Bugtraq mailing list archives

Re: Security hole in imapd - pine 3.96 affected?


From: aleph1 () DFW NET (Aleph One)
Date: Wed, 9 Apr 1997 01:33:32 -0500


+---
| From mrc () cac washington edu Tue Apr  8 09:26:34 1997
| Date: Tue, 4 Mar 1997 15:22:05 -0800
| From: Mark Crispin <mrc () cac washington edu>
| To: pine-info () cac washington edu
| Subject: Re: Pine 3.96
|
| On 4 Mar 1997, Jody Housman wrote:
| > After building 3.96, I checked log_std.c code, and it appears to be the
| > same as what SNI calls the flawed code.  Has the security hole been fixed
| > in some other way such as increasing the size of the username buffer?
|
| Yes.  Instead of changing the flawed code, there is a booby trap in 3.96
| to catch people who try to exploit it.  Attempts to trigger the security
| hole will never get to the flawed code, but will cause a "Crack attempt"
| syslog alert.  Also, the advertised banner did not change in 3.96, to make
| it difficult for a bad guy to tell the difference between a vulnerable
| 3.95 server and a non-vulnerable 3.96 server.
|
| Perhaps knowledge of this might deter bad guys from trying to exploit this
| bug.  Then again, those of us who have a life have a hard time in
| fathoming the thought processes of those who do not.
|
| In the as-yet unreleased Pine 4.0 (and the current released imap-4.1
| toolkit), the banners changed, so there seemed to be no point in having
| the booby trap.  The flawed code is gone entirely in this version.
|
| Unless you have a special reason to continue to run IMAP2bis based
| servers, I recommend that you run the servers in the imap-4.1 toolkit:
|       ftp://ftp.cac.washington.edu/mail/imap.tar.Z
| since this version supports IMAP4rev1 and POP3 with UIDL.
|
| -- Mark --
|
| Unsolicited commercial email is NOT welcome at this email address.
+---
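The "booby trap" described above (reject an oversized username before it can ever reach the flawed copy, and raise a "Crack attempt" alert) is easy to get wrong by one byte, so here is an added example of the pattern in C. It is not Pine or imapd source; the buffer size, the function names and the IP address are assumptions, and a counter plus stderr message stands in for the syslog(LOG_ALERT, ...) call a real server would make.

```c
/* Added example, not Pine/imapd code: a guard that fires before a
 * fixed-size username buffer can be overflowed, plus the alert the
 * message describes. Every identifier and size here is hypothetical. */
#include <stdio.h>
#include <string.h>

#define USERNAME_MAX 64   /* assumed size of the legacy username buffer */

/* Stand-in for syslog(LOG_ALERT, "Crack attempt ..."): count and print so
 * the behaviour is observable without a syslog daemon. */
static int crack_attempts = 0;

static void alert_crack_attempt(const char *host, size_t len)
{
    crack_attempts++;
    fprintf(stderr, "Crack attempt: host=%s, username length %zu\n",
            host, len);
}

/* The flawed pattern: unchecked copy of attacker-controlled input into a
 * fixed-size stack buffer. Left deliberately unsafe to mirror the kind of
 * code the message refers to; the guard below makes it unreachable with
 * oversized input. */
static int legacy_login(const char *user, const char *pass)
{
    char ubuf[USERNAME_MAX];
    strcpy(ubuf, user);          /* overflows if strlen(user) >= USERNAME_MAX */
    (void)pass;                  /* toy check: only the name matters here */
    return strcmp(ubuf, "guest") == 0;
}

enum login_result { LOGIN_OK = 0, LOGIN_FAIL = 1, LOGIN_TRAPPED = 2 };

/* Guarded entry point: the trap triggers before legacy_login() is called.
 * ">=" rather than ">" because the terminating NUL also needs a byte. */
enum login_result guarded_login(const char *host, const char *user,
                                const char *pass)
{
    size_t len = strlen(user);
    if (len >= USERNAME_MAX) {
        alert_crack_attempt(host, len);
        return LOGIN_TRAPPED;
    }
    return legacy_login(user, pass) ? LOGIN_OK : LOGIN_FAIL;
}

int get_crack_attempts(void)
{
    return crack_attempts;
}

/* Helper for experiments: log in with a constructed username of n 'A's
 * from the assumed client address 203.0.113.5. */
enum login_result login_with_name_len(size_t n)
{
    static char name[4096];
    if (n >= sizeof name)
        n = sizeof name - 1;
    memset(name, 'A', n);
    name[n] = '\0';
    return guarded_login("203.0.113.5", name, "x");
}

int main(void)
{
    printf("guest       -> %d\n", guarded_login("203.0.113.5", "guest", "x"));
    printf("63 x 'A'    -> %d\n", login_with_name_len(63));
    printf("64 x 'A'    -> %d\n", login_with_name_len(64));
    printf("512 x 'A'   -> %d\n", login_with_name_len(512));
    printf("alerts      -> %d\n", get_crack_attempts());
    return 0;
}
```

The boundary is the point to check: a 63-byte name fits with its NUL and reaches the old code as before, a 64-byte name is trapped and logged, so nothing of the old behaviour changes for legitimate clients. Note that, as the message itself says, this only prevents the overflow from being reached; it does not remove the flawed copy, which is why the later code drops it entirely.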


