Dovecot POP3/IMAP Cache File Buffer Overflow May Let Remote Users Execute Arbitrary Code
|
|
SecurityTracker Alert ID: 1017288
|
|
SecurityTracker URL: http://securitytracker.com/id?1017288
|
|
CVE Reference: CVE-2006-5973
(Links to External Site)
|
Updated: Nov 28 2006
|
Original Entry Date: Nov 27 2006
|
Impact: Denial of service via network, Execution of arbitrary code via network, User access via network
|
Fix Available: Yes
Vendor Confirmed: Yes
|
Version(s): 1.0test53 through 1.0.rc14
|
Description: A vulnerability was reported in Dovecot. A remote authenticated user may be able to execute arbitrary code on the target system.
When the 'mmap_disable=yes' configuration setting is enabled, a remote authenticated user can send specially crafted data to trigger
a buffer overflow and cause the target service to crash. It may also be possible to execute arbitrary code on the target system,
however, code execution was not confirmed in the report.
|
Impact: A remote authenticated user can cause the target service to crash.
A remote authenticated user may be able to execute arbitrary code on the target system.
|
Solution: The vendor has issued a fixed version (1.0.rc15).
A patch is also available at:
http://dovecot.org/patches/1.0/file-cache-buffer-overflow-fix.diff
The
Dovecot advisory is available at:
http://dovecot.org/list/dovecot-news/2006-November/000023.html
|
Vendor URL: dovecot.org/list/dovecot-news/2006-November/000023.html (Links to External Site)
|
Cause: Boundary error
|
Underlying OS: Linux (Any), UNIX (Any)
|
Reported By: Timo Sirainen <tss@iki.fi>
|
Message History:
None.
|
Source Message Contents
|
Date: Sun Nov 19 00:17:36 UTC 2006
From: Timo Sirainen <tss@iki.fi>
Subject: [Dovecot-news] Security hole #2: Off-by-one buffer overflow with mmap_disable=yes
|
Version: 1.0test53 .. 1.0.rc14 (ie. all 1.0alpha, 1.0beta and 1.0rc
versions so far).
0.99.x versions are safe (they don't even have mmap_disable setting).
Problem: When mmap_disable=yes setting is used, dovecot.index.cache file
is read to memory using "file cache" code. It contains a "mapped pages"
bitmask buffer. In some conditions when updating the buffer it allocates
one byte too little.
Exploitability: I think it's going to be pretty difficult to cause
anything else than a crash, but I wouldn't say impossible. Only logged
in IMAP/POP3 users can exploit this.
In theory you might be able to exploit this for other users as well by
sending them a lot of specially crafted emails, but this requires
knowing what dovecot.index.cache file contains. Normally its contents
can't be predicted, although perhaps with POP3 users it gets empty often
enough that the exploit could be tried. Then again, the exploit requires
having at least 4MB cache file, which won't happen with POP3 users
before the mailbox has about 170k mails (if I counted right).
With IMAP the cache file is used more, so it's easier to fill the 4MB
with for example a lot of To-headers.
Workaround: Use INDEX=MEMORY so the cache files aren't used at all.
Fix: 1.0.rc15 fixes this. You can also use this patch:
http://dovecot.org/patches/1.0/file-cache-buffer-overflow-fix.diff
|
|
