Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

imapd and ipop3d hole

From: davids () SECNET COM (David Sacerdote)
Date: Sun, 2 Mar 1997 21:42:14 -0700

                        ######    ##   ##    ######
                        ##        ###  ##      ##
                        ######    ## # ##      ##
                            ##    ##  ###      ##
                        ###### .  ##   ## .  ######.

                            Secure Networks Inc.

                             Security Advisory
                               March 2, 1997


                     Buffer Overflow in imapd and ipop3d

A vulnerability exists within Mark Crispin's mail server toolkit that will
allow arbitrary individuals to obtain root access to servers running
imapd and ipop3d.  This vulnerability is present in both the POP3 and IMAP2bis
servers included in the PINE distribution, as well as the IMAP2bis and
IMAP4 servers included in Mr. Crispin's IMAP toolkit.


Technical Details
~~~~~~~~~~~~~~~~~
The vulnerable mail servers call a library routine to affect a Unix
"login", authenticating the user against it's password. A stack overrun
exists in this routine. In essence this will allow any client with the ability
to attempt a login to enter an overly long username to cause arbitrary machine
code to execute.

Both the POP and IMAP servers Mr. Crispin distributes discard supervisory
privileges sometime after this authentication phase. Unfortunately, the
overflow occurs before this happens, and the vulnerability will thus
allow an attacker superuser access.

The problematic routine is server_login(), which is in "log_xxx.c" in the
OS-dependent code tree of the server source distribution. The problem
occurs due to the routine's attempt to allow a case insensitive match on
the username, which it does by copying the username provided to the
routine into an automatic variable in the routine's stack.

The username buffer is MAILTMPLEN long, which defaults to 1024 bytes.
Unfortunately, the server's input buffer is greater than this, allowing a
remote client to feed the routine a username greater than 1024 bytes.
If the excess characters in this username contain a valid virtual memory
address, the routine will overwrite it's stack frame when copying the
username, causing the return from the routine to jump to an unexpected
location.

Interestingly, the buffer is converted to lowercase after being copied.
This provides a slight technical challenge, as the machine code required
to take over the server contains uppercase characters. However,
modifications to the "standard" stack overrun exploit code to reverse the
affects of this lowercasing were trivial. On i386 4.4BSD, the VM address
required to redirect server_login()'s return need not contain uppercase
characters.

The flawed code reads:

long server_login (char *user, char *pass, int argc, char *argv[])
{
        char tmp[MAILTMPLEN];
        struct passwd *pw = getpwnam (user);
                /* allow case-independent match */
        if(!pw) pw = getpwnam (lcase (strcpy (tmp, user)));

        <complete server login and return>
}


Impact
~~~~~~

Remote individuals, who do not have a valid username and password for
the mail server, can obtain root access to systems running a vulnerable
IMAP or POP server.


Vulnerable Systems
~~~~~~~~~~~~~~~~~~

Any system running Mark Crispin's POP or IMAP server, of a release
earlier than 4.1beta is vulnerable.  To determine whether your system
is vulnerable, telnet to ports 109, 110, 143 and 220.  If you see a banner
looking like:

* OK example.com IMAP2bis Service 7.8(92) at Mon, 3 Mar 1997 12:00:00
-0500 (EST)

or:

* OK example.com IMAP4 v10.00 server ready

or:

+OK example.com POP3 3.0(10) w/IMAP client (Report problems in this server
to MRC () CAC Washington edu) at Mon, 3 Mar 1998 12:00:00 -0500 (EST)

Then your system is vulnerable.  If you see "POP3 3.3" or "IMAP4rev1"
or later, your POP or IMAP server is not vulnerable.

POP servers not derived from Mark Crispin's code, including the somewhat
confusingly named "pop3d" from the University of California at Davis are
not vulnerable to the attack described in this advisory.  Similarly,
the University of California at Berkeley popper, and derived POP servers,
including the Qualcomm popper, are not vulnerable to this attack.


Fix Information
~~~~~~~~~~~~~~~

As a temporary workaround, you can disable the POP and IMAP services
in /etc/inetd.conf, and then kill and restart inetd.

You can fix the problem in the source yourself, by changing the
server_login() function to read:

        char tmp[MAILTMPLEN];
        struct passwd *pw = getpwnam (user);

        if(!pw) {
                strncpy(tmp, user, MAILTMPLEN - 1);
                pw = getpwnam(lcase(tmp));

Or, as a final option, you can switch to the IMAP 4.1 beta distribution,
which can be found at ftp://ftp.cac.washington.edu/mail/imap.tar.Z.


Additional Information
~~~~~~~~~~~~~~~~~~~~~~

If you have any questions about this advisory, feel free to contact me,
by sending mail to davids () secnet com  If you wish to encrypt your
messages to me, feel free to use the following PGP public key.

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.2

mQCNAzJ4qJAAAAEEAOgB7mooQ6NgzcUSIehKUufGsyojutC7phVXZ+p8FnHLLZNB
BLQEtj5kmfww2A2pR29q4rgPeqEUOjWPlLNdSLby3NI8yKz1AQSQLHAwIDXt/lku
8QXClaV6pNIaQSN8cnyyvjH6TYF778yZhYz0mwLqW6dU5whHtP93ojDw1UhtAAUR
tCtEYXZpZCBTYWNlcmRvdGUgPGRhdmlkc0BzaWxlbmNlLnNlY25ldC5jb20+
=LtL9
-----END PGP PUBLIC KEY BLOCK-----

Further information about the Interactive Mail Aaccess Protocol can be
found in RFCs 1731, 1732, 1733, 2060, 2061, 2062, 2086, 2087, 2088, and
2095.  Further information about the Post Office Protocol can be found
in RFCs 1939 and 1957.  Copies of RFCs can be found at
http://ds.internic.net/rfc/rfcXXXX.txt

For further information about Secure Networks Inc, including product
information, past advisories, and papers, see http://www.secnet.com

If you wish to obtain Secure Networks advisories via our mailing list,
please send mail to sni-advisories-request () secnet com, with a single line
reading:
subscribe sni-advisories


Copyright
~~~~~~~~~

The contents of this advisory are Copyright (C) 1997 Secure Networks Inc,
and may be distributed freely provided that no fee is charged for
distribution, and that proper credit is given.

imapd and ipop3d fall under the following license:

Copyright 1997 by the University of Washington

Permission to use, copy, modify, and distribute this software and its
documentation for any purpose and without fee is hereby granted, provided
that the above copyright notice appears in all copies and that both the
above copyright notice and this permission notice appear in supporting
documentation, and that the name of the University of Washington not be
used in advertising or publicity pertaining to distribution of the software
without specific, written prior permission.  This software is made
available "as is", and
THE UNIVERSITY OF WASHINGTON DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED,
WITH REGARD TO THIS SOFTWARE, INCLUDING WITHOUT LIMITATION ALL IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, AND IN
NO EVENT SHALL THE UNIVERSITY OF WASHINGTON BE LIABLE FOR ANY SPECIAL,
INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, TORT
(INCLUDING NEGLIGENCE) OR STRICT LIABILITY, ARISING OUT OF OR IN CONNECTION
WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
Previous By Date Next
Previous By Thread Next

Current thread: