SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (E-mail Server)  >   Fetchmail Vendors:   Raymond, Eric S.
(EnGarde Secure Linux Issues Fix) Re: Fetchmail Executes Arbitrary Code Supplied By Remote Servers
SecurityTracker Alert ID:  1002211
SecurityTracker URL:  http://securitytracker.com/id/1002211
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Aug 17 2001
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 5.8.17
Description:   A memory modification vulnerability was reported in Fetchmail, allowing remote users to execute arbitrary code on the fetchmail server in certain situations.

It is reported that flaws in the pop3.c and imap.c files allow a remote user to 'poke' arbitrary memory addresses with 32 bit data. A remote user that is impersonating a POP3 or IMAP server that fetchmail queries can trigger this vulnerability. If the remote user can spoof the fetchmail server's DNS, then the remote user can potentially trigger the vulnerability without impersonating the POP3 or IMAP mail server.

Some demonstration exploit code is included in the Source Message.

Impact:   A remote user can cause fetchmail to execute arbitrary code with the privileges of the user account running fetchmail.
Solution:   EnGarde Secure Linux has issued a fix for their distribution. See the Source Message for details.
Vendor URL:  www.tuxedo.org/~esr/fetchmail/ (Links to External Site)
Cause:   Input validation error
Underlying OS:  Linux (EnGarde)

Message History:   This archive entry is a follow-up to the message listed below.
Aug 11 2001 Fetchmail Executes Arbitrary Code Supplied By Remote Servers



 Source Message Contents

Subject:  [ESA-20010816-01] fetchmail-ssl memory overwrite vulnerability


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


+------------------------------------------------------------------------+
| EnGarde Secure Linux Security Advisory                 August 16, 2001 |
| http://www.engardelinux.org/                           ESA-20010816-01 |
|                                                                        |
| Package:  fetchmail-ssl                                                |
| Summary:  fetchmail-ssl contains a memory overwrite vulnerability.     |
+------------------------------------------------------------------------+

  EnGarde Secure Linux is a secure distribution of Linux that features
  improved access control, host and network intrusion detection, Web
  based secure remote management, complete e-commerce using AllCommerce,
  and integrated open source security tools.


OVERVIEW
- --------
  There is a remotely exploitable memory overwrite vulnerability in the
  fetchmail-ssl package.  An exploit is known to exist.


DETAIL
- ------
  While doing a routine security audit of the fetchmail package (named
  "fetchmail-ssl" in EnGarde), Salvatore Sanfilippo found two remotely
  exploitable bugs in both the imap and pop3 code.  Lack of bounds
  checking may allow an attacker to write arbitrary data into memory.

  The attacker must have control of the mail server the client (using
  fetchmail) is attempting to contact in order to exploit this
  vulnerability.


SOLUTION
- --------
  All users should upgrade to the most recent version, as outlined in
  this advisory.

  Guardian Digital recently made available the Guardian Digital Secure
  Update, a means to proactively keep systems secure and manage 
  system software. EnGarde users can automatically update their system
  using the Guardian Digital WebTool secure interface.

  If choosing to manually upgrade this package, updates can be
  obtained from:

    ftp://ftp.engardelinux.org/pub/engarde/stable/updates/
    http://ftp.engardelinux.org/pub/engarde/stable/updates/

  Before upgrading the package, the machine must either:

    a) be booted into a "standard" kernel; or
    b) have LIDS disabled.

  To disable LIDS, execute the command:

    # /sbin/lidsadm -S -- -LIDS_GLOBAL

  To install the updated package, execute the command:

    # rpm -Uvh <filename>

  To re-enable LIDS (if it was disabled), execute the command:

    # /sbin/lidsadm -S -- +LIDS_GLOBAL

  To verify the signature of the updated packages, execute the command:

    # rpm -Kv <filename>


UPDATED PACKAGES
- ----------------
  These updated packages are for EnGarde Secure Linux 1.0.1 (Finestra).

  Source Packages:

    SRPMS/fetchmail-ssl-5.8.17-1.0.3.src.rpm
      MD5 Sum:  31f14d5c99dbfd6c61178e2e831362db

  Binary Packages:

    i386/fetchmail-ssl-5.8.17-1.0.3.i386.rpm
      MD5 Sum:  244840700bfbb09078ff246791ae49a3

    i686/fetchmail-ssl-5.8.17-1.0.3.i686.rpm
      MD5 Sum:  03e5c25d5ba62f4370c1e234f1b3b5dd


REFERENCES
- ----------

  Guardian Digital's public key:
    http://ftp.engardelinux.org/pub/engarde/ENGARDE-GPG-KEY

  Credit for the discovery of this bug goes to:
    Salvatore Sanfilippo <antirez@invece.org>

  fetchmail's Official Web Site:
    http://www.tuxedo.org/~esr/fetchmail/

  Security Contact:    security@guardiandigital.com
  EnGarde Advisories:  http://www.engardelinux.org/advisories.html

- --------------------------------------------------------------------------
$Id: ESA-20010816-01-fetchmail-ssl,v 1.1 2001/08/16 13:12:17 rwm Exp $
- --------------------------------------------------------------------------
Author: Ryan W. Maple, <ryan@guardiandigital.com> 
Copyright 2001, Guardian Digital, Inc.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE7e8wyHD5cqd57fu0RAqVmAJ92qE77h61fV4u7+3D6YdTCUn3J1wCfccHM
KqsFrab9TpqjGEHYi7HwCFs=
=/VtX
-----END PGP SIGNATURE-----

------------------------------------------------------------------------
     To unsubscribe email engarde-security-request@engardelinux.org
         with "unsubscribe" in the subject of the message.

Copyright(c) 2001 Guardian Digital, Inc.                EnGardeLinux.org
------------------------------------------------------------------------




 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC