OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: mailbox format incopatibility in (WU)imap with mail.local
From: 3APA3A (3APA3ASECURITY.NNOV.RU)
Date: Tue Aug 15 2000 - 13:16:39 CDT

Hello,

  It's not big, but interesting security hole. In fact neither
  mail.local nor imap has any bugs, but the problem rises from the
  fact there is no clear format for Unix mailbox. Since I think
  mail.local has more suitable mailbox format I decided to report
  problem as imap problem. May be I'm wrong.

  Thanks to w00w00 and USSR Labs. And sorry for my bad English.

-=-=-=-=-=-=-=-=-=-=-

  Title : mailbox format incompatibility in (WU)imap with
                    mail.local
  Authors : 3APA3Asecurity.nnov.ru, agksandy.ru
  Impact : malicious user can put message with faked headers
                    in user's mailbox bypassing virus protection,
                    buffer overflow protection and another MTA/MDA
                    filters. Also imap itself or MUA can be DoS'ed by
                    the way shown below.
  Software : imapd-4.7c and prior versions then combined with
                    mail.local and probably some another MDAs
  OS : *BSD, may be others
  Vendor Status : Mark Crispin and Sendmail notified, no satisfying
                    solution yet provided.

  Details:

  Then delivering message to user's mailbox mail.local believes, that
  messages are delimited by empty line followed by "From " header. If
  this combination found in message text it will be commented out. Yet
  imap, while parsing user's mailbox relies only on "From " header in
  special format and doesn't check empty line. This makes it possible
  to put faked message with faked RFC-822 header (including all
  Received: fields) in user's mailbox using properly formatted "From "
  header after non-empty line. This can be used both for sending
  spoofed messages and DoS'ing user's mailbox by emulating a huge
  number of messages.

  Exploitation:

  Shell string below send a single approx. 2.5 Mb message. After
  delivering imap will think there is more then 70,000 messages in
  user's mailbox.

perl -e 'print "1\nFrom user Wed Dec 2 05:53:22 1992\n\n"x70000' |\
mail -s "Oooops I did it again" victim

  Then this 70,000 messages are received with MUA, MUA usually fails
  (mostly because of memory problems). Was tested with The Bat! and
  Netscape. After that on FreeBSD 3.2 PIII 128Mb box I noticed next
  behavior: ipop3 (imapd was not tested) freezes in sbwait state,
  locking 99% CPU and amount of memory (much more then message size
  itself). After 30 minutes situation has not changed.

  Patch:

  One is for imapd-4.7c. It was not excessively tested and may be not
  complete, but believed to close this very hole.

*** unix.c.old Wed Feb 23 03:43:30 2000
--- unix.c Thu Aug 10 12:58:19 2000
***************
*** 1048,1053 ****
--- 1048,1054 ----
    unsigned long i,j,k,m;
    char c,*s,*t,*u,tmp[MAILTMPLEN],date[30];
    int ti = 0,pseudoseen = NIL,retain = T;
+ int wasempty;
    unsigned long nmsgs = stream->nmsgs;
    unsigned long prevuid = nmsgs ? mail_elt (stream,nmsgs)->private.uid : 0;
    unsigned long recent = stream->recent;
***************
*** 1389,1404 ****
        k = m = 0; /* no previous line size yet */
                                /* note current position */
        j = LOCAL->filesize + GETPOS (&bs);
        if (i) do { /* look for next message */
          s = unix_mbxline (stream,&bs,&i);
          if (i) { /* got new data? */
! VALID (s,t,ti,zn); /* yes, parse line */
            if (!ti) { /* not a header line, add it to message */
              elt->rfc822_size +=
                k = i + (m = (((i < 2) || s[i - 2] != '\r') ? 1 : 0));
                                /* update current position */
              j = LOCAL->filesize + GETPOS (&bs);
            }
          }
        } while (i && !ti); /* until found a header */
        elt->private.msg.text.text.size = j -
--- 1390,1408 ----
        k = m = 0; /* no previous line size yet */
                                /* note current position */
        j = LOCAL->filesize + GETPOS (&bs);
+ wasempty = 1;
        if (i) do { /* look for next message */
          s = unix_mbxline (stream,&bs,&i);
          if (i) { /* got new data? */
! if (wasempty) VALID (s,t,ti,zn); /* yes, parse line */
            if (!ti) { /* not a header line, add it to message */
              elt->rfc822_size +=
                k = i + (m = (((i < 2) || s[i - 2] != '\r') ? 1 : 0));
                                /* update current position */
              j = LOCAL->filesize + GETPOS (&bs);
            }
+ if ( *s == '\n') wasempty = 1;
+ else wasempty = 0;
          }
        } while (i && !ti); /* until found a header */
        elt->private.msg.text.text.size = j -

http://www.security.nnov.ru
         /\_/\
        { . . } |\
+--oQQo->{ ^ }<-----+ \
| 3APA3A U 3APA3A }
+-------------o66o--+ /
                    |/
You know my name - look up my number (The Beatles)