COMMAND
imap, ipop2d, ipop3d
SYSTEMS AFFECTED
Berkeley Software Design, Inc. (BSDI)
Linux Systems (RedHat)
Possibly others
This vulnerability affects all versions of imapd prior to
v10.165, all versions of ipop2d prior to 2.3(32), and all
versions of ipop3d prior to 3.3(27)
PROBLEM
The following text is based on the CERT advisory; CERT holds the
copyright on the parts of it that are reproduced here.
The current version of Internet Message Access Protocol (IMAP)
supports both online and offline operation, permitting
manipulation of remote message folders. It provides access to
multiple mailboxes (possibly on multiple servers), and supports
nested mailboxes as well as resynchronization with the server.
The current version also provides a user with the ability to
create, delete, and rename mailboxes. Additional details
concerning the functionality of IMAP can be found in RFC 2060
(the IMAP4rev1 specification) available from
http://ds.internic.net/rfc/rfc2060.txt
The Post Office Protocol (POP) was designed to support offline
mail processing. That is, the client connects to the server to
download mail that the server is holding for the client. The mail
is deleted from the server and is handled offline (locally) on
the client machine.
In both protocols, the server must run with root privileges so it
can access mail folders and undertake some file manipulation on
behalf of the user logging in. After login, these privileges are
discarded. However, a vulnerability exists in the way the login
transaction is handled, and this can be exploited to gain
privileged access on the server. By sending carefully crafted text
to a system running a vulnerable version of these servers, remote
users may be able to cause a buffer overflow and execute arbitrary
instructions with root privileges.
Remote users can obtain root access on systems running a
vulnerable IMAP or POP server. They do not need access to an
account on the system to do this.
SOLUTION
Install a patch from your vendor or upgrade to the latest version
of IMAP. If your POP server is based on the University of
Washington IMAP server code, you should also upgrade to the
latest version of IMAP. Until you can take one of these actions,
you should disable these services.
When CERT incorporated the Secure Networks advisory
imap.advisory.04.02.97 (see #1 on this page) into CA-97.09, it
neglected to repeat the section which explicitly states that the
Qualcomm Popper, and other POP servers not derived from the
University of Washington POP server, are not vulnerable. The
consequences have ranged from queries via email to administrators
of large networks completely disabling POP, even though they were
not running vulnerable POP servers.
Although virtually all IMAP servers are affected, almost no POP
servers are. None of the Qualcomm, University of California at
Berkeley, or University of California at Davis POP servers are
vulnerable, and those three seem to be by far the most widely
deployed POP servers. Administrators are urged NOT to panic, and
blindly disable POP service for their users, but to issue the
command:
telnet mail.server.machine 110
and look at the version string they see. There is no reason
whatsoever to disable POP service unless they see some mention of
the University of Washington, as in:
+OK testing.secnet.com POP3 3.3(20) w/IMAP2 client (Comments to
MRC@CAC.Washington.EDU) at Wed, 9 Apr 1997 15:20:15 -0600 (MDT)
Then you can panic.
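The banner check above, done programmatically instead of by eye. This is an added example and not part of the advisory or of the UW distribution: the UW markers ("w/IMAP", "Washington"), the "POP3 3.3(20)" version syntax and the fixed build 3.3(27) come from the advisory text; the function names, the sample banners (constructed, only the first is the one quoted above) and the handling of unparseable greetings are this example's own assumptions. It only covers port 110; the IMAP greeting format is not given on this page, so imapd on port 143 is not checked.

```python
"""Classify a POP3 greeting banner as UW-derived (and fixed or not)."""
import re
import socket
from typing import Optional

# Fixed release of ipop3d according to the advisory: 3.3(27).
FIXED_IPOP3D = (3, 3, 27)

# UW-derived servers announce "w/IMAPx client" and "Comments to
# MRC@CAC.Washington.EDU" in the greeting; anything else is not UW code.
_UW_MARKERS = ("w/IMAP", "Washington")
_POP3_VERSION_RE = re.compile(r"\bPOP3\s+(\d+)\.(\d+)\((\d+)\)")


def parse_uw_pop3_version(banner: str) -> Optional[tuple]:
    """Return (major, minor, build) for a UW ipop3d banner, else None.

    Qualcomm, Berkeley or Davis servers carry none of the markers and
    yield None, which the advisory says means "not vulnerable".
    """
    if not any(marker in banner for marker in _UW_MARKERS):
        return None
    m = _POP3_VERSION_RE.search(banner)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def classify_pop3_banner(banner: str) -> str:
    """One of 'not-uw', 'vulnerable', 'fixed' or 'unknown'."""
    if not any(marker in banner for marker in _UW_MARKERS):
        return "not-uw"
    version = parse_uw_pop3_version(banner)
    if version is None:
        return "unknown"   # UW markers present but no parseable version: inspect by hand
    return "vulnerable" if version < FIXED_IPOP3D else "fixed"


def fetch_pop3_banner(host: str, port: int = 110, timeout: float = 5.0) -> str:
    """Read the single greeting line a telnet session would show."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        data = b""
        while not data.endswith(b"\r\n") and len(data) < 1024:
            chunk = sock.recv(256)
            if not chunk:
                break
            data += chunk
    return data.decode("ascii", errors="replace").strip()


# Constructed sample banners; "uw-old" is the one quoted in the advisory,
# the other two are invented for illustration.
SAMPLE_BANNERS = {
    "uw-old": "+OK testing.secnet.com POP3 3.3(20) w/IMAP2 client "
              "(Comments to MRC@CAC.Washington.EDU) at Wed, 9 Apr 1997 15:20:15 -0600 (MDT)",
    "uw-fixed": "+OK mail.example.net POP3 3.3(27) w/IMAP4 client "
                "(Comments to MRC@CAC.Washington.EDU) at Thu, 10 Apr 1997 09:00:00 -0600 (MDT)",
    "qpopper": "+OK QPOP (version 2.2) at mail.example.org starting.",
}

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Live check: python3 popcheck.py mail.server.machine
        banner = fetch_pop3_banner(sys.argv[1])
        print(banner)
        print(classify_pop3_banner(banner))
    else:
        for name, banner in SAMPLE_BANNERS.items():
            print(f"{name:9s} -> {classify_pop3_banner(banner)}")
```

The banner is only a heuristic: a server rebuilt from patched c-client sources but with an old greeting string still reads "vulnerable", and a vendor that rewrote the greeting would read "not-uw". Treat "unknown" and any doubt as a reason to verify the installed package version on the host itself.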
An alternative to installing vendor patches is upgrading to
IMAP4rev1, which is available from:
ftp://ftp.cac.washington.edu/mail/imap.tar.Z
If you cannot take either of the actions above, at least install
tcp_wrappers so that only trusted hosts can reach the login
transaction. The tcp_wrappers tool is available from:
ftp://info.cert.org/pub/tools/tcp_wrappers/tcp_wrappers_7.5.tar.gz
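A tcp_wrappers configuration that limits the UW daemons to one local network, added here as an illustration; it is not from the advisory or from the tcp_wrappers distribution. The tcpd path, the 192.0.2.0/255.255.255.0 client network and the daemon names are assumptions to be adjusted to the local installation (the name in hosts.allow must match the server's argv[0] as invoked by tcpd).

```text
# /etc/inetd.conf: run the servers through tcpd so hosts.allow/hosts.deny apply
# (daemon path is an assumption; use the path your system installs)
pop3   stream  tcp  nowait  root  /usr/sbin/tcpd  ipop3d
imap   stream  tcp  nowait  root  /usr/sbin/tcpd  imapd

# /etc/hosts.deny: default deny for every wrapped service
ALL: ALL

# /etc/hosts.allow: only the local mail clients may reach POP/IMAP
# (192.0.2.0 is a documentation network used here as a placeholder)
ipop3d imapd: 192.0.2.0/255.255.255.0
```

This only narrows who can reach the vulnerable login transaction; a client inside the allowed network can still trigger the overflow and obtain root, so it is a stopgap until the server is patched or replaced, not a fix.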
The IMAP servers included with all versions of Red Hat Linux have
a buffer overrun which allows *remote* users to gain root access
on systems which run them. A fix for Red Hat 4.1 is now available.
Users of Red Hat 4.0 should apply the Red Hat 4.1 fix. Users of
previous releases of Red Hat Linux are strongly encouraged to
upgrade or simply not run imap. You can remove imap from any
machine running with Red Hat Linux 2.0 or later by running the
command "rpm -e imap", rendering them immune to this problem.
All of the new packages are PGP signed with Red Hat's PGP key,
and may be obtained from ftp.redhat.com:/updates/4.1.
This vulnerability has been detected in the University of
Washington c-client library used in the UW IMAP and POP servers.
It is recommended that all sites using these servers upgrade to
the latest versions, available in the UW IMAP toolkit:
ftp://ftp.cac.washington.edu/mail/imap.tar.Z
This is a source distribution which includes imapd, ipop2d,
ipop3d, and the c-client library. The IMAP server in this
distribution conforms to RFC 2060 (the IMAP4rev1 specification).
Sites which are not yet prepared to upgrade from IMAP2bis to IMAP4
service may obtain a corrected IMAP2bis server as part of the
latest (3.96) UW Pine distribution, available at:
ftp://ftp.cac.washington.edu/pine/pine.tar.Z