Bugtraq mailing list archives

Two Problems in IMP 2


From: jose () BIOCSERVER BIOC CWRU EDU (Jose Nazario)
Date: Mon, 24 Apr 2000 18:53:28 -0400


Crimelabs, Inc.                                      www.crimelabs.com

                     Security Advisory
         Crimelabs Security Advisory CLABS200003

          Title: IMP/MSWordView /tmp Problems
           Date: 22 April, 2000
    Application: IMP with MSWordView
       Platform: Any supported by IMP, MSWordView
       Severity: Moderate -- anyone can view Word document attachments
                 processed by IMP/MSWordView, users can fill up the disk
                 and DoS the IMP server
         Author: Jose Nazario (jose () thegeekempire net)
  Vendor Status: Contacted, fix available for permissions problem,
                 DoS workaround supplied by Crimelabs
            Web: (real soon now, we promise)

Description:

IMP is a PHP3 driven webmail solution providing full featured access to
email. MSWordView is an application that translates MicroSoft Word
documents into HTML. Used in conjunction users can view their Word
document attachments online without having to download them.

Two problems have been found in this setup, though, that warrant
attention. The first problem is the permissions left on the temporary file
used by MSWordView to format the document in HTML. They are left world
readable, possibly exposing private information to the world:

/tmp:
-rw-r--r--   1  nobody  nogroup     13722  Mar 8 17:28
  imp.word.2000-Mar-Wed_17:27:47__a986f65efecd5fd49e75b3d7f8312721.html

The second is a failure of the IMP process to clean up properly if the
MSWordView process does not exit correctly. It leaves files on the server
which will fill up the /tmp filesystem. Should enough accumulate, a denial
of service is possible due to a lack of disk space. This improper exit can
occur should the user stop the attachment viewing before completion or if
there is a problem in the setup. Exploiting this is simply a matter of
sending one's self several large Word documents as attachments, starting
to load them in IMP to view them online and stopping the loading. Disk
space will deplete and the server will cease operations soon enough.

The first problem has been fixed in the 2.2 beta versions of IMP. As of
version -pre11, released on 10 April, 2000, the umask is set correctly as
077 and the files are no longer accessible by the rest of the community.
IMP administrators who are leery of using beta software may wish to simply
work around this problem in IMP 2.0.11. In the file imp/lib/mimetypes.lib
there is the function that is used by MSWordView which creates the
temporary file. Simply create a directory that is mode 700 for nobody.nogroup
(or whoever runs the web daemon process) and use that directory, rather
than /tmp, for temporary storage.

Note that shell access is required to exploit this information leak.
Still, quite a number of servers exist in the world which mix shell and
webmail access, for which this would be a problem.

The second problem at this time has no fix, though a simple cron job that
removes temporary IMP files more than 30 minutes old, or that monitors
IMP's temporary storage space and reacts similarly, should work. This time
should be adjusted depending on the number of users on the server and the
size of the temporary space. An account is required to abuse this problem.
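The two workarounds described above (a private mode 700 temporary directory written with umask 077, and a cron job that expires stale IMP/MSWordView files) as added example shell functions; this is not code from the advisory or from the IMP project, and the directory path, the imp.word.*.html naming pattern and the 30-minute age are assumptions taken from the listing above.

```shell
#!/bin/sh
# Added example, not part of the advisory or of IMP. Assumed values:
IMP_TMP="${IMP_TMP:-/var/lib/imp/tmp}"   # private temp dir instead of /tmp
MAX_AGE_MIN="${MAX_AGE_MIN:-30}"          # age after which leftovers are reaped

# Create the private temp directory (mode 700) for the web daemon user.
# The umask is set in a subshell so the caller's umask is unaffected.
make_private_tmp() {
    dir="$1"; owner="$2"
    ( umask 077; mkdir -p "$dir" ) || return 1
    chmod 700 "$dir" || return 1
    [ -n "$owner" ] && chown "$owner" "$dir"
    return 0
}

# Create one MSWordView output file the way the -pre11 fix does: with umask
# 077, so it is 600 rather than the world-readable 644 shown in the advisory.
# Prints the path of the file created.
create_imp_tmpfile() {
    dir="$1"; name="$2"
    ( umask 077; : > "$dir/$name" ) || return 1
    printf '%s\n' "$dir/$name"
}

# Octal permission bits of a path (GNU stat first, BSD stat as fallback).
perm_of() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# Cron-job body: remove IMP/MSWordView temp files older than $age minutes.
# Only files matching the imp.word.*.html pattern directly inside $dir are
# touched, so nothing else sharing the directory is removed. Prints the
# number of files removed.
cleanup_imp_tmp() {
    dir="$1"; age="${2:-$MAX_AGE_MIN}"
    [ -d "$dir" ] || return 1
    find "$dir" -maxdepth 1 -type f -name 'imp.word.*.html' \
        -mmin "+$age" -print -delete | wc -l
}
```

A crontab entry such as `*/10 * * * * /path/to/this.sh` calling `cleanup_imp_tmp "$IMP_TMP"` applies the reaping on the schedule the advisory suggests; tune MAX_AGE_MIN to the server's user count and temp space.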

I would like to acknowledge Chuck Hagenbuch of the IMP development team
and thank him for a quick response. IMP's a neat tool, and provides an
excellent webmail solution, which is why it's become so popular.

References:

          IMP: http://www.horde.org/imp/
   MSWordView: http://www.wvWare.com/
A really good discussion by Mudge of the L0pht/@Stake on /tmp use:
         http://www.l0pht.com/advisories/watch.txt
