From: Stan Bubrouski (stanccs.neu.edu)
Date: Sat Jun 01 2002 - 18:12:33 CDT

    3APA3A wrote:
    > Original version
    > http://www.security.nnov.ru/advisories/courier.asp
    >
    > Title: Courier CPU exhaustion
    > Author: ZARAZA <3APA3Asecurity.nnov.ru>
    > Date: May, 31 2002
    > Affected: courier-0.38.1
    > Vendor: Double Precision, Inc.
    > Risk: Low to average
    > Remote: Yes
    > Exploitable: Yes
    > Vendor notified: May, 20 2002
    > Product URL: http://www.courier-mta.org
    > SECURITY.NNOV URL: http://www.security.nnov.ru
    > Advanced info: http://www.security.nnov.ru/search/news.asp?binid=2055
    >
    > Introduction:
    >
    > Courier is a widely used suite of e-mail services written with security in
    > mind.
    >
    > Problem:
    >
    > A loop with an unchecked iteration counter controlled by user input may
    > cause courier to freeze for over a minute with 100% CPU usage on
    > a single command or message.
    >
    > Details:
    >
    > rfc822_parsedt.c:
    >
    > unsigned day=0, mon=0, year;
    > ...
    > unsigned y;
    > ...
    > if (year < 1970) return (0);
    > ...
    > for (y=1970; y<year; y++) ...
    >
    > year may be any unsigned integer.
    >
    >
    > Vendor:
    >
    > Sam Varshavchik <mrsamcourier-mta.com> was contacted on May, 20.
    > The problem was patched in the CVS version on the same day.
    >
    > -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
    >
    > Bonus on imap-uw:
    >
    > Imap-uw allows a user to access any file he could access locally. It's not
    > a bug, it's insecurity by design (it was not created with security in
    > mind ;-). According to the FAQ from the vendor's web site (it's not
    > mentioned in the FAQ inside the program distribution):
    >
    > -=-=-=-=-=-=-
    >
    > 5.1 I see that the IMAP server allows access to arbitrary files on the
    > system, including /etc/passwd! How do I disable this?

    This issue with uw-imapd has been known about for years and years and
    years. I brought this up about two years ago and I noticed others had
    as well. Changing one if statement in a source file fixes the behaviour
    and yes it is a FEATURE not a BUG. I don't recall the exact location or
    if statement to change but looking through uw-imapd archives is how I
    found it out a couple years ago, and I recommend you do the same.

    -Stan
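
The loop shape quoted from rfc822_parsedt.c in the advisory above, next to a bounded constant-time form, as an added example that is not part of the original posts and is not Courier's code or its CVS fix. The function names, the `MAX_YEAR` cap and the input values are assumptions chosen for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_YEAR 9999UL /* assumed sanity bound; not taken from Courier's fix */

/* Number of leap years in 1..y under the Gregorian rule. */
static long long leaps_through(unsigned long y)
{
    return (long long)(y / 4 - y / 100 + y / 400);
}

/* Loop shape from the advisory: one iteration per year since 1970, no upper
   bound on year. *iters reports how much work the input caused. */
static long long days_unbounded(unsigned year, unsigned long long *iters)
{
    long long days = 0;
    unsigned y;
    *iters = 0;
    if (year < 1970) return 0;
    for (y = 1970; y < year; y++) {
        days += (y % 400 == 0 || (y % 4 == 0 && y % 100 != 0)) ? 366 : 365;
        ++*iters;
    }
    return days;
}

/* Hardened form: validate the field, cap the range, compute without a loop.
   Returns days from 1970-01-01 to Jan 1 of the year, or -1 if rejected. */
static long long days_bounded(const char *field)
{
    char *end;
    unsigned long year;
    errno = 0;
    year = strtoul(field, &end, 10);
    if (errno || end == field || *end != '\0') return -1;
    if (year < 1970 || year > MAX_YEAR) return -1;
    return 365LL * (long long)(year - 1970)
         + leaps_through(year - 1) - leaps_through(1969);
}

int main(void)
{
    unsigned long long n;
    long long d = days_unbounded(5000000u, &n); /* constructed input */
    printf("unbounded: %llu iterations, %lld days\n", n, d);
    printf("bounded(\"2002\") = %lld\n", days_bounded("2002"));
    printf("bounded(\"4294967295\") = %lld\n", days_bounded("4294967295"));
    return 0;
}
```

The iteration count of the first function tracks the supplied year directly, which is the CPU cost the advisory describes; the second does the same arithmetic in fixed time and refuses years outside the assumed range.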