..)

The user+folder command line argument reaches deliver() and getusername()
through the char pointers 's' and 'user', respectively. The folder part is
separated from the user and copied to the buffer 'tmp'. Since 'tmp' is placed
on the stack, an overly long folder name can be used to overwrite stack data,
including but not limited to the saved EIP.
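The boundary check that the advisory reports missing, shown as an added example that is not Bitsec's or UW IMAP's code: the same user+folder split that getusername() and deliver() perform, but with the folder part's length tested against the buffer before the strcpy(). The value of MAILTMPLEN (1024 here) and the ucase() stand-in are assumptions; c-client defines its own.

```c
/* Added example, not UW IMAP or Bitsec code: the user+folder split from
 * getusername()/deliver() with the missing length check added.  MAILTMPLEN's
 * value and the ucase() stand-in are assumptions; c-client defines its own. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define MAILTMPLEN 1024   /* assumed size of the stack buffer 'tmp' */

/* Stand-in for c-client's ucase(): upper-case s in place and return it. */
static char *ucase(char *s)
{
    for (char *p = s; *p; p++)
        *p = (char)toupper((unsigned char)*p);
    return s;
}

/* Split "user+folder" in place.  On success returns 0, truncates s to the
 * user name and sets *folder to the folder part, or to NULL when the
 * specifier is absent, empty, or INBOX (same meaning as the original).
 * Returns -1 and leaves s untouched when the folder part would not fit in
 * tmp[MAILTMPLEN]: this is the boundary check the advisory reports missing. */
int split_user_folder(char *s, char **folder)
{
    char tmp[MAILTMPLEN];
    char *t = strchr(s, '+');

    *folder = NULL;
    if (!t)
        return 0;                            /* plain user name */
    if (strlen(t + 1) >= MAILTMPLEN)         /* room for the NUL as well */
        return -1;
    *t++ = '\0';                             /* tie off user name */
    strcpy(tmp, t);                          /* now provably in bounds */
    if (!*t || !strcmp("INBOX", ucase(tmp)))
        return 0;                            /* user+ and user+INBOX == user */
    *folder = t;
    return 0;
}

/* Check helper: copy arg into a writable buffer, split it and compare with the
 * expected return code, user name and folder (NULL folder means INBOX).
 * Returns 1 when the outcome matches, 0 otherwise. */
int check_split(const char *arg, int want_rc, const char *want_user,
                const char *want_folder)
{
    char buf[2 * MAILTMPLEN];
    char *folder = NULL;
    int rc;

    if (strlen(arg) >= sizeof buf)
        return 0;
    strcpy(buf, arg);
    rc = split_user_folder(buf, &folder);
    if (rc != want_rc)
        return 0;
    if (rc != 0)
        return 1;                            /* rejected, as expected */
    if (strcmp(buf, want_user) != 0)
        return 0;
    if (want_folder == NULL)
        return folder == NULL;
    return folder != NULL && strcmp(folder, want_folder) == 0;
}

/* Constructed over-long argument: "eve+" followed by MAILTMPLEN 'A's, one
 * byte more than tmp can hold with its terminator.  Returns 1 when the split
 * rejects it without modifying the argument. */
int overlong_is_rejected(void)
{
    char buf[MAILTMPLEN + 16];
    char *folder = NULL;

    memcpy(buf, "eve+", 4);
    memset(buf + 4, 'A', MAILTMPLEN);
    buf[4 + MAILTMPLEN] = '\0';
    return split_user_folder(buf, &folder) == -1 && folder == NULL && buf[3] == '+';
}

int main(void)
{
    printf("alice+Sent   %s\n", check_split("alice+Sent", 0, "alice", "Sent") ? "ok" : "FAIL");
    printf("bob+inbox    %s\n", check_split("bob+inbox", 0, "bob", NULL) ? "ok" : "FAIL");
    printf("carol+       %s\n", check_split("carol+", 0, "carol", NULL) ? "ok" : "FAIL");
    printf("dave         %s\n", check_split("dave", 0, "dave", NULL) ? "ok" : "FAIL");
    printf("over-long    %s\n", overlong_is_rejected() ? "rejected" : "FAIL");
    return 0;
}
```

In a delivery agent the -1 path would become a delivery failure reported to the caller before anything is copied; because tmail runs setuid root, rejecting the argument before the copy is the only safe order, which is why the check sits ahead of strcpy() rather than relying on truncation afterwards.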

Exploit

A proof-of-concept exploit for this vulnerability has been developed but will
not be publicly released until 2008-11-10, by which time it can be found at

http://www.bitsec.com/en/rad/bsa-081103.c

Fix

Upgrade to the latest version from your IMAP vendor:

- UW IMAP: 2007d
http://www.washington.edu/imap/

- Panda IMAP: tmail ver 2008.24, dmail ver 2008.19
http://www.panda.com/imap/

- Alpine: No fix, tmail/dmail users should get UW IMAP 2007d
http://www.washington.edu/alpine/

Disclosure Timeline

2008-10-24 Notified developers (Mark Crispin, Steve Hubert)
2008-10-27 Received response from developers
2008-10-27 Panda IMAP patched
2008-10-30 UW IMAP patched
2008-11-03 Public release

===============================================================================
Bitsec Security Advisory: UW/Panda IMAP [dt]mail buffer overflow 2008-11-03
===============================================================================
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFJDuPnzx20c5GX95oRApDFAKCLzTOOPmHsoGCcgxkbZvtCSFQujgCgugO/
yjilZ4XHBYXTPEXbVVnS7Rk=
=OsgS
-----END PGP SIGNATURE-----

References:

https://bugzilla.redhat.com/show_bug.cgi?id=469667
http://mailman2.u.washington.edu/pipermail/imap-uw/2008-October/002267.html
http://www.securityfocus.com/archive/1/archive/1/498002/100/0/threaded
http://www.openwall.com/lists/oss-security/2008/11/03/5
http://www.openwall.com/lists/oss-security/2008/11/03/4
http://www.openwall.com/lists/oss-security/2008/11/03/3
http://www.bitsec.com/en/rad/bsa-081103.txt
http://securitytracker.com/id?1021131
http://secunia.com/advisories/32483
http://panda.com/imap/
http://marc.info/?l=full-disclosure&m=122572590212610&w=4
http://mailman2.u.washington.edu/pipermail/imap-uw/2008-October/002268.html
