SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (E-mail Server)  >   IMAP Toolkit (uw-imap) Vendors:   University of Washington
University of Washington IMAP Toolkit ('uw-imap') Has Buffer Overflow That May Let Remote Users Execute Arbitrary Code with User-Level Privileges on the System
SecurityTracker Alert ID:  1004274
SecurityTracker URL:  http://securitytracker.com/id/1004274
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Updated:  May 10 2002
Original Entry Date:  May 10 2002
Impact:   Execution of arbitrary code via network, User access via network

Version(s): 2000.283, 2000.284, and 2000.287 default install; 2001.315 compiled with RFC 1730 support
Description:   A buffer overflow vulnerability was reported in the University of Washington's IMAP mail server software. An authenticated remote user may be able to execute arbitrary code on the IMAP server.

It is reported that an authenticated remote user can send a malformed request to the IMAP server to trigger a buffer overflow. Arbitrary code can be executed with the privileges of the e-mail user account.

According to the report, the vulnerability is in the imapd.c code and is due to the lack of bounds checking on the user-supplied data. The bug may be exploited when the authenticated remote user requests partial mailbox attributes. This can cause user-supplied data to overwrite the server's main stack. The overflow may occur when the user logs out.

Some additional details, including a snapshot of the affected code, are available at the author's web site:

http://mantra.freeweb.hu

Impact:   An authenticated remote user can cause arbitrary code to be executed on the IMAP server with the user and group privileges of the remote user's e-mail account.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.washington.edu/imap/ (Links to External Site)
Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Vendor Issues Patch and Responds) Re: University of Washington IMAP Toolkit ('uw-imap') Has Buffer Overflow That May Let Remote Users Execute Arbitrary Code with User-Level Privileges on the System
The vendor has clarified the conditions under which certain versions are vulnerable and has issued a patch.
(Caldera Issues Fix for OpenLinux) University of Washington IMAP Toolkit ('uw-imap') Has Buffer Overflow That May Let Remote Users Execute Arbitrary Code with User-Level Privileges on the System
The vendor has released a fix.
(Red Hat Issues Fix) University of Washington IMAP Toolkit ('uw-imap') Has Buffer Overflow That May Let Remote Users Execute Arbitrary Code with User-Level Privileges on the System
Red Hat has released a fix.
(Conectiva Issues Fix) University of Washington IMAP Toolkit ('uw-imap') Has Buffer Overflow That May Let Remote Users Execute Arbitrary Code with User-Level Privileges on the System
Conectiva has released a fix.
(Mandrake Issues Fix) University of Washington IMAP Toolkit ('uw-imap') Has Buffer Overflow That May Let Remote Users Execute Arbitrary Code with User-Level Privileges on the System
Mandrake has released a fix.
(Engarde Issues Fix) University of Washington IMAP Toolkit ('uw-imap') Has Buffer Overflow That May Let Remote Users Execute Arbitrary Code with User-Level Privileges on the System
EnGarde has released a fix.



 Source Message Contents

Subject:  WU-imap server buffer overflow condition




Wu-imapd is an easy to set-up IMAP daemon created and 
distributed by Washington University. Malicious user is 
able to construct a malformed request which will overflow 
an internal buffer, and run code on the server with 
uid/gid of the e-mail owner. The vulnerability mainly 
affects free e-mail providers/mail servers where the user 
has no shell access to the system. 

The buffer overflow may happen when the user ask for 
fetching partial mailbox attributes.

more on my website: http://mantra.freeweb.hu

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC