Bugtraq mailing list archives

Re: response to the bugtraq report of buffer overruns in imapd LIST command


From: mouse () RODENTS MONTREAL QC CA (der Mouse)
Date: Tue, 18 Apr 2000 02:19:56 -0400


Can we please [] discuss the facts rationally?

1) There is no added vulnerability at all for a UNIX system which
   permits shell access.

This is not quite true.  There is no added vulnerability for a system
which permits shell access with the same <originating host, password>
pair which gives mailbox access.

One site I know of, for example, is considering nuking all ways to log
in from offsite with a reusable password - but you can still do that
for mail, and you can still get a shell with (eg) ssh.

   I don't have sufficient data to know what percentage of UW imapd
   sites run IMAP servers on top of shell UNIX systems as opposed to
   closed systems.

Then it seems to me that you should assume "most damage", which in this
case means that you should assume that a significant number of them
*are* such that this is a real problem for them.

2) The impact of the problem is that an authorized user may obtain
   unauthorized shell access to a closed system.

More specifically, mailbox access may be leveraged into shell access.
I gave one plausible example above where they are not normally
equivalent.  A "closed system" (in the sense of one which doesn't
normally offer shell access to vanilla users at all) is another.  A
third might be one where email and shell access both exist, but the
password databases for them are different.

   Unless the system also has other, more severe, security problems,
   the consequences are modest and it is not difficult to identify
   the perpetrator.

I'll thank you to let *me* determine how severe such a consequence is
for my system, thankyouverymuch.

Last but not least, I am very interested in Kris Kennaway's claim
that "It may also be possible to break out of the chroot jail on some
platforms."  If true, it represents a huge root-level security hole
on those platforms.  I simply do not believe the claim.  I would like
to know if there is some substance to this claim, or if it was mere
speculation.

Once you're running as root, it borders on trivial to break out of a
chroot jail on many (most? all?) platforms.

Getting to root in the first place is the interesting part.  Depending
on the OS and perhaps on what's in the jail, this can be anywhere from
trivial to impossible....

If there's a way to break out of a chroot jail *without* first managing
to end up running as root, I really want to see it.  (On a system that
restricts chroot() to root, of course.)

                                        der Mouse

                               mouse () rodents montreal qc ca
                     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
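An added example, not taken from der Mouse's post or from the UW imapd source, illustrating the defensive corollary of the point made above about chroot: the jail only holds if the process inside it is no longer root, so the daemon must chroot() and then permanently drop privileges in the right order. The directory path and uid/gid values are hypothetical.

```c
/* Added example: enter a chroot jail and give up root for good, so the
 * jailed process is not running as root and the root-only ways out of
 * a jail are not available to it.  Not code from the original thread. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 0 on success, -1 with errno set on failure.  Order matters:
 * chroot() itself needs root, chdir("/") makes sure the working directory
 * is inside the new root, and the gid/uid changes must come last because
 * they throw away the privilege the earlier steps require. */
int enter_jail(const char *dir, uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0) {      /* refuse to "drop" to root itself */
        errno = EINVAL;
        return -1;
    }
    if (chroot(dir) != 0)            return -1;
    if (chdir("/") != 0)             return -1;
    if (setgroups(0, NULL) != 0)     return -1;  /* no leftover root groups */
    if (setgid(gid) != 0)            return -1;  /* gid before uid */
    if (setuid(uid) != 0)            return -1;
    return 0;
}

/* Returns 1 if root is really gone, 0 otherwise.  A successful setuid(0)
 * after the supposed drop means the process could still regain root
 * (for example because only the effective uid was changed). */
int root_is_gone(void)
{
    if (getuid() == 0 || geteuid() == 0)
        return 0;
    if (setuid(0) == 0)
        return 0;
    return 1;
}
```

Run as root, enter_jail() followed by root_is_gone() returning 1 is the condition under which the chroot argument in the post actually applies; called as an unprivileged user, chroot() fails with EPERM and the function returns -1.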
