Subject: UW c-client library vulnerability
From: Juhapekka Tolvanen (juhtolv@ST.JYU.FI)
Date: Fri Sep 01 2000 - 11:53:22 CDT
It seems that the c-client libraries by the University of Washington have
some bug(s) that make some programs that depend upon those libraries
go crazy. AFAIK affected programs include at least Pine (read "pain"),
ipop3d and IMAPD. And those programs and libraries are commonly used in
Unixes. I don't know if any patch, fix, work-around etc. exists.
* * *
The problem was caused by my X-Keywords header, which serves as a so-called spook line
(Hello, NSA! :-) ):
X-Keywords: kettutytöt, Sanna Sillanpää, IKL, Jammu Siltavuori, ryssä, somali,
lesbo, homo, lesbian, anarchism, nazi, communism, CIA, bomb, nuclear, Semtex,
satan, traitor, pedophile
I shortened it to this:
X-Keywords: lesbo, homo, lesbian, anarchism, nazi, communism, CIA, bomb,
nuclear, Semtex, satan, traitor, pedophile
And then the problems disappeared. I use a character set called ISO-LATIN-1. And my
original X-Keywords: header had some Scandinavian characters ("umlaut o"
aka "o with dots" and "umlaut a" aka "a with dots") in the words
"kettutytöt" and "ryssä".
Here are some problem reports from mailing-lists of Debian:
Date: Wed, 30 Aug 2000 23:52:12 +0200
From: Cristian Ionescu-Idbohrn <cii@axis.com>
To: bugs@bugs.debian.org
CC: juhtolv@st.jyu.fi, debian-devel@lists.debian.org,
debian-legal@lists.debian.org
Subject: imap mailbox killer
(Clip)
I don't know if it was your intention, but you managed to totally screw
up my inbox (no hard feelings)!
The IMAP daemon went crazy trying to make sense of that box and put its
holy counts on the
"Subject: DON'T DELETE THIS MESSAGE -- FOLDER INTERNAL DATA".
Is this a security hole?
Date: Wed, 30 Aug 2000 15:31:12 -0700 (MST)
To: Cristian Ionescu-Idbohrn <cii@axis.com>
cc: juhtolv@st.jyu.fi
(Clip)
I've been fighting this problem all day too. Pine blows up when you try
to save the INBOX back out with any changes. (I'm using fetchmail and
plain vanilla mail spool files.) It was driving me nuts. Thanks for
posting. (I saved a copy of my mailbox and will pick through it with a
fine-tooth comb later.)
(Clip)
Date: Thu, 31 Aug 2000 10:22:48 +0200 (CEST)
From: Cristian Ionescu-Idbohrn <cii@axis.com>
To: Juhapekka Tolvanen <juhtolv@st.jyu.fi>
cc: debian-devel@lists.debian.org
(Clip)
Looks like all boxes get an extra message inserted. It looks something
like this:
,-----
| From MAILER-DAEMON Wed Aug 30 09:54:25 2000
| Delivery-Date: Thu May 11 21:51:47 2000
| Date: Thu, 11 May 2000 21:51:47 +0200 (MET DST)
| From: Mail System Internal Data <MAILER-DAEMON@host.com>
| Subject: DON'T DELETE THIS MESSAGE -- FOLDER INTERNAL DATA
| X-IMAP: 0928135936 0000033614
| Status: RO
| X-Status:
| X-Keywords:
| X-UID: 2
|
| This text is part of the internal format of your mail folder, and is not
| a real message. It is created automatically by the mail system software.
| If deleted, important folder data will be lost, and it will be re-created
| with the data reset to initial values.
`-----
I don't know if it's the IMAP daemon or the pine client who is responsible
for this.
One (or several) of Juhapekka's message header entries, probably this:
,-----
| X-Keywords:
+=?iso-8859-1?Q?kettutyt=F6t=2C_Sanna_Sillanp=E4=E4=2C_IKL=2C_Jammu_Silta?=
| =?iso-8859-1?Q?vuori=2C_ryss=E4=2C_somali=2C_lesbo=2C_homo=2C_lesbian=2C?=
| =?iso-8859-1?Q?_anarchism=2C_nazi=2C_communism=2C_CIA=2C_bomb=2C_nuclear?=
| =?iso-8859-1?Q?=2C_Semtex=2C_satan=2C_traitor=2C_pedophile?=
`-----
caused the daemon (or the client) to screw up the "magic". I ended up with a
"magic" message looking like this:
,-----
| From MAILER-DAEMON Wed Aug 30 16:36:48 2000
| Date: 30 Aug 2000 16:36:48 +0200
| From: Mail System Internal Data <MAILER-DAEMON@host.com>
| Subject: DON'T DELETE THIS MESSAGE -- FOLDER INTERNAL DATA
| Message-ID: <967646208@host.com>
| X-IMAP: 0967646162 0000000339
+=?iso-8859-1?Q?kettutyt=F6t=2C_Sanna_Sillanp=E4=E4=2C_IKL=2C_Jammu_Silta?=
| Status: RO
|
| This text is part of the internal format of your mail folder, and is not
| a real message. It is created automatically by the mail system software.
| If deleted, important folder data will be lost, and it will be re-created
| with the data reset to initial values.
`-----
and a lot of NULL characters preceding a few (5-6) of the messages in some
boxes.
Hope this helps to find the problem.
There's definitely a BUG lurking somewhere.
(Clip)
Date: Thu, 31 Aug 2000 12:34:14 -0400 (EDT)
From: "Jaldhar H. Vyas" <jaldhar@debian.org>
Reply-To: "Jaldhar H. Vyas" <jaldhar@debian.org>
To: Richard A Nelson <cowboy@debian.org>
cc: Juhapekka Tolvanen <juhtolv@st.jyu.fi>,
Cristian Ionescu-Idbohrn <cii@axis.com>, debian-devel@lists.debian.org,
70647@bugs.debian.org
(Clip)
> > There might be bug in either Pine or IMAP(D) or both.
>
> Both... I had to manually delete several messages in Pine 4.21 folders
> and I don't use IMAP
>
Pine also uses libc-client which is where the bug is.
(Clip)
Date: Thu, 31 Aug 2000 12:31:03 -0400 (EDT)
From: "Jaldhar H. Vyas" <jaldhar@debian.org>
To: Buddha Buck <bmbuck@14850.com>
cc: Richard A Nelson <cowboy@debian.org>
Juhapekka Tolvanen <juhtolv@st.jyu.fi>,
Cristian Ionescu-Idbohrn <cii@axis.com>, 70647@bugs.debian.org,
debian-devel@lists.debian.org
(Clip)
> My school uses imap, but I didn't -directly- invoke it in this process. It
> may have been invoked by their mailer behind the scenes, though.
>
Not necessarily. However ipop3d and imapd both use the c-client library
for all the mail handling routines. That's where the bug is so both would
have been affected.
(Clip)
--
Juhapekka "naula" Tolvanen * * * U of Jyväskylä * * juhtolv@st.jyu.fi
http://www.cc.jyu.fi/~juhtolv/index.html * "STRAIGHT BUT NOT NARROW!"
---------------------------------------------------------------------
"so impressed with all you do. tried so hard to be like you. flew too high and
burnt the wing. lost my faith in everything" nine inch nails
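A defender-side check for the damage shown in the quoted reports, as an added example that is not part of the original post or of c-client: it scans a Unix mbox for NUL bytes in front of a message and for encoded-word or 8-bit data on the pseudo-message's X-IMAP line. The function names, the two-counter X-IMAP layout and the sample mailboxes are assumptions constructed from the excerpts above.

```python
import re

PSEUDO_SUBJECT = b"DON'T DELETE THIS MESSAGE -- FOLDER INTERNAL DATA"
# Assumption: X-IMAP starts with two 10-digit counters, as in the intact sample.
COUNTERS = re.compile(rb"\d{10} \d{10}")
ENCODED_WORD = re.compile(rb"=\?[^?\s]+\?[QqBb]\?[^?\s]*\?=")  # RFC 2047

def split_messages(mbox):
    """Split a Unix mbox at 'From ' lines, keeping any NUL run before them."""
    starts = [m.start() for m in re.finditer(rb"^\x00*From ", mbox, re.M)]
    return [mbox[a:b] for a, b in zip(starts, starts[1:] + [len(mbox)])]

def headers_of(message):
    """Return [name, value] pairs; non-header lines join the previous header."""
    pairs = []
    for line in message.split(b"\n\n", 1)[0].split(b"\n")[1:]:
        m = re.match(rb"([!-9;-~]+):[ \t]*(.*)", line)
        if m:
            pairs.append([m.group(1).lower(), m.group(2)])
        elif pairs:
            pairs[-1][1] += b" " + line.strip()
    return pairs

def check_mbox(mbox):
    """Report NUL padding and a damaged X-IMAP line in the pseudo-message."""
    findings = []
    for i, message in enumerate(split_messages(mbox)):
        if message.startswith(b"\x00"):
            findings.append(f"message {i}: NUL bytes before 'From ' line")
        pairs = headers_of(message)
        if not any(n == b"subject" and PSEUDO_SUBJECT in v for n, v in pairs):
            continue
        for value in (v for n, v in pairs if n == b"x-imap"):
            if not COUNTERS.match(value):
                findings.append(f"message {i}: X-IMAP counters malformed")
            elif ENCODED_WORD.search(value) or re.search(rb"[^ -~]", value):
                findings.append(f"message {i}: X-IMAP carries encoded/8-bit data")
    return findings

# Constructed samples modelled on the two pseudo-messages quoted above.
HEAD = (b"From MAILER-DAEMON Wed Aug 30 16:36:48 2000\n"
        b"Subject: DON'T DELETE THIS MESSAGE -- FOLDER INTERNAL DATA\n")
INTACT = HEAD + b"X-IMAP: 0928135936 0000033614\nStatus: RO\n\nbody\n"
DAMAGED = (HEAD + b"X-IMAP: 0967646162 0000000339\n"
           b" =?iso-8859-1?Q?kettutyt=F6t?=\nStatus: RO\n\nbody\n"
           b"\x00\x00\x00From user Wed Aug 30 16:40:00 2000\nSubject: hi\n\ntext\n")

if __name__ == "__main__":
    print(check_mbox(INTACT), check_mbox(DAMAGED), sep="\n")
```

Run against a copy of the spool file rather than the live mailbox, since the reports describe clients rewriting the file on save.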