Vulnerability Development mailing list archives

SECURITY.NNOV: Courier CPU exhaustion + bonus on imap-uw

From: 3APA3A <3APA3A () SECURITY NNOV RU>
Date: Sat, 1 Jun 2002 16:14:15 +0400

Original version
http://www.security.nnov.ru/advisories/courier.asp

Title:                  Courier CPU exhaustion
Author:                 ZARAZA <3APA3A () security nnov ru>
Date:                   May, 31 2002
Affected:               courier-0.38.1
Vendor:                 Double Precision, Inc.
Risk:                   Low to average
Remote:                 Yes
Exploitable:            Yes
Vendor notified:        May, 20 2002
Product URL:            http://www.courier-mta.org
SECURITY.NNOV URL:      http://www.security.nnov.ru
Advanced info:          http://www.security.nnov.ru/search/news.asp?binid=2055

Introduction:

Courier is widely used suite of e-mail services written with security in
mind.

Problem:

A  loop  with  unchecked  iteration counter controlled by user input may
cause  courier  to  freeze  for  over  the minute with 100% CPU usage on
single command or message.

Details:

rfc822_parsedt.c:

        unsigned day=0, mon=0, year;
        ...
        unsigned y;
        ...
        if (year < 1970)        return (0);
        ...
        for (y=1970; y<year; y++) ...

year may be any unsigned integer.


Vendor:

 Sam  Varshavchik  <mrsam () courier-mta com>  was  contacted  on  May, 20.
 Problem was patched in CVS version on the same day.
  
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Bonus on imap-uw:

Imap-uw allows user to access any file he could access locally. It's not
a  bug  it's  insecurity  by design (it was not created with security in
mind  ;-). According FAQ from vendor's web site (it's not mentioned in a
FAQ inside program distribution):

-=-=-=-=-=-=-

5.1  I  see  that the IMAP server allows access to arbitary files on the
system, including /etc/passwd! How do I disable this?

 You  should  not  worry about this if your IMAP users are allowed shell
 access.  The  IMAP  server does not permit any access that the user can
 not have via the shell. If, and only if, you deny your IMAP users shell
 access,  you may want to consider one of three choices. Note that these
 choices  reduce  IMAP  functionality,  and  may  have  undesirable side
 effects.   Each   of   these   choices   involves   an   edit  to  file
 src/osdep/unix/env_unix.c

 The  first  (and recommended) choice is to set restrictBox as described
 in  file  CONFIG.  This  will disable access to the filesystem root, to
 other users' home directory, and to superior directory.

 The second (and strongly NOT recommended) choice is to set closedBox as
 described  in file CONFIG. This puts each IMAP session into a so-called
 "chroot  jail", and thus setting this option is extremely dangerous; it
 can  make  your  system  much  less  secure and open to root compromise
 attacks.  So  do  not use this option unless you are absolutely certain
 that you understand all the issues of a "chroot jail."

 The  third  choice  is  to  rewrite  routine mailboxfile() to implement
 whatever   mapping   from   mailbox   name   to  filesystem  name  (and
 restrictions)  that  you  wish.  This  is the most general choice. As a
 guide,  you  can  see  at  the  start of routine mailboxfile() what the
 restrictBox choice does.

-=-=-=-=-=-

 It  should  be  noted  that  restrictBox/closedBox  is not described in
 neither  CONFIG nor any other document from program distribution at all
 (as for imap-2001a)... And even if you smart enough to check the FAQ on
 the  web  site after you red the FAQ in source distribution restrictBox
 can   be   bypassed   in  case  of  any  Windows  builds  (for  example
 http://sourceforge.net/projects/uw-imap-cygwin/) because '\\' symbol is
 never  checked. Hope nobody uses UW under NT or a version from OS ports
 distribution in production environment because as far as I can see port
 maintainers do not change the value of closedBox :).

 I'm  not sure if there are utilities to access file system via imap-uw,
 a created a small set of tools you can download imaptools.tgz from
 http://www.security.nnov.ru/search/news.asp?binid=2063

 it includes:

  imapget.c - to retrieve file via imap-uw, usage example:
    imapget imap.host.name /etc/passwd > passwd
    it should work for both text and binary files.

  imapls.c - to get a file listing, usage example:
    imapls imaphostname /tmp/\* > ls-tmp

  imaprm.c, imapmkdir.c - hope you catch the idea.

  it's also possible to create file with any name in mailbox format.

 
-- 
http://www.security.nnov.ru
         /\_/\
        { , . }     |\
+--oQQo->{ ^ }<-----+ \
|  ZARAZA  U  3APA3A   }
+-------------o66o--+ /
                    |/
You know my name - look up my number (The Beatles)
Current thread:

SECURITY.NNOV: Courier CPU exhaustion + bonus on imap-uw 3APA3A (Jun 01)
- Re: SECURITY.NNOV: Courier CPU exhaustion + bonus on imap-uw Stan Bubrouski (Jun 01)