OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: 3APA3A (3APA3ASECURITY.NNOV.RU)
Date: Sat Jun 01 2002 - 07:14:15 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    Original version
    http://www.security.nnov.ru/advisories/courier.asp

    Title: Courier CPU exhaustion
    Author: ZARAZA <3APA3Asecurity.nnov.ru>
    Date: May, 31 2002
    Affected: courier-0.38.1
    Vendor: Double Precision, Inc.
    Risk: Low to average
    Remote: Yes
    Exploitable: Yes
    Vendor notified: May, 20 2002
    Product URL: http://www.courier-mta.org
    SECURITY.NNOV URL: http://www.security.nnov.ru
    Advanced info: http://www.security.nnov.ru/search/news.asp?binid=2055

    Introduction:

    Courier is widely used suite of e-mail services written with security in
    mind.

    Problem:

    A loop with unchecked iteration counter controlled by user input may
    cause courier to freeze for over the minute with 100% CPU usage on
    single command or message.

    Details:

    rfc822_parsedt.c:

            unsigned day=0, mon=0, year;
            ...
            unsigned y;
            ...
            if (year < 1970) return (0);
            ...
            for (y=1970; y<year; y++) ...

    year may be any unsigned integer.

    Vendor:

     Sam Varshavchik <mrsamcourier-mta.com> was contacted on May, 20.
     Problem was patched in CVS version on the same day.
      
    -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

    Bonus on imap-uw:

    Imap-uw allows user to access any file he could access locally. It's not
    a bug it's insecurity by design (it was not created with security in
    mind ;-). According FAQ from vendor's web site (it's not mentioned in a
    FAQ inside program distribution):

    -=-=-=-=-=-=-

    5.1 I see that the IMAP server allows access to arbitary files on the
    system, including /etc/passwd! How do I disable this?

     You should not worry about this if your IMAP users are allowed shell
     access. The IMAP server does not permit any access that the user can
     not have via the shell. If, and only if, you deny your IMAP users shell
     access, you may want to consider one of three choices. Note that these
     choices reduce IMAP functionality, and may have undesirable side
     effects. Each of these choices involves an edit to file
     src/osdep/unix/env_unix.c

     The first (and recommended) choice is to set restrictBox as described
     in file CONFIG. This will disable access to the filesystem root, to
     other users' home directory, and to superior directory.

     The second (and strongly NOT recommended) choice is to set closedBox as
     described in file CONFIG. This puts each IMAP session into a so-called
     "chroot jail", and thus setting this option is extremely dangerous; it
     can make your system much less secure and open to root compromise
     attacks. So do not use this option unless you are absolutely certain
     that you understand all the issues of a "chroot jail."

     The third choice is to rewrite routine mailboxfile() to implement
     whatever mapping from mailbox name to filesystem name (and
     restrictions) that you wish. This is the most general choice. As a
     guide, you can see at the start of routine mailboxfile() what the
     restrictBox choice does.

    -=-=-=-=-=-

     It should be noted that restrictBox/closedBox is not described in
     neither CONFIG nor any other document from program distribution at all
     (as for imap-2001a)... And even if you smart enough to check the FAQ on
     the web site after you red the FAQ in source distribution restrictBox
     can be bypassed in case of any Windows builds (for example
     http://sourceforge.net/projects/uw-imap-cygwin/) because '\\' symbol is
     never checked. Hope nobody uses UW under NT or a version from OS ports
     distribution in production environment because as far as I can see port
     maintainers do not change the value of closedBox :).

     I'm not sure if there are utilities to access file system via imap-uw,
     a created a small set of tools you can download imaptools.tgz from
     http://www.security.nnov.ru/search/news.asp?binid=2063

     it includes:

      imapget.c - to retrieve file via imap-uw, usage example:
        imapget imap.host.name /etc/passwd > passwd
        it should work for both text and binary files.

      imapls.c - to get a file listing, usage example:
        imapls imaphostname /tmp/\* > ls-tmp

      imaprm.c, imapmkdir.c - hope you catch the idea.

      it's also possible to create file with any name in mailbox format.

     

    -- 
    http://www.security.nnov.ru
             /\_/\
            { , . }     |\
    +--oQQo->{ ^ }<-----+ \
    |  ZARAZA  U  3APA3A   }
    +-------------o66o--+ /
                        |/
    You know my name - look up my number (The Beatles)