Vulnerability Development mailing list archives

Re: SECURITY.NNOV: Courier CPU exhaustion + bonus on imap-uw


From: Stan Bubrouski <stan () ccs neu edu>
Date: Sat, 01 Jun 2002 19:12:33 -0400

3APA3A wrote:
Original version
http://www.security.nnov.ru/advisories/courier.asp

Title:                  Courier CPU exhaustion
Author:                 ZARAZA <3APA3A () security nnov ru>
Date:                   May, 31 2002
Affected:               courier-0.38.1
Vendor:                 Double Precision, Inc.
Risk:                   Low to average
Remote:                 Yes
Exploitable:            Yes
Vendor notified:        May, 20 2002
Product URL:            http://www.courier-mta.org
SECURITY.NNOV URL:      http://www.security.nnov.ru
Advanced info:          http://www.security.nnov.ru/search/news.asp?binid=2055

Introduction:

Courier is a widely used suite of e-mail services written with security in
mind.

Problem:

A loop with an unchecked iteration counter controlled by user input may
cause courier to freeze for over a minute with 100% CPU usage on a
single command or message.

Details:

rfc822_parsedt.c:

        unsigned day=0, mon=0, year;
        ...
        unsigned y;
        ...
        if (year < 1970)        return (0);
        ...
        for (y=1970; y<year; y++) ...

year may be any unsigned integer.


Vendor:

 Sam Varshavchik <mrsam () courier-mta com> was contacted on May, 20.
 The problem was patched in the CVS version on the same day.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Bonus on imap-uw:

Imap-uw allows a user to access any file he could access locally. It's not
a bug, it's insecurity by design (it was not created with security in
mind ;-). According to the FAQ on the vendor's web site (it's not mentioned
in the FAQ inside the program distribution):

-=-=-=-=-=-=-

5.1 I see that the IMAP server allows access to arbitrary files on the
system, including /etc/passwd! How do I disable this?

This issue with uw-imapd has been known about for years and years and years. I brought this up about two years ago and I noticed others had as well. Changing one if statement in a source file fixes the behaviour, and yes, it is a FEATURE, not a BUG. I don't recall the exact location or if statement to change, but looking through uw-imapd archives is how I found it out a couple years ago, and I recommend you do the same.

-Stan

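The Courier loop quoted in the advisory, with a bounded, closed-form replacement, as an added C example: this is not Courier's code and not the fix that went into CVS; the 9999 cutoff, the function names and the per-year day accumulation are assumptions about how such a loop is used.

```c
#include <limits.h>
#include <stdbool.h>

/* Added example (not Courier's code). The advisory's loop, as typically
 * used when turning an RFC 822 Date header into a day count, iterates
 * once per year from 1970 up to the header-supplied year. With 'year'
 * unchecked (any unsigned value) that is up to ~4e9 iterations. */

/* Assumed cutoff: no legitimate Date header names a year beyond this;
 * anything larger is rejected as a parse error instead of iterated. */
#define MAX_HEADER_YEAR 9999u

static bool is_leap(unsigned y)
{
    return (y % 4 == 0 && y % 100 != 0) || y % 400 == 0;
}

/* Same shape as the advisory's loop: cost grows linearly with the
 * attacker-chosen year. Kept only to cross-check the closed form. */
unsigned long days_before_year_loop(unsigned year)
{
    unsigned long days = 0;
    for (unsigned y = 1970; y < year; y++)
        days += is_leap(y) ? 366 : 365;
    return days;
}

/* Number of leap years in [1, y], closed form. */
static unsigned long leaps_through(unsigned y)
{
    return y / 4 - y / 100 + y / 400;
}

/* Hardened variant: bounds-check first, then compute in O(1), so a hostile
 * Date header can neither run the loop for a minute nor need to.
 * Returns false (and leaves *out untouched) for out-of-range years. */
bool days_before_year_safe(unsigned year, unsigned long *out)
{
    if (year < 1970 || year > MAX_HEADER_YEAR)
        return false;
    unsigned long years = year - 1970;
    unsigned long leaps = leaps_through(year - 1) - leaps_through(1969);
    *out = years * 365 + leaps;
    return true;
}
```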
