UW-IMAP Netmailbox Name Parsing Buffer Overflow Vulnerability

Credit: iDEFENSE Labs
Risk: High
Local: No
Remote: Yes
CWE: CWE-Other

CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

UW-IMAP Netmailbox Name Parsing Buffer Overflow Vulnerability iDEFENSE Security Advisory 10.04.05 www.idefense.com/application/poi/display?id=313&type=vulnerabilities October 4, 2005 I. BACKGROUND UW-IMAP is a popular free IMAP service for Linux and UNIX systems and is distributed with various Linux distributions. More information can be found at the vendor website: http://www.washington.edu/imap/ II. DESCRIPTION Remote exploitation of a buffer overflow vulnerability in the University of Washington's IMAP Server (UW-IMAP) allows attackers to execute arbitrary code. The vulnerability specifically exists due to insufficient bounds checking on user-supplied values. The mail_valid_net_parse_work() function in src/c-client/mail.c is responsible for obtaining and validating the specified mailbox name from user-supplied data. An error in the parsing of supplied mailbox names will continue to copy memory after a " character has been parsed until another " character is found as shown here: long mail_valid_net_parse_work (char *name,NETMBX *mb,char *service) { int i,j; #define MAILTMPLEN 1024 /* size of a temporary buffer */ char c,*s,*t,*v,tmp[MAILTMPLEN],arg[MAILTMPLEN]; ...snip... if (t - v) { /* any switches or port specification? */ 1] strncpy (t = tmp,v,j); /* copy it */ tmp[j] = '

Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2023, cxsecurity.com


Back to Top