SecurityTracker.com

SecurityTracker Archives

Category:   Application (E-mail Server)  >   IMAP Toolkit (uw-imap) Vendors:   University of Washington
UW-IMAP tmail/dmail Folder Name Buffer Overflow Lets Local Users Gain Elevated Privileges
SecurityTracker Alert ID:  1021131
SecurityTracker URL:  http://securitytracker.com/id/1021131
CVE Reference:   CVE-2008-5005   (Links to External Site)
Updated:  Nov 13 2008
Original Entry Date:  Nov 3 2008
Impact:   Execution of arbitrary code via network, Root access via local system, User access via local system, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 2002 - 2007c
Description:   A vulnerability was reported in UW-IMAP. A local user can gain elevated privileges. A remote authenticated user may be able to execute arbitrary code on the target system.

A local user can set a specially crafted folder name extension via the command line to trigger a buffer overflow in the tmail and dmail mail delivery agents to execute arbitrary code. The code will execute with the privileges of the user or with root privileges, depending on the configuration.

In some configurations, it may be possible for a remote authenticated user to exploit this flaw.

The vendor was notified on October 24, 2008.

Aron Andersson and Jan Sahlin of Bitsec reported this vulnerability.

The original advisory is available at:

http://www.bitsec.com/en/rad/bsa-081103.txt

Impact:   A local user can gain elevated privileges.

A remote authenticated user may be able to execute arbitrary code on the target system.

Solution:   The vendor has issued a fix (imap-2007d).

The vendor's advisory is available at:

http://www.washington.edu/imap/documentation/RELNOTES.html

Vendor URL:  www.washington.edu/imap/ (Links to External Site)
Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Feb 19 2009 (Red Hat Issues Fix) UW-IMAP tmail/dmail Folder Name Buffer Overflow Lets Local Users Gain Elevated Privileges
Red Hat has released a fix for Red Hat Enterprise Linux 3.

Source Message Contents

Subject:  [Full-disclosure] Bitsec Security Advisory: UW/Panda IMAP [dt]mail

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===============================================================================
Bitsec Security Advisory:  UW/Panda IMAP [dt]mail buffer overflow    2008-11-03
===============================================================================

Applications   tmail/dmail in UW IMAP [2002-2007c], Panda IMAP, Alpine <= 2.00 

Discovered by  Aron Andersson <aron.andersson@bitsec.com>,
               Jan Sahlin <jan.sahlin@bitsec.com>
Researched by  Aron Andersson <aron.andersson@bitsec.com>

Reference      http://www.bitsec.com/en/rad/bsa-081103.txt
GPG Key        http://www.bitsec.com/labs.asc

Overview

  tmail and dmail are mail delivery agents that deliver mail to a user's INBOX
  or a designated folder, specified by the folder extension in the user+folder
  argument on the command line. If tmail is used for mail delivery from a
  process whose UID is not the destination user, it must be installed setuid
  root; dmail can be used when the process is run as the destination user.

Problem

  A vulnerability exists in both applications due to missing boundary checks on
  the folder extension argument from the command line. The bug can be exploited
  by overflowing a stack buffer via an overly long folder name.

  For tmail, this could allow for arbitrary code execution as the root user. As
  mentioned, the vulnerability also exists in dmail, but the impact there is
  less critical since dmail usually runs as the recipient user and not as root.

  Depending on the mailer daemon and configuration in use, this bug may also
  be remotely exploitable.

  The bug is caused by the following pieces of code:
  [tmail.c]
    char *getusername (char *s,char **t)
    {
      char tmp[MAILTMPLEN];
      if (*t = strchr (s,'+')) {    /* have a mailbox specifier? */
        *(*t)++ = '\0';             /* yes, tie off user name */
                                    /* user+ and user+INBOX same as user */
        if (!**t || !strcmp ("INBOX",ucase (strcpy (tmp,*t)))) *t = NIL;
      }
      return s;                     /* return user name */
    }

  [dmail.c]
    int deliver (FILE *f,unsigned long msglen,char *user)
    {
      MAILSTREAM *ds = NIL;
      char *s,*mailbox,tmp[MAILTMPLEN],path[MAILTMPLEN];
      STRING st;
      struct stat sbuf;
                                    /* have a mailbox specifier? */
      if (mailbox = strchr (user,'+')) {
        *mailbox++ = '\0';          /* yes, tie off user name */
        if (!*mailbox || !strcmp ("INBOX",ucase (strcpy (tmp,mailbox))))
          mailbox = NIL;            /* user+ and user+INBOX same as user */
      }
    (..)

  The user+folder command line argument reaches deliver() and getusername()
  through the char pointers 's' and 'user', respectively. The folder part is
  separated from the user and copied to the buffer 'tmp'. Since 'tmp' is placed
  on the stack, an overly long folder name can be used to overwrite stack data,
  including but not limited to the saved EIP.
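
  The boundary condition described above, as an added example (this is not
  code from the advisory, from UW IMAP or from the vendor's 2007d patch): a
  hardened variant of the user+folder parsing that keeps the original's
  semantics (user, user+ and user+INBOX all mean INBOX) but never copies the
  folder part into a fixed stack buffer. The value of MAILTMPLEN is assumed to
  be 1024; only the bound matters. The helper classify_long_folder() builds a
  constructed argument of a chosen length so the exact off-by-NUL edge can be
  probed: a folder of MAILTMPLEN-1 characters still fits in tmp[MAILTMPLEN],
  a folder of MAILTMPLEN characters does not, because strcpy also writes the
  terminating NUL.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed value: the size of the on-stack tmp[] buffer that getusername()
 * and deliver() strcpy the folder part into. Only the bound matters here. */
#define MAILTMPLEN 1024

/* Case-insensitive test for "INBOX" done in place. Replaces
 * ucase(strcpy(tmp,t)): no copy is made, so there is no buffer to overflow. */
static int is_inbox(const char *t)
{
    const char *want = "INBOX";
    for (; *want && *t; want++, t++)
        if (toupper((unsigned char)*t) != *want) return 0;
    return !*want && !*t;
}

/* Hardened replacement for getusername()'s parsing (example code, not the
 * vendor's fix). Splits s at the first '+', ties off the user name in place
 * and sets *folder to the folder part, or to NULL for "user", "user+" and
 * "user+INBOX" (any case), as the original does. Returns -1 instead of
 * proceeding if the folder part would not fit a MAILTMPLEN buffer. */
int getusername_safe(char *s, char **folder)
{
    char *t;

    *folder = NULL;
    t = strchr(s, '+');
    if (!t) return 0;                 /* no mailbox specifier: INBOX */
    *t++ = '\0';                      /* tie off user name */
    if (!*t) return 0;                /* "user+" is the same as "user" */
    if (strlen(t) >= MAILTMPLEN)      /* strlen+NUL would overflow tmp[] */
        return -1;
    if (is_inbox(t)) return 0;        /* "user+INBOX" is the same as "user" */
    *folder = t;
    return 0;
}

/* Classify a command-line argument before any fixed-size buffer is touched:
 *   0  delivers to INBOX
 *   1  delivers to a named folder that fits in MAILTMPLEN
 *  -1  folder part too long; the argument must be rejected
 * Works on a heap copy so the caller's string is left intact. */
int classify_arg(const char *arg)
{
    size_t n = strlen(arg);
    char *copy = malloc(n + 1);
    char *folder;
    int rc;

    if (!copy) return -1;
    memcpy(copy, arg, n + 1);
    rc = getusername_safe(copy, &folder);
    if (rc == 0 && folder) rc = 1;
    free(copy);
    return rc;
}

/* Constructed input standing in for an attacker-controlled argv[1]:
 * "user+" followed by folder_len 'A' characters. */
int classify_long_folder(size_t folder_len)
{
    const char prefix[] = "user+";
    size_t len = sizeof(prefix) - 1 + folder_len;
    char *arg = malloc(len + 1);
    int rc;

    if (!arg) return -1;
    memcpy(arg, prefix, sizeof(prefix) - 1);
    memset(arg + sizeof(prefix) - 1, 'A', folder_len);
    arg[len] = '\0';
    rc = classify_arg(arg);
    free(arg);
    return rc;
}

int main(void)
{
    const char *samples[] = { "alice", "alice+", "alice+inbox", "alice+Sent" };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-12s -> %d\n", samples[i], classify_arg(samples[i]));
    printf("folder of %d chars -> %d\n", MAILTMPLEN - 1,
           classify_long_folder(MAILTMPLEN - 1));
    printf("folder of %d chars -> %d\n", MAILTMPLEN,
           classify_long_folder(MAILTMPLEN));
    return 0;
}
```

  The check has to be strlen(t) >= MAILTMPLEN, not >: a folder name of
  exactly MAILTMPLEN bytes overruns tmp[] by the single NUL byte strcpy
  appends, which is the kind of edge a length check written from memory gets
  wrong. Rejecting the argument outright (rather than truncating it) also
  avoids silently delivering to a folder the sender did not name.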

Exploit
  
  A proof-of-concept exploit for this vulnerability has been developed but will
  not be publicly released until 2008-11-10, by which time it can be found at

    http://www.bitsec.com/en/rad/bsa-081103.c

Fix
  
  Upgrade to the latest version from your IMAP vendor:

  - UW IMAP: 2007d
    http://www.washington.edu/imap/

  - Panda IMAP: tmail ver 2008.24, dmail ver 2008.19  
    http://www.panda.com/imap/

  - Alpine: No fix, tmail/dmail users should get UW IMAP 2007d
    http://www.washington.edu/alpine/

Disclosure Timeline

  2008-10-24 Notified developers (Mark Crispin, Steve Hubert)
  2008-10-27 Received response from developers
  2008-10-27 Panda IMAP patched
  2008-10-30 UW IMAP patched
  2008-11-03 Public release

===============================================================================
Bitsec Security Advisory:  UW/Panda IMAP [dt]mail buffer overflow    2008-11-03
===============================================================================
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFJDuPnzx20c5GX95oRApDFAKCLzTOOPmHsoGCcgxkbZvtCSFQujgCgugO/
yjilZ4XHBYXTPEXbVVnS7Rk=
=OsgS
-----END PGP SIGNATURE-----

Copyright 2020, SecurityGlobal.net LLC