Bugtraq mailing list archives

Re: response to the bugtraq report of buffer overruns in imapd LIST command


From: kris () FREEBSD ORG (Kris Kennaway)
Date: Mon, 17 Apr 2000 18:30:24 -0700


On Mon, 17 Apr 2000, Mark Crispin wrote:

> As was indicated, all privileges are dropped at that point.  There is nothing
> that can be done by crashing imapd this way that can not also be done (much
> easier) by logging in to the UNIX shell.

This does not seem to be enough: many people run mail systems which don't
provide shell access to their mail users - it's a reasonable expectation
that they won't be able to get shell access to any account by exploiting
vulnerabilities in the imap daemon.

On the other hand, if you're not convinced this is a safe assumption given
the state of the imapd code then you should state so clearly to your users
in the product documentation so they know the risk and can make
appropriate choices regarding the suitability of the product before
installation.

In the meantime, I will be adding a warning stating the above to the
FreeBSD port of imap-uw so that at least our users know the risks.

> If you have a "closed" system (which is the only type of system where this bug
> matters), a much better solution is to insert the following instruction in
> routine pw_login() in env_unix.c:
>   if (chroot (home ? home : ANONYMOUSHOME)) chroot ("/tmp");

This is not enough: it still allows users to obtain shell-level access to
the machine when they otherwise may not have. It may also be possible to
break out of the chroot jail on some platforms.

> Another important measure is to use StackGuard.  I am very surprised at the
> implication that RedHat doesn't use StackGuard.  Is that really true?

StackGuard doesn't run on non-Linux systems - it's not a solution for the
rest of us: the code needs to be audited thoroughly at the source. At the
very least you could make a pass over it with something like ITS and
replace the potentially dangerous string functions with their
bounds-checked alternatives.

Kris

----
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe <forsythe () alum mit edu>
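Kris's last point, reading the LIST arguments with bounds-checked code instead of unbounded string functions, as an added example in C that is not imap-uw code and not part of this thread. ARG_MAX_LEN, read_arg and parse_list_args are hypothetical names, and the 32-byte buffer size is chosen for illustration only.

```c
#include <stddef.h>
#include <string.h>

#define ARG_MAX_LEN 32   /* hypothetical fixed buffer size of the caller */

/* Copy one LIST argument (quoted string or bare atom) from *p into out,
 * which holds outsz bytes including the NUL. Returns 0 and advances *p,
 * or -1 on overflow or malformed input, without writing past out. */
static int read_arg(const char **p, char *out, size_t outsz)
{
    const char *s = *p;
    size_t n = 0;
    while (*s == ' ') s++;
    if (*s == '"') {                        /* quoted string */
        s++;
        while (*s && *s != '"') {
            if (*s == '\\' && s[1]) s++;    /* \" and \\ escapes */
            if (n + 1 >= outsz) return -1;  /* no room for char + NUL */
            out[n++] = *s++;
        }
        if (*s != '"') return -1;           /* unterminated quote */
        s++;
    } else {                                /* atom: up to space or end */
        while (*s && *s != ' ') {
            if (n + 1 >= outsz) return -1;
            out[n++] = *s++;
        }
        if (n == 0) return -1;
    }
    out[n] = '\0';
    *p = s;
    return 0;
}

/* Parse "<reference> <mailbox>" following the LIST keyword. Returns 0 on
 * success; -1 means the command is rejected and no buffer was overrun. */
int parse_list_args(const char *args, char *ref, size_t refsz,
                    char *mbox, size_t mboxsz)
{
    const char *p = args;
    if (read_arg(&p, ref, refsz) != 0) return -1;
    if (*p != ' ') return -1;               /* two arguments required */
    if (read_arg(&p, mbox, mboxsz) != 0) return -1;
    while (*p == ' ') p++;
    return *p == '\0' ? 0 : -1;             /* trailing junk is an error */
}
```

An oversized argument is answered with a protocol error by the caller instead of being copied; with ARG_MAX_LEN of 32, a 31-character name is the longest accepted.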
