Date: Fri, 07 Mar 1997 09:27:21 -0600 From: Jon Loeliger <jdl@jdl.com> To: security@freebsd.org Subject: Security problem with imapd and ipop3d Message-ID: <199703071527.JAA06704@chrome.jdl.com>
next in thread | raw e-mail | index | archive | help
Security,
Don't know if you guys saw this or were already aware, but
you guys over there in FreeBSD Land might want to know too.
Although not strictly FreeBSD in origin, there are FreeBSD
packages to which this applies....
Do what thou wilt with this.
jdl
----------------------------------------------------------------
Date--Sun, 2 Mar 1997 21:42:14 -0700
From--David Sacerdote <davids@SECNET.COM>
Secure Networks Inc.
Security Advisory
March 2, 1997
Buffer Overflow in imapd and ipop3d
A vulnerability exists within Mark Crispin's mail server toolkit that will
allow arbitrary individuals to obtain root access to servers running
imapd and ipop3d. This vulnerability is present in both the POP3 and IMAP2bis
servers included in the PINE distribution, as well as the IMAP2bis and
IMAP4 servers included in Mr. Crispin's IMAP toolkit.
Technical Details
~~~~~~~~~~~~~~~~~
The vulnerable mail servers call a library routine to affect a
Unix "login", authenticating the user against it's password. A
stack overrun exists in this routine. In essence this will allow
any client with the ability to attempt a login to enter an overly
long username to cause arbitrary machine code to execute.
Both the POP and IMAP servers Mr. Crispin distributes discard
supervisory privileges sometime after this authentication phase.
Unfortunately, the overflow occurs before this happens, and the
vulnerability will thus allow an attacker superuser access.
The problematic routine is server_login(), which is in
"log_xxx.c" in the OS-dependent code tree of the server source
distribution. The problem occurs due to the routine's attempt to
allow a case insensitive match on the username, which it does by
copying the username provided to the routine into an automatic
variable in the routine's stack.
The username buffer is MAILTMPLEN long, which defaults to 1024
bytes. Unfortunately, the server's input buffer is greater than
this, allowing a remote client to feed the routine a username
greater than 1024 bytes. If the excess characters in this
username contain a valid virtual memory address, the routine will
overwrite it's stack frame when copying the username, causing the
return from the routine to jump to an unexpected location.
Interestingly, the buffer is converted to lowercase after being
copied. This provides a slight technical challenge, as the
machine code required to take over the server contains uppercase
characters. However, modifications to the "standard" stack
overrun exploit code to reverse the affects of this lowercasing
were trivial. On i386 4.4BSD, the VM address required to redirect
server_login()'s return need not contain uppercase
characters.
The flawed code reads:
long server_login (char *user, char *pass, int argc, char *argv[])
{
char tmp[MAILTMPLEN];
struct passwd *pw = getpwnam (user);
/* allow case-independent match */
if(!pw) pw = getpwnam (lcase (strcpy (tmp, user)));
<complete server login and return>
}
Impact
~~~~~~
Remote individuals, who do not have a valid username and password for
the mail server, can obtain root access to systems running a vulnerable
IMAP or POP server.
Vulnerable Systems
~~~~~~~~~~~~~~~~~~
Any system running Mark Crispin's POP or IMAP server, of a release
earlier than 4.1beta is vulnerable. To determine whether your system
is vulnerable, telnet to ports 109, 110, 143 and 220. If you see a banner
looking like:
* OK example.com IMAP2bis Service 7.8(92) at Mon, 3 Mar 1997 12:00:00
-0500 (EST)
or:
* OK example.com IMAP4 v10.00 server ready
or:
+OK example.com POP3 3.0(10) w/IMAP client (Report problems in this server
to MRC@CAC.Washington.edu) at Mon, 3 Mar 1998 12:00:00 -0500 (EST)
Then your system is vulnerable. If you see "POP3 3.3" or "IMAP4rev1"
or later, your POP or IMAP server is not vulnerable.
POP servers not derived from Mark Crispin's code, including the somewhat
confusingly named "pop3d" from the University of California at Davis are
not vulnerable to the attack described in this advisory. Similarly,
the University of California at Berkeley popper, and derived POP servers,
including the Qualcomm popper, are not vulnerable to this attack.
Fix Information
~~~~~~~~~~~~~~~
As a temporary workaround, you can disable the POP and IMAP services
in /etc/inetd.conf, and then kill and restart inetd.
You can fix the problem in the source yourself, by changing the
server_login() function to read:
char tmp[MAILTMPLEN];
struct passwd *pw = getpwnam (user);
if(!pw) {
strncpy(tmp, user, MAILTMPLEN - 1);
pw = getpwnam(lcase(tmp));
Or, as a final option, you can switch to the IMAP 4.1 beta distribution,
which can be found at ftp://ftp.cac.washington.edu/mail/imap.tar.Z.
Additional Information
~~~~~~~~~~~~~~~~~~~~~~
If you have any questions about this advisory, feel free to contact me,
by sending mail to davids@secnet.com If you wish to encrypt your
messages to me, feel free to use the following PGP public key.
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.2
mQCNAzJ4qJAAAAEEAOgB7mooQ6NgzcUSIehKUufGsyojutC7phVXZ+p8FnHLLZNB
BLQEtj5kmfww2A2pR29q4rgPeqEUOjWPlLNdSLby3NI8yKz1AQSQLHAwIDXt/lku
8QXClaV6pNIaQSN8cnyyvjH6TYF778yZhYz0mwLqW6dU5whHtP93ojDw1UhtAAUR
tCtEYXZpZCBTYWNlcmRvdGUgPGRhdmlkc0BzaWxlbmNlLnNlY25ldC5jb20+
=LtL9
-----END PGP PUBLIC KEY BLOCK-----
Further information about the Interactive Mail Aaccess Protocol can be
found in RFCs 1731, 1732, 1733, 2060, 2061, 2062, 2086, 2087, 2088, and
2095. Further information about the Post Office Protocol can be found
in RFCs 1939 and 1957. Copies of RFCs can be found at
http://ds.internic.net/rfc/rfcXXXX.txt
For further information about Secure Networks Inc, including product
information, past advisories, and papers, see http://www.secnet.com
If you wish to obtain Secure Networks advisories via our mailing list,
please send mail to sni-advisories-request@secnet.com, with a single line
reading:
subscribe sni-advisories
Copyright
~~~~~~~~~
The contents of this advisory are Copyright (C) 1997 Secure Networks Inc,
and may be distributed freely provided that no fee is charged for
distribution, and that proper credit is given.
imapd and ipop3d fall under the following license:
Copyright 1997 by the University of Washington
Permission to use, copy, modify, and distribute this software and its
documentation for any purpose and without fee is hereby granted, provided
that the above copyright notice appears in all copies and that both the
above copyright notice and this permission notice appear in supporting
documentation, and that the name of the University of Washington not be
used in advertising or publicity pertaining to distribution of the software
without specific, written prior permission. This software is made
available "as is", and
THE UNIVERSITY OF WASHINGTON DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED,
WITH REGARD TO THIS SOFTWARE, INCLUDING WITHOUT LIMITATION ALL IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, AND IN
NO EVENT SHALL THE UNIVERSITY OF WASHINGTON BE LIABLE FOR ANY SPECIAL,
INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, TORT
(INCLUDING NEGLIGENCE) OR STRICT LIABILITY, ARISING OUT OF OR IN CONNECTION
WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199703071527.JAA06704>