exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

wu-imap-overflow.txt

wu-imap-overflow.txt
Posted May 13, 2002
Authored by Marcell Fodor | Site mantra.freeweb.hu

A buffer overflow vulnerability has been found in the WU-IMAP daemon and can be used to remotely execute code via malformed requests. An account is necessary to exploit this overflow.

tags | overflow, imap
SHA-256 | 4eab3d4451f2286911c7ccb083a73a3343426075027dd2069efebe1bf2bfc3c9

wu-imap-overflow.txt

Change Mirror Download

('binary' encoding is not supported, stored as-is) 10.05.2002
SECURITY BUG REPORT


Affected version:

* WU-IMAP 2000.283 default install
* WU-IMAP 2000.284 default install
* WU-IMAP 2000.287 default install
* WU-IMAP 2001.315 compiled with RFC 1730 support

Overview:

Wu-imapd is an easy to set-up IMAP daemon created and
distributed by Washington University. Malicious user is able
to construct a malformed request which will overflow an
internal buffer, and run code on the server with uid/gid of
the e-mail owner. The vulnerability mainly affects free
e-mail providers/mail servers where the user has no shell
access to the system.

Description:

The bug in imapd.c code leads to internal buffer overflow.
It may happen when the user ask for fetching partial mailbox
attributes.

request will cause server to SIG11 : A0666 PARTIAL 1
BODY[AAA...1052bytes..AAA] 1 1

imapd.c
-------
int main (int argc,char *argv[])
{
unsigned long i,uid;
long f;
char *s,*t,*u,*v,tmp[MAILTMPLEN];
.
.
.

else if (!strncmp (t,"BODY[",5) && (v = strchr(t+5,']')) &&
!v[1]){
strncpy (tmp,t+5,i = v - (t+5));
.
.
.
else if (!strncmp (t,"BODY.PEEK[",10) &&
(v = strchr (t+10,']')) && !v[1]) {
strncpy (tmp,t+10,i = v - (t+10));
.
.
.
-------

The bug is very similar to the one found in Kerberos4 ftp
client. No bound check prior moving user supplied data.
Since the attacker overwrites the server's main stack,
overflow will occur when the user logs out.





Marcell Fodor
-------------
e-mail: m.fodor@mail.datanet.hu
web: https://mantra.freeweb.hu
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close