Date: Wed, 26 May 1999 20:37:13 +0100
From: Chris Evans <[email protected]>
To: [email protected]
Subject: Remote vulnerability in pop2d
Hi
Firstly, sorry if any details are hazy - this is from memory (it's two
months since I last looked at this). This bug concerns the pop-2 daemon,
which is a part of the Washington University imap package.
I've been waiting for a CERT advisory, but one doesn't seem to be
forthcoming. Two and a half months is a long time. Also, the problem has
been fixed for a long time. I'm posting because
a) A fixed full release is available, so people should know about it
b) The flaw is fairly basic and easy to spot, so active exploitation could
well be happening
Quick details
=============
Compromise possible: remote users can get a shell as user "nobody"
If: running pop-2d v4.4 or earlier
Fixed version: imap-4.5, available now.
Not vulnerable
==============
RedHat-6.0 isn't vulnerable because imap-4.5 was shipped.
Vulnerable
==========
Anyone who shipped the pop-2 component of imap-4.4 or earlier, including
earlier RedHat releases.
Details of flaw
===============
pop-2 and pop-3 support the concept of an "anonymous proxy" whereby remote
users can connect and open an imap mailbox on _any server they have a
valid account on_. An attacker connects to the vulnerable pop-2 port and
connects it to an imap server under their control. Once logged on, issuing
a "FOLD" command with a long arg will cause an overflow of a stack based
buffer.
The arg to FOLD must be somewhere around 1000 bytes - not much bigger, not
much smaller. Look at the source.
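The bug class being described, as an added illustration and not the
ipop2d source (the real buffer size and surrounding code must be read
from the imap-4.4 sources): a FOLD handler that copies its argument into
a fixed-size stack buffer with no length check, beside a bounded version
that refuses anything that will not fit. MAILBOX_MAX, the function names
and the sample command lines are assumptions made for this example.

```c
/* Added example, not WU-IMAP code. MAILBOX_MAX is an assumed size chosen
 * so that an argument of about 1000 bytes, as in the report, overflows. */
#include <stdio.h>
#include <string.h>

#define MAILBOX_MAX 512   /* assumed, not the real ipop2d buffer size */

/* Vulnerable pattern (for contrast only, never called below): strcpy()
 * into a stack buffer with no check. A FOLD argument of MAILBOX_MAX bytes
 * or more writes past 'mailbox' into the saved registers and return
 * address, which is what lets a remote user take over control flow. */
int fold_unbounded(const char *arg)
{
    char mailbox[MAILBOX_MAX];
    strcpy(mailbox, arg);              /* overflows when strlen(arg) >= MAILBOX_MAX */
    return (int)strlen(mailbox);
}

/* Hardened pattern: measure first, reject anything that cannot fit
 * together with its terminator, then copy with an explicit length.
 * Returns the length accepted, or -1 if the argument was rejected.
 * Rejecting (rather than silently truncating) keeps a hostile client
 * from steering the server into a mailbox name it did not send. */
int fold_bounded(const char *arg)
{
    char mailbox[MAILBOX_MAX];
    size_t n = strlen(arg);
    if (n >= sizeof mailbox)
        return -1;
    memcpy(mailbox, arg, n + 1);       /* n + 1 includes the NUL, known to fit */
    return (int)n;
}

/* One step of a server command loop: dispatch a "FOLD <arg>" line.
 * Returns -2 for any other command so the caller can handle it. */
int handle_line(const char *line)
{
    if (strncmp(line, "FOLD ", 5) != 0)
        return -2;
    return fold_bounded(line + 5);
}

/* Build a constructed attacker line: "FOLD " followed by 'len' bytes of
 * filler. 'out' must hold at least len + 6 bytes. */
void make_fold_line(char *out, size_t len)
{
    memcpy(out, "FOLD ", 5);
    memset(out + 5, 'A', len);
    out[5 + len] = '\0';
}

int main(void)
{
    char line[2048];                   /* constructed sample input */
    make_fold_line(line, 1000);        /* ~1000-byte argument as in the report */
    printf("FOLD INBOX  -> %d\n", handle_line("FOLD INBOX"));
    printf("FOLD x1000  -> %d\n", handle_line(line));
    printf("NOOP        -> %d\n", handle_line("NOOP"));
    return 0;
}
```

The unbounded copy is the whole bug; the fix is nothing cleverer than
checking the length before the copy, which is why the report calls the
flaw "fairly basic and easy to spot".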
Additional
==========
I think the concept of "anonymous proxy" is just fundamentally insecure.
It opens up a large code path for remote users to explore, i.e. the
protocol parsing of imap, etc.
The author of imap very responsibly includes a compile time flag to
disable this in 4.5.
Better still, RedHat-6.0 ships with the proxy disabled.
Cheers
Chris