Subject: Re: imapd4r1 v12.264
From: Sven Carstens (s.carstensGMX.DE)
Date: Mon Apr 17 2000 - 08:04:41 CDT


On Sun, 16 Apr 2000, Michal Zalewski <lcamtufDIONE.IDS.PL> wrote:
> Newest RH:
>
> * OK nimue IMAP4rev1 v12.264 server ready

This is the imap-4.7 package from the University of Washington.

> 1 login lcamtuf test
> 1 OK LOGIN completed
> 1 list "" AAAAAAAAAAAAAAAAAAAAAAAAAAA...[yes, a lot of 'A's ;]
> Program received signal SIGSEGV, Segmentation fault.
> 0x41414141 in ?? ()
>

To segfault, the number of A's has to be in the range 1023 < #A < 8180.
If the command line including CR/LF is longer than 8192, an error message is
displayed.

The segfaults are in the nntp, mh, news and dummy drivers.
In all of these modules the subroutine <name>_canonicalize will happily strcpy and
strcat the user-supplied arguments into fixed-size buffers, normally of
MAILTMPLEN = 1024 bytes.

Quick workaround:
- remove these modules (if you don't require them) from the linkage list

To do this change imapd.c around line 247
remove this line:

#include "linkage.c"

and manually add the drivers and authenticators you need:
  mail_link (&mboxdriver); /* link in the mbox driver */
  mail_link (&imapdriver); /* link in the imap driver */
/* mail_link (&nntpdriver); /* link in the nntp driver */
  mail_link (&pop3driver); /* link in the pop3 driver */
/* mail_link (&mhdriver); /* link in the mh driver */
  mail_link (&mxdriver); /* link in the mx driver */
  mail_link (&mbxdriver); /* link in the mbx driver */
  mail_link (&tenexdriver); /* link in the tenex driver */
  mail_link (&mtxdriver); /* link in the mtx driver */
  mail_link (&mmdfdriver); /* link in the mmdf driver */
  mail_link (&unixdriver); /* link in the unix driver */
/* mail_link (&newsdriver); /* link in the news driver */
  mail_link (&philedriver); /* link in the phile driver */
/* mail_link (&dummydriver); /* link in the dummy driver */
  auth_link (&auth_md5); /* link in the md5 authenticator */
  auth_link (&auth_log); /* link in the log authenticator */

This list is taken from my default install. You might have extra
authenticators in your configuration. See the file
imap-4.7/c-client/linkage.c
for the drivers of your choice.

It might also be wise to remove all unneeded drivers from the list to gain
speed/security.

There are sure as hell a lot more careless strcpy's inside this code.

BTW: Looking for another library for mail folder access!

> *sigh*
>
> Privileges seem to be dropped, but, anyway, it's a nice way to get shell
> access to a mail account, maybe grab some data from memory etc. I believe
> both the imap and ipopd packages need a code security audit.
>

The security audit is really needed for all of the drivers in the c-client.
(Anyone care for a Y2K bug in this?)

CU Sven
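The pattern Sven describes, shown as an added example rather than c-client's own code: an unchecked strcpy/strcat into a MAILTMPLEN-sized temporary next to a length-checked version that refuses oversized input, plus a small model of which LIST argument lengths reach the overflow before the 8192-byte line limit rejects them. The function shapes and names (canonicalize_unsafe, canonicalize_safe, list_outcome) are assumptions for illustration; the 10-byte prefix length is derived from the posted `1 list "" ` transcript, and the 1024 and 8192 limits are the values stated in the message.

```c
/*
 * Added illustration, not c-client code: the strcpy/strcat pattern from the
 * post beside a bounds-checked form, and a model of the LIST argument lengths
 * that reach the overflow before the line-length check rejects them.
 */
#include <stdio.h>
#include <string.h>

#define MAILTMPLEN 1024   /* c-client's temp buffer size, as stated in the post */
#define MAXLINE    8192   /* line limit including CR/LF, as stated in the post */

/* Hypothetical reconstruction of the unsafe pattern: ref and pattern are
 * copied/appended into a fixed MAILTMPLEN buffer with no length check.
 * Never call it with ref+pattern >= MAILTMPLEN bytes; that is the overflow. */
static int canonicalize_unsafe(char *pat, const char *ref, const char *pattern)
{
    char tmp[MAILTMPLEN];
    strcpy(tmp, ref ? ref : "");
    strcat(tmp, pattern);
    strcpy(pat, tmp);
    return 1;
}

/* Hardened form: compute the needed length first and refuse (return 0)
 * instead of writing past either the temp buffer or the caller's buffer. */
static int canonicalize_safe(char *pat, size_t patlen,
                             const char *ref, const char *pattern)
{
    size_t reflen = ref ? strlen(ref) : 0;
    size_t plen;
    if (!pat || !pattern) return 0;
    plen = strlen(pattern);
    if (reflen + plen + 1 > MAILTMPLEN) return 0;   /* would not fit the temp buffer */
    if (reflen + plen + 1 > patlen)     return 0;   /* would not fit the output */
    memcpy(pat, ref ? ref : "", reflen);
    memcpy(pat + reflen, pattern, plen + 1);        /* plen + 1 copies the NUL too */
    return 1;
}

/* Outcome of `1 list "" <n x 'A'>` against the numbers in the post.
 * The prefix `1 list "" ` is 10 bytes and CR/LF adds 2, so the line is n + 12.
 *   0: fits the buffer, 1: reaches the overflowing strcpy/strcat,
 *   2: rejected first by the MAXLINE check. */
static int list_outcome(size_t n)
{
    if (n + 12 > MAXLINE) return 2;       /* n > 8180: line too long, refused */
    if (n + 1 > MAILTMPLEN) return 1;     /* n > 1023: pattern plus NUL overflows */
    return 0;
}

int main(void)
{
    char out[MAILTMPLEN];
    char pattern[MAILTMPLEN + 100];          /* constructed oversized LIST argument */
    memset(pattern, 'A', sizeof pattern - 1);
    pattern[sizeof pattern - 1] = '\0';

    /* A short pattern is fine with either version. */
    printf("short, unsafe: %d\n", canonicalize_unsafe(out, "", "INBOX"));
    printf("short, safe:   %d\n", canonicalize_safe(out, sizeof out, "", "INBOX"));
    /* The long pattern is refused by the checked version; the unsafe one is
     * deliberately not called with it, since that is the crash in the post. */
    printf("long, safe:    %d\n", canonicalize_safe(out, sizeof out, "", pattern));
    printf("n=1023 -> %d, n=1024 -> %d, n=8180 -> %d, n=8181 -> %d\n",
           list_outcome(1023), list_outcome(1024),
           list_outcome(8180), list_outcome(8181));
    return 0;
}
```

list_outcome reproduces both bounds from the message: 1024 'A's is the first length that overflows the 1024-byte temporary (the NUL no longer fits), and 8181 is the first length at which the 8192-byte line check fires before the copy happens.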