wu-imap buffer overflow condition

by Nikola Strahija on May 11th, 2002

Wu-imapd is an easy-to-set-up IMAP daemon created and distributed by Washington University. A malicious user can construct a malformed request that overflows an internal buffer and runs code on the server with the uid/gid of the e-mail owner. The vulnerability mainly affects free e-mail providers and mail servers where the user has no shell access to the system.


Description:

The bug in the imapd.c code leads to an internal buffer overflow.
It may happen when the user asks to fetch partial mailbox
attributes.

The following request will cause the server to SIG11:

A0666 PARTIAL 1 BODY[AAA...1052bytes..AAA] 1 1

imapd.c
-------
int main (int argc,char *argv[])
{
  unsigned long i,uid;
  long f;
  char *s,*t,*u,*v,tmp[MAILTMPLEN];
  .
  .
  .

  else if (!strncmp (t,"BODY[",5) && (v = strchr(t+5,']')) &&
           !v[1]){
    strncpy (tmp,t+5,i = v - (t+5));
  .
  .
  .
  else if (!strncmp (t,"BODY.PEEK[",10) &&
           (v = strchr (t+10,']')) && !v[1]) {
    strncpy (tmp,t+10,i = v - (t+10));
  .
  .
  .
-------

The bug is very similar to the one found in the Kerberos4 ftp
client. There is no bounds check prior to moving user-supplied data.
Since the attacker overwrites the server's main stack, the
overflow will occur when the user logs out.





Marcell Fodor
-------------
e-mail: [email protected]
web: http://mantra.freeweb.hu
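
A bounds-checked form of the copy in the imapd.c excerpt above, as an added example that is not from the original advisory or the wu-imapd source. The excerpt passes the length of the source section as the strncpy limit, so the size of tmp never constrains the copy; here the length is checked against the destination first. The names copy_section and try_oversized are hypothetical, and MAILTMPLEN is set to 1024 as an assumption.

```c
#include <stdio.h>
#include <string.h>

#define MAILTMPLEN 1024  /* assumption: size of tmp[] for this sketch */

/* Hypothetical helper: copy the section between "BODY[" / "BODY.PEEK["
 * and the closing ']' into out (capacity outlen), NUL-terminated.
 * Returns the section length, or -1 if the attribute is malformed or
 * the section does not fit in out. */
static long copy_section(const char *t, char *out, size_t outlen)
{
    const char *start, *v;
    size_t n;

    if (!strncmp(t, "BODY[", 5)) start = t + 5;
    else if (!strncmp(t, "BODY.PEEK[", 10)) start = t + 10;
    else return -1;

    v = strchr(start, ']');
    if (!v || v[1]) return -1;      /* same shape test as the excerpt */

    n = (size_t)(v - start);
    if (n >= outlen) return -1;     /* the check the excerpt lacks */

    memcpy(out, start, n);
    out[n] = '\0';
    return (long)n;
}

/* Constructed input: a 1052-byte section, the size quoted in the advisory. */
static long try_oversized(void)
{
    char req[5 + 1052 + 2], tmp[MAILTMPLEN];
    memcpy(req, "BODY[", 5);
    memset(req + 5, 'A', 1052);
    req[5 + 1052] = ']';
    req[5 + 1052 + 1] = '\0';
    return copy_section(req, tmp, sizeof tmp);
}

int main(void)
{
    char tmp[MAILTMPLEN];
    printf("%ld\n", copy_section("BODY[HEADER]", tmp, sizeof tmp));
    printf("%ld\n", try_oversized());   /* rejected instead of copied */
    return 0;
}
```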

