Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
Subject: Re: imapd4r1 v12.264
From: Sven Carstens (s.carstensGMX.DE)
Date: Mon Apr 17 2000 - 08:04:41 CDT

Am So, 16 Apr 2000 schrieb Michal Zalewski <lcamtufDIONE.IDS.PL>:
> Newest RH:
> * OK nimue IMAP4rev1 v12.264 server ready

This is the imap-4.7 package from the University of Washington.

> 1 login lcamtuf test
> 1 OK LOGIN completed
> 1 list "" AAAAAAAAAAAAAAAAAAAAAAAAAAA...[yes, a lot of 'A's ;]
> Program received signal SIGSEGV, Segmentation fault.
> 0x41414141 in ?? ()

To segfault the number of A´s has to in the range 1023 < #A > 8180.
If the command line including CR/LF is longer than 8192 an error message is

The segfaults are in the nntp, mh, news and dummy driver.
In all modules the subroutine <name>_canonicalize will happily strcpy and
strcat the user supplied arguments to fixed size buffers with normally
MAILTMPLEN = 1024 bytes.

Quick work around:
- remove these modules (if you don´t require them) from the linkage list

To do this change imapd.c around line 247
remove this line:

#include "linkage.c"

and manually add the drivers and authenticators you need:
  mail_link (&mboxdriver); /* link in the mbox driver */
  mail_link (&imapdriver); /* link in the imap driver */
/* mail_link (&nntpdriver); /* link in the nntp driver */
  mail_link (&pop3driver); /* link in the pop3 driver */
/* mail_link (&mhdriver); /* link in the mh driver */
  mail_link (&mxdriver); /* link in the mx driver */
  mail_link (&mbxdriver); /* link in the mbx driver */
  mail_link (&tenexdriver); /* link in the tenex driver */
  mail_link (&mtxdriver); /* link in the mtx driver */
  mail_link (&mmdfdriver); /* link in the mmdf driver */
  mail_link (&unixdriver); /* link in the unix driver */
/* mail_link (&newsdriver); /* link in the news driver */
  mail_link (&philedriver); /* link in the phile driver */
/* mail_link (&dummydriver); /* link in the dummy driver */
  auth_link (&auth_md5); /* link in the md5 authenticator */
  auth_link (&auth_log); /* link in the log authenticator */

This list is taken from my default install. If might have extra
authenticators in your configuration. See the file
for the drivers of your choice.

It might also be wise to remove all unneede drivers from the list to gain

There are shure as hell a lot more careless strcpy´s inside this code.

BTW: Looking for another library for mail folder access!

> *sigh*
> Privledges seems to be dropped, but, anyway, it's nice way to get shell
> access to mail account, maybe grab some data from memory etc. I believe
> both imap and ipopd packages need code security audit.

The security audit is really needed for all of the drivers in the c-client.
(Anyone cares for a Y2K bug in this ?)

CU Sven