Bugtraq mailing list archives
Two Problems in IMP 2
From: jose () BIOCSERVER BIOC CWRU EDU (Jose Nazario)
Date: Mon, 24 Apr 2000 18:53:28 -0400
Crimelabs, Inc.
www.crimelabs.com
Security Advisory

Crimelabs Security Advisory CLABS200003

Title: IMP/MSWordView /tmp Problems
Date: 22 April, 2000
Application: IMP with MSWordView
Platform: Any supported by IMP, MSWordView
Severity: Moderate -- anyone can view Word document attachments processed by IMP/MSWordView, and users can fill up the disk and DoS the IMP server
Author: Jose Nazario (jose () thegeekempire net)
Vendor Status: Contacted, fix available for permissions problem, DoS workaround supplied by Crimelabs
Web: (real soon now, we promise)

Description:

IMP is a PHP3 driven webmail solution providing full featured access to email. MSWordView is an application that translates Microsoft Word documents into HTML. Used in conjunction, they let users view their Word document attachments online without having to download them. Two problems have been found in this setup, though, that warrant attention.

The first problem is the permissions left on the temporary file used by MSWordView to format the document in HTML. They are left world readable, possibly exposing private information to the world:

/tmp:
-rw-r--r--   1 nobody   nogroup     13722 Mar  8 17:28 imp.word.2000-Mar-Wed_17:27:47__a986f65efecd5fd49e75b3d7f8312721.html

The second is a failure of the IMP process to clean up properly if the MSWordView process does not exit correctly. It leaves files on the server which will fill up the /tmp filesystem. Should enough accumulate, a denial of service is possible due to a lack of disk space. This improper exit can occur should the user stop the attachment viewing before completion or if there is a problem in the setup. Exploiting this is simply a matter of sending one's self several large Word documents as attachments, starting to load them in IMP to view them online and stopping the loading. Disk space will deplete and the server will cease operations soon enough.

Fix:

The first problem has been fixed in the 2.2 beta versions of IMP. As of version -pre11, released on 10 April, 2000, the umask is set correctly as 077 and the files are no longer accessible by the rest of the community. IMP administrators who are leery of using beta software may wish to simply work around this problem in IMP 2.0.11. The file imp/lib/mimetypes.lib contains the function used by MSWordView which creates the temporary file. Simply create a directory that is mode 700 for nobody.nogroup (or whoever runs the web daemon process) and use that directory, rather than /tmp, for temporary storage. Note that shell access is required to exploit this information leak. Still, quite a number of servers exist in the world which mix shell and webmail access, for which this would be a problem.

The second problem at this time has no fix, though a simple cron job that removes temporary IMP files that are more than 30 minutes old, or that monitors IMP's temporary storage space and reacts similarly, should work. This time should be adjusted depending on the number of users on the server and the size of the temporary space. An account is required to abuse this problem.

I would like to acknowledge Chuck Hagenbuch of the IMP development team and thank him for a quick response. IMP's a neat tool, and provides an excellent webmail solution, which is why it's become so popular.

References:

IMP: http://www.horde.org/imp/
MSWordView: http://www.wvWare.com/
A really good discussion by Mudge of the L0pht/@Stake on /tmp use: http://www.l0pht.com/advisories/watch.txt
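The two workarounds above (checking the temporary files for the world-readable permissions described in the advisory, and removing IMP temporary files older than 30 minutes from cron) as an added example script; this is not code from the advisory or from the IMP project, and the temp directory path, the 30-minute default and the imp.word.* file-name prefix taken from the listing above are assumptions.

```shell
#!/bin/sh
# Added example, not part of the advisory or of IMP itself.
# Assumptions: IMP writes its MSWordView output as imp.word.* into $IMP_TMP,
# and files older than $MAX_AGE_MIN minutes are safe to delete.

IMP_TMP="${IMP_TMP:-/tmp}"          # IMP's temporary directory (assumed)
MAX_AGE_MIN="${MAX_AGE_MIN:-30}"    # threshold suggested in the advisory

# List every imp.word.* file in directory $1 whose "other" read bit is set,
# i.e. the -rw-r--r-- case from the advisory. Returns 0 if none are found,
# 1 if at least one world-readable file exists (the umask 077 fix is missing).
check_world_readable() {
    dir="$1"
    found=0
    for f in "$dir"/imp.word.*; do
        [ -f "$f" ] || continue
        # -perm -004 matches files with the others-read permission bit set
        if find "$f" -maxdepth 0 -type f -perm -004 | grep -q .; then
            echo "world-readable: $f"
            found=1
        fi
    done
    return $found
}

# Remove imp.word.* files in directory $1 not modified in the last $2 minutes
# (the leftovers from an interrupted MSWordView run). Prints the count removed.
cleanup_stale() {
    dir="$1"; age="$2"
    stale=$(find "$dir" -maxdepth 1 -type f -name 'imp.word.*' -mmin "+$age")
    if [ -z "$stale" ]; then
        echo 0
        return 0
    fi
    printf '%s\n' "$stale" | xargs rm -f
    printf '%s\n' "$stale" | wc -l | tr -d ' '
}

# Intended cron usage, e.g. every 10 minutes:  imp-tmp-clean.sh run
if [ "${1:-}" = "run" ]; then
    check_world_readable "$IMP_TMP" || echo "fix: set umask 077 or use a private mode-700 temp dir"
    echo "removed $(cleanup_stale "$IMP_TMP" "$MAX_AGE_MIN") stale IMP file(s)"
fi
```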