Vulnerability Development mailing list archives
Re: SECURITY.NNOV: Courier CPU exhaustion + bonus on imap-uw
From: Stan Bubrouski <stan () ccs neu edu>
Date: Sat, 01 Jun 2002 19:12:33 -0400
3APA3A wrote:
Original version http://www.security.nnov.ru/advisories/courier.asp

Title: Courier CPU exhaustion
Author: ZARAZA <3APA3A () security nnov ru>
Date: May, 31 2002
Affected: courier-0.38.1
Vendor: Double Precision, Inc.
Risk: Low to average
Remote: Yes
Exploitable: Yes
Vendor notified: May, 20 2002
Product URL: http://www.courier-mta.org
SECURITY.NNOV URL: http://www.security.nnov.ru
Advanced info: http://www.security.nnov.ru/search/news.asp?binid=2055

Introduction:

Courier is a widely used suite of e-mail services written with security in mind.

Problem:

A loop with an unchecked iteration counter controlled by user input may cause courier to freeze for over a minute with 100% CPU usage on a single command or message.

Details:

rfc822_parsedt.c:

    unsigned day=0, mon=0, year;
    ...
    unsigned y;
    ...
    if (year < 1970) return (0);
    ...
    for (y=1970; y<year; y++)
    ...

year may be any unsigned integer.

Vendor:

Sam Varshavchik <mrsam () courier-mta com> was contacted on May, 20. Problem was patched in CVS version on the same day.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Bonus on imap-uw:

Imap-uw allows a user to access any file he could access locally. It's not a bug, it's insecurity by design (it was not created with security in mind ;-). According to the FAQ from the vendor's web site (it's not mentioned in the FAQ inside the program distribution):

-=-=-=-=-=-=-
5.1 I see that the IMAP server allows access to arbitrary files on the system, including /etc/passwd! How do I disable this?

This issue with uw-imapd has been known about for years and years and years. I brought this up about two years ago and I noticed others had as well. Changing one if statement in a source file fixes the behaviour and yes it is a FEATURE not a BUG. I don't recall the exact location or if statement to change but looking through uw-imapd archives is how I found it out a couple years ago, and I recommend you do the same.
-Stan
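
The loop pattern quoted from the advisory, next to a bounded constant-time form, as an added example that is not part of the original posts and is not Courier's code or its CVS patch. The function names, the MAX_YEAR bound and the assumption that the loop body accumulates days per year are choices made for this example.

```c
#include <stdio.h>

/* Assumption of this example: an upper bound on accepted years.
   Not the value used in the Courier CVS fix. */
#define MAX_YEAR 9999u

static int is_leap(unsigned y)
{
    return (y % 4 == 0 && y % 100 != 0) || y % 400 == 0;
}

/* Pattern from the advisory: the iteration count is year - 1970 and
   year comes straight from the parsed date, so it is attacker-sized.
   The loop body is assumed; the advisory elides it. */
unsigned long days_loop(unsigned year)
{
    unsigned long days = 0;
    unsigned y;
    if (year < 1970)
        return 0;
    for (y = 1970; y < year; y++)
        days += is_leap(y) ? 366 : 365;
    return days;
}

/* Number of leap years in [1, y]. */
static unsigned long leaps_through(unsigned long y)
{
    return y / 4 - y / 100 + y / 400;
}

/* Hardened form: reject out-of-range years, then compute without a
   loop. Returns 0 on success, -1 if the year is rejected. */
int days_checked(unsigned year, unsigned long *days)
{
    if (year < 1970 || year > MAX_YEAR)
        return -1;
    *days = 365UL * (year - 1970)
          + leaps_through(year - 1UL) - leaps_through(1969);
    return 0;
}

int main(void)
{
    unsigned long d = 0;
    int rc = days_checked(4294967295u, &d);  /* constructed oversized year */
    printf("loop(2002)=%lu rejected=%d\n", days_loop(2002), rc != 0);
    return 0;
}
```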