Forwarded by Frank Kruse <[EMAIL PROTECTED]>

----------------------- Original Message -----------------------
From: "Auteria Wally Winzer Jr." <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc: "Auteria Wally Winzer Jr." <[EMAIL PROTECTED]>
Date: Sat, 1 Jun 2002 19:30:28 -0700
Subject: Fw: SECURITY.NNOV: Courier CPU exhaustion + bonus on imap-uw
----
I thought this should be sent to the IMAP mailing list.

Wally Winzer Jr.

----- Original Message -----
From: "3APA3A" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc: "VULN-DEV" <[EMAIL PROTECTED]>
Sent: Saturday, June 01, 2002 05:14
Subject: SECURITY.NNOV: Courier CPU exhaustion + bonus on imap-uw

>
> Original version
> http://www.security.nnov.ru/advisories/courier.asp
>
> Title: Courier CPU exhaustion
> Author: ZARAZA <[EMAIL PROTECTED]>
> Date: May, 31 2002
> Affected: courier-0.38.1
> Vendor: Double Precision, Inc.
> Risk: Low to average
> Remote: Yes
> Exploitable: Yes
> Vendor notified: May, 20 2002
> Product URL: http://www.courier-mta.org
> SECURITY.NNOV URL: http://www.security.nnov.ru
> Advanced info: http://www.security.nnov.ru/search/news.asp?binid=2055
>
> Introduction:
>
> Courier is a widely used suite of e-mail services written with security in
> mind.
>
> Problem:
>
> A loop with an unchecked iteration counter controlled by user input may
> cause courier to freeze for over a minute with 100% CPU usage on a
> single command or message.
>
> Details:
>
> rfc822_parsedt.c:
>
> unsigned day=0, mon=0, year;
> ...
> unsigned y;
> ...
> if (year < 1970) return (0);
> ...
> for (y=1970; y<year; y++) ...
>
> year may be any unsigned integer.
>
>
> Vendor:
>
> Sam Varshavchik <[EMAIL PROTECTED]> was contacted on May, 20.
> The problem was patched in the CVS version on the same day.
>
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>
> Bonus on imap-uw:
>
> Imap-uw allows a user to access any file he could access locally. It's not
> a bug, it's insecurity by design (it was not created with security in
> mind ;-). According to the FAQ from the vendor's web site (it's not mentioned in the
> FAQ inside the program distribution):
>
> -=-=-=-=-=-=-
>
> 5.1 I see that the IMAP server allows access to arbitrary files on the
> system, including /etc/passwd! How do I disable this?
>
> You should not worry about this if your IMAP users are allowed shell
> access. The IMAP server does not permit any access that the user can
> not have via the shell. If, and only if, you deny your IMAP users shell
> access, you may want to consider one of three choices. Note that these
> choices reduce IMAP functionality, and may have undesirable side
> effects. Each of these choices involves an edit to file
> src/osdep/unix/env_unix.c
>
> The first (and recommended) choice is to set restrictBox as described
> in file CONFIG. This will disable access to the filesystem root, to
> other users' home directory, and to superior directory.
>
> The second (and strongly NOT recommended) choice is to set closedBox as
> described in file CONFIG. This puts each IMAP session into a so-called
> "chroot jail", and thus setting this option is extremely dangerous; it
> can make your system much less secure and open to root compromise
> attacks. So do not use this option unless you are absolutely certain
> that you understand all the issues of a "chroot jail."
>
> The third choice is to rewrite routine mailboxfile() to implement
> whatever mapping from mailbox name to filesystem name (and
> restrictions) that you wish. This is the most general choice. As a
> guide, you can see at the start of routine mailboxfile() what the
> restrictBox choice does.
>
> -=-=-=-=-=-
>
> It should be noted that restrictBox/closedBox is not described in
> either CONFIG or any other document from the program distribution at all
> (as for imap-2001a)... And even if you are smart enough to check the FAQ on
> the web site after you read the FAQ in the source distribution, restrictBox
> can be bypassed in the case of any Windows builds (for example
> http://sourceforge.net/projects/uw-imap-cygwin/) because the '\\' symbol is
> never checked. Hope nobody uses UW under NT or a version from OS ports
> distribution in a production environment, because as far as I can see port
> maintainers do not change the value of closedBox :).
>
> I'm not sure if there are utilities to access the file system via imap-uw,
> so I created a small set of tools; you can download imaptools.tgz from
> http://www.security.nnov.ru/search/news.asp?binid=2063
>
> it includes:
>
> imapget.c - to retrieve a file via imap-uw, usage example:
> imapget imap.host.name /etc/passwd > passwd
> it should work for both text and binary files.
>
> imapls.c - to get a file listing, usage example:
> imapls imaphostname /tmp/\* > ls-tmp
>
> imaprm.c, imapmkdir.c - hope you catch the idea.
>
> it's also possible to create a file with any name in mailbox format.
>
>
> --
> http://www.security.nnov.ru
>      /\_/\
>     { , . }     |\
> +--oQQo->{ ^ }<-----+ \
> |  ZARAZA  U  3APA3A  }
> +-------------o66o--+ /
>                     |/
> You know my name - look up my number (The Beatles)

--------------------- Original Message Ends --------------------
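The Courier issue above is a date-to-day-count conversion that iterates once per year between 1970 and a year taken straight from the message, so the sender chooses how long the server spins. The following is an example added here, not Courier's rfc822_parsedt.c or the vendor's patch: it shows the unbounded per-year loop next to a hardened variant that caps the year (MAX_YEAR 9999 is an assumption matching the four-digit years a mail header can carry) and computes the day count in constant time, plus a parser that refuses over-long year fields before they ever reach the converter.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added example; not Courier's code. Models the advisory's pattern. */

static bool is_leap(unsigned y) {
    return (y % 4 == 0 && y % 100 != 0) || y % 400 == 0;
}

/* Vulnerable pattern: the loop runs (year - 1970) times and 'year' is
 * attacker-controlled. A year near 4 billion means billions of iterations. */
unsigned long days_before_year_loop(unsigned year) {
    unsigned long days = 0;
    unsigned y;
    if (year < 1970) return 0;
    for (y = 1970; y < year; y++)
        days += is_leap(y) ? 366 : 365;
    return days;
}

#define MIN_YEAR 1970u
#define MAX_YEAR 9999u   /* assumption: four-digit years only */

/* Number of leap years in [1, y): closed form, no loop. */
static unsigned long leap_days_before(unsigned y) {
    unsigned long yy = y - 1;
    return yy / 4 - yy / 100 + yy / 400;
}

/* Hardened: bound-check first, then constant-time arithmetic.
 * Returns -1 for a rejected year, else days from 1970-01-01 to year-01-01. */
long days_before_year_safe(unsigned year) {
    if (year < MIN_YEAR || year > MAX_YEAR) return -1;
    unsigned long ordinary = (unsigned long)(year - MIN_YEAR) * 365;
    unsigned long leaps = leap_days_before(year) - leap_days_before(MIN_YEAR);
    return (long)(ordinary + leaps);
}

/* Parse a decimal year field; more than four digits or any non-digit is
 * refused, so the converter never sees an arbitrary unsigned value.
 * Returns 0 on failure (0 is never a valid year here). */
unsigned parse_year_field(const char *s) {
    unsigned v = 0;
    int n = 0;
    for (; *s; s++, n++) {
        if (*s < '0' || *s > '9' || n >= 4) return 0;
        v = v * 10 + (unsigned)(*s - '0');
    }
    return n == 0 ? 0 : v;
}

int main(void) {
    /* constructed inputs: a normal header year and a hostile one */
    const char *fields[] = { "2002", "4000000000" };
    for (size_t i = 0; i < 2; i++) {
        unsigned y = parse_year_field(fields[i]);
        printf("field %-12s -> year %u, days %ld\n", fields[i], y,
               y ? days_before_year_safe(y) : -1L);
    }
    return 0;
}
```

The loop version is kept only to show the cost model; the point of the hardened version is that the input can pick a value but not the amount of work done for it.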
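The restrictBox bypass on Windows builds comes down to a mailbox-name filter that only recognises '/' as a path separator. Below is a hypothetical mailbox-name policy, an example added here and not UW-IMAP's mailboxfile() or restrictBox code: it rejects the three things the vendor FAQ says restrictBox blocks (filesystem root, other users' home directories, superior directories) and treats '\\' and a drive-letter prefix as path syntax too, which is the check the advisory reports as missing.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added example; hypothetical policy, not UW-IMAP's code. */

/* Both separators are significant on Windows-family builds. */
static bool is_sep(char c) { return c == '/' || c == '\\'; }

/* Returns true if 'name' stays inside the user's own mailbox tree. */
bool mailbox_name_allowed(const char *name) {
    size_t len = strlen(name);
    if (len == 0) return false;
    /* filesystem root or UNC path: "/etc/passwd", "\\etc\\passwd", "\\\\srv\\share" */
    if (is_sep(name[0])) return false;
    /* drive-relative or drive-absolute: "C:..." */
    if (len >= 2 && name[1] == ':') return false;
    /* other users' home directories: "~user/..." */
    if (name[0] == '~') return false;
    /* superior directory: any ".." component, split on either separator */
    const char *p = name;
    while (*p) {
        const char *start = p;
        while (*p && !is_sep(*p)) p++;
        if (p - start == 2 && start[0] == '.' && start[1] == '.') return false;
        if (*p) p++;   /* step over the separator */
    }
    return true;
}

int main(void) {
    /* constructed mailbox names a client might send */
    const char *names[] = {
        "INBOX", "mail/saved", "/etc/passwd", "\\etc\\passwd",
        "mail\\..\\..\\secret", "~other/mbox", "C:\\boot.ini", "..notes"
    };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-22s %s\n", names[i],
               mailbox_name_allowed(names[i]) ? "allowed" : "rejected");
    return 0;
}
```

A name such as "..notes" passes because only a whole ".." component means "superior directory"; the split-on-separator walk is what makes that distinction, and it is also why a filter that splits only on '/' lets "mail\\..\\..\\secret" through.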
