Hello,
Mandrake 6 has the imap-4.5-5mdk package.
Also, imap is not installed by default. And even if you install the imap
package, pop2 is commented out in /etc/inetd.conf.
Jean-Michel Dault
[EMAIL PROTECTED]
On Wed, 26 May 1999, James J. Capone wrote:
> Date: Wed, 26 May 1999 17:01:40 -0400
> From: "James J. Capone" <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
> Subject: [expert] FW: Remote vulnerability in pop2d
>
>
>
> -----Original Message-----
> From: Chris Evans [SMTP:[EMAIL PROTECTED]]
> Sent: Wednesday, May 26, 1999 3:37 PM
> To: [EMAIL PROTECTED]
> Subject: Remote vulnerability in pop2d
>
> Hi
>
> Firstly, sorry if any details are hazy - this is from memory (it's two
> months since I last looked at this). This bug concerns the pop-2 daemon,
> which is a part of the Washington University imap package.
>
> I've been waiting for a CERT advisory, but one doesn't seem to be
> forthcoming. Two and a half months is a long time. Also, the problem has
> been fixed for a long time. I'm posting because
>
> a) A fixed full release is available, so people should know about it
> b) The flaw is fairly basic and easy to spot, so active exploitation could
> well be happening
>
> Quick details
> =============
>
> Compromise possible: remote users can get a shell as user "nobody"
> If: running pop-2d v4.4 or earlier
>
> Fixed version: imap-4.5, available now.
>
>
> Not vulnerable
> ==============
> RedHat-6.0 isn't vulnerable because imap-4.5 was shipped.
>
> Vulnerable
> ==========
>
> Anyone who shipped the pop-2 component of imap-4.4 or earlier, including
> earlier RedHat releases
>
>
> Details of flaw
> ===============
>
> pop-2 and pop-3 support the concept of an "anonymous proxy" whereby remote
> users can connect and open an imap mailbox on _any server they have a
> valid account on_. An attacker connects to the vulnerable pop-2 port and
> connects it to an imap server under their control. Once logged on, issuing
> a "FOLD" command with a long arg will cause an overflow of a stack based
> buffer.
>
> The arg to FOLD must be somewhere around 1000 bytes - not much bigger, not
> much smaller. Look at the source.
>
> Additional
> ==========
>
> I think the concept of "anonymous proxy" is just fundamentally insecure.
> It opens up a large code path for remote users to explore, i.e. the
> protocol parsing of imap, etc.
>
> The author of imap very responsibly includes a compile time flag to
> disable this in 4.5.
>
> Better still, RedHat-6.0 ships with the proxy disabled.
>
>
> Cheers
> Chris
>
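As an added illustration of the flaw class described in the forwarded post (a client-supplied FOLD argument copied into a fixed-size stack buffer), here is a hypothetical C sketch of the unchecked pattern next to a bounds-checked command handler. This is not code from the Washington University imap package, and FOLDER_BUF, fold_unchecked, handle_line, probe_line and probe_fold are all invented for the example; the post only says the overflowing argument is "somewhere around 1000 bytes", so the buffer size is an assumption.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed buffer size: the post only says the FOLD argument must be
 * "somewhere around 1000 bytes" to overflow. Hypothetical value. */
#define FOLDER_BUF 1000

/* The flawed shape (do not call with untrusted input): the client-supplied
 * argument is copied into a fixed stack buffer with no length check, so an
 * argument of FOLDER_BUF bytes or more runs past 'folder' into the rest of
 * the stack frame. */
void fold_unchecked(const char *arg)
{
    char folder[FOLDER_BUF];
    strcpy(folder, arg);                 /* overflows when strlen(arg) >= FOLDER_BUF */
    printf("+OK %s selected\n", folder);
}

/* The hardened shape: measure the argument first, refuse anything that does
 * not fit (including the terminating NUL), and only then copy.
 * Returns 1 = accepted, 0 = rejected, -1 = not a FOLD command. */
int handle_line(const char *line, char *folder, size_t folderlen)
{
    if (strncmp(line, "FOLD ", 5) != 0)
        return -1;
    const char *arg = line + 5;
    size_t n = strcspn(arg, "\r\n");     /* argument ends at CRLF or end of string */
    if (n == 0 || n >= folderlen)
        return 0;                        /* would not fit: reject without copying */
    memcpy(folder, arg, n);
    folder[n] = '\0';
    return 1;
}

/* Run one command line through the checked handler with a FOLDER_BUF-sized
 * buffer, as the daemon would. */
int probe_line(const char *line)
{
    char folder[FOLDER_BUF];
    return handle_line(line, folder, sizeof folder);
}

/* Constructed input: a FOLD line whose argument is arglen bytes of 'A'.
 * Shows exactly where the checked handler starts refusing. */
int probe_fold(size_t arglen)
{
    char *line = malloc(5 + arglen + 3);   /* "FOLD " + arg + "\r\n" + NUL */
    if (line == NULL)
        return -2;
    memcpy(line, "FOLD ", 5);
    memset(line + 5, 'A', arglen);
    memcpy(line + 5 + arglen, "\r\n", 3);
    int r = probe_line(line);
    free(line);
    return r;
}

int main(void)
{
    size_t lens[] = { 16, FOLDER_BUF - 1, FOLDER_BUF, 1200 };
    fold_unchecked("INBOX");             /* short argument: fine even unchecked */
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("FOLD with %4zu-byte argument: %s\n", lens[i],
               probe_fold(lens[i]) == 1 ? "accepted" : "rejected");
    return 0;
}
```

Build with `cc -Wall` and run it: the checked handler accepts a 999-byte argument and rejects 1000 and above, which is the boundary the unchecked strcpy silently crosses. The example deliberately never feeds fold_unchecked a long argument; doing so is the bug. Note also that the post's real mitigation is upstream of any bounds check: with the anonymous proxy disabled at compile time (or the pop-2 line left commented out in inetd.conf, as Jean-Michel notes for Mandrake), an unauthenticated remote client never reaches this command parser at all.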