Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Linux :: Apps N-Z :: m-085.txt

University Washington Imapd Buffer Overflow Vulnerability (CIAC M-085)





             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

          University of Washington Imapd Buffer Overflow Vulnerability
                      [Red Hat Advisory RHSA-2002:092-11]

June 3, 2002 21:00 GMT                                            Number M-085
______________________________________________________________________________
PROBLEM:       A buffer overflow exists in the University of Washington imap
               daemon version 2000c and previous releases.
PLATFORM:      UW wu-imapd 2000c and previous:
               HP Secure OS software
               for Linux 1.0 RedHat Linux 6.2 alpha, i386, sparc RedHat Linux
               7.0 alpha, i386 RedHat Linux 7.1 alpha, i386, ia64 RedHat Linux
               7.2 i386, ia64
DAMAGE:        Successful exploit of this vulnerability can enable an
               authenticated user to execute arbitrary commands within their
               UID/GID privileges, ranging from unauthorized file access up to
               including root depending on user privileges.
SOLUTION:      Apply the patches described below.
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. Exploiting this vulnerability requires a
ASSESSMENT:    legitimate account on the system and results in potential
               unauthorized execution of commands, depending on the user's
               privileges. This is remotely exploitable, but requires a
               legitimate account.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/m-085.shtml
 ORIGINAL BULLETIN:  http://rhn.redhat.com/errata/RHSA-2002-092.html
 OTHER LINKS:        HP Advisory: http://online.securityfocus.com/advisories/4167
______________________________________________________________________________

[***** Start Red Hat Advisory RHSA-2002:092-11 *****]

---------------------------------------------------------------------
                   Red Hat, Inc. Red Hat Security Advisory

Synopsis:          Buffer overflow in UW imap daemon
Advisory ID:       RHSA-2002:092-11
Issue date:        2002-05-16
Updated on:        2002-05-22
Product:           Red Hat Linux
Keywords:          UW imap buffer overflow wu-imap uw-imap
Cross references:
Obsoletes:         RHBA-2001:120
CVE Names:         CAN-2002-0379
---------------------------------------------------------------------

1. Topic:

The UW imap daemon contains a buffer overflow which allows a
logged in, remote user to execute commands on the server
with the user's UID/GID.

2. Relevant releases/architectures:

Red Hat Linux 6.2 - alpha, i386, sparc

Red Hat Linux 7.0 - alpha, i386

Red Hat Linux 7.1 - alpha, i386, ia64

Red Hat Linux 7.2 - i386, ia64

3. Problem description:

UW imapd is an IMAP daemon from the University of Washington.  Version
2000c and previous versions have a bug that allows a malicious user to
construct a malformed request which overflows an internal buffer, enabling
that user to execute commands on the server with the user's UID/GID.

To exploit this problem the user has to have successfully authenticated to
the imapd service.  Therefore, this vulnerability mainly affects free email
providers or mail servers where the user has no shell access to the system.
On other systems, in which the user already has shell access, users can
already run commands under their own UIDs/GIDs.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2002-0379 to this issue.

Users of imapd are advised to upgrade to these errata packages containing
version 2001a of imapd. They are not vulnerable to this issue.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.  Only those
RPMs which are currently installed will be updated.  Those RPMs which are
not installed but included in the list will not be updated.  Note that you
can also use wildcards (*.rpm) if your current directory *only* contains the
desired RPMs.

Please note that this update is also available via Red Hat Network.  Many
people find this an easier way to apply updates.  To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla for more info):



6. RPMs required:

Red Hat Linux 6.2:

SRPMS:
ftp://updates.redhat.com/6.2/en/os/SRPMS/imap-2001a-1.62.0.src.rpm

alpha:
ftp://updates.redhat.com/6.2/en/os/alpha/imap-2001a-1.62.0.alpha.rpm
ftp://updates.redhat.com/6.2/en/os/alpha/imap-devel-2001a-1.62.0.alpha.rpm

i386:
ftp://updates.redhat.com/6.2/en/os/i386/imap-2001a-1.62.0.i386.rpm
ftp://updates.redhat.com/6.2/en/os/i386/imap-devel-2001a-1.62.0.i386.rpm

sparc:
ftp://updates.redhat.com/6.2/en/os/sparc/imap-2001a-1.62.0.sparc.rpm
ftp://updates.redhat.com/6.2/en/os/sparc/imap-devel-2001a-1.62.0.sparc.rpm

Red Hat Linux 7.0:

SRPMS:
ftp://updates.redhat.com/7.0/en/os/SRPMS/imap-2001a-1.70.0.src.rpm

alpha:
ftp://updates.redhat.com/7.0/en/os/alpha/imap-2001a-1.70.0.alpha.rpm
ftp://updates.redhat.com/7.0/en/os/alpha/imap-devel-2001a-1.70.0.alpha.rpm

i386:
ftp://updates.redhat.com/7.0/en/os/i386/imap-2001a-1.70.0.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/imap-devel-2001a-1.70.0.i386.rpm

Red Hat Linux 7.1:

SRPMS:
ftp://updates.redhat.com/7.1/en/os/SRPMS/imap-2001a-1.71.0.src.rpm

alpha:
ftp://updates.redhat.com/7.1/en/os/alpha/imap-2001a-1.71.0.alpha.rpm
ftp://updates.redhat.com/7.1/en/os/alpha/imap-devel-2001a-1.71.0.alpha.rpm

i386:
ftp://updates.redhat.com/7.1/en/os/i386/imap-2001a-1.71.0.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/imap-devel-2001a-1.71.0.i386.rpm

ia64:
ftp://updates.redhat.com/7.1/en/os/ia64/imap-2001a-1.71.0.ia64.rpm
ftp://updates.redhat.com/7.1/en/os/ia64/imap-devel-2001a-1.71.0.ia64.rpm

Red Hat Linux 7.2:

SRPMS:
ftp://updates.redhat.com/7.2/en/os/SRPMS/imap-2001a-1.72.0.src.rpm

i386:
ftp://updates.redhat.com/7.2/en/os/i386/imap-2001a-1.72.0.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/imap-devel-2001a-1.72.0.i386.rpm

ia64:
ftp://updates.redhat.com/7.2/en/os/ia64/imap-2001a-1.72.0.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64/imap-devel-2001a-1.72.0.ia64.rpm



7. Verification:

MD5 sum                          Package Name
--------------------------------------------------------------------------
ec7794a80981a579ded00e27a416e9e2 6.2/en/os/SRPMS/imap-2001a-1.62.0.src.rpm
98c89c190f6276474917b51112d43b60 6.2/en/os/alpha/imap-2001a-1.62.0.alpha.rpm
62e846b2c6dbe71ecd64063a8ddef179 6.2/en/os/alpha/imap-devel-2001a-1.62.0.alpha.rpm
105073a5d5d9cca998c16c4784432612 6.2/en/os/i386/imap-2001a-1.62.0.i386.rpm
18307141223c8214a996fc779fc4b30f 6.2/en/os/i386/imap-devel-2001a-1.62.0.i386.rpm
c11e86178eac2def6c7f2680d72d4362 6.2/en/os/sparc/imap-2001a-1.62.0.sparc.rpm
0e82318b401d12f641e74afaac29b26a 6.2/en/os/sparc/imap-devel-2001a-1.62.0.sparc.rpm
c99646d934c056062269927d68c083cb 7.0/en/os/SRPMS/imap-2001a-1.70.0.src.rpm
c1a44a312e0ff6ddce84ab9fce8661ce 7.0/en/os/alpha/imap-2001a-1.70.0.alpha.rpm
01240d7f239848f76671135932745480 7.0/en/os/alpha/imap-devel-2001a-1.70.0.alpha.rpm
6f775661a7cf3320fed6954bb6fc5319 7.0/en/os/i386/imap-2001a-1.70.0.i386.rpm
e3ee6086addf447fc7cdf257f0489d1a 7.0/en/os/i386/imap-devel-2001a-1.70.0.i386.rpm
924b63ae2c8029355a08b3001d59cbb5 7.1/en/os/SRPMS/imap-2001a-1.71.0.src.rpm
e3acdfb3224d30c75e9971655de7a4e1 7.1/en/os/alpha/imap-2001a-1.71.0.alpha.rpm
9b2e89d31f7bcbb95c674972d64e8813 7.1/en/os/alpha/imap-devel-2001a-1.71.0.alpha.rpm
dd5d21b6e461813bdeddc16a6b41b285 7.1/en/os/i386/imap-2001a-1.71.0.i386.rpm
2d3140dfe10396bd20d04bd79b57f647 7.1/en/os/i386/imap-devel-2001a-1.71.0.i386.rpm
5649a1d3c1d8d950c5a0272ba65faec5 7.1/en/os/ia64/imap-2001a-1.71.0.ia64.rpm
7232061442f47e063a193d8982d12f52 7.1/en/os/ia64/imap-devel-2001a-1.71.0.ia64.rpm
ee249743bacd07adf36b355c78066f73 7.2/en/os/SRPMS/imap-2001a-1.72.0.src.rpm
d2d9a10cb6c8faed062da4f21d8fb7e5 7.2/en/os/i386/imap-2001a-1.72.0.i386.rpm
21feec5a469ff71e706173199ffc3856 7.2/en/os/i386/imap-devel-2001a-1.72.0.i386.rpm
0247d2d090596fe2b892dd6768036d7c 7.2/en/os/ia64/imap-2001a-1.72.0.ia64.rpm
456511a67ebda4e8a73af782388a97ab 7.2/en/os/ia64/imap-devel-2001a-1.72.0.ia64.rpm


These packages are GPG signed by Red Hat, Inc. for security.  Our key
is available at:
    http://www.redhat.com/about/contact/pgpkey.html

You can verify each package with the following command:
    rpm --checksig  <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:
    rpm --checksig --nogpg <filename>

8. References:

http://marc.theaimsgroup.com/?l=bugtraq&m=102107222100529
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0379


Copyright(c) 2000, 2001, 2002 Red Hat, Inc. 


[***** End Red Hat Advisory RHSA-2002:092-11 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Red Hat, Inc. for the
information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
   Anonymous FTP:       ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

M-075: HP Security Vulnerability in MPE/iX FTPSRVR
M-076: SGI IRIX nsd symlink Vulnerability
M-077: SGI IRIX Xlib Vulnerability
M-078: Sun Heap Overflow in Cachefs Daemon (cachefsd)
M-079: Format String Vulnerability in ISC DHCPD
M-080: SGI IRIX fsr_xfs Vulnerability
M-081: SSHD "AllowedAuthentications" Vulnerability
M-082: Microsoft Cumulative Patch for Internet Explorer
M-083: Microsoft Authentication Flaw in Windows Debugger
M-084: Red Hat "pam_ldap" Vulnerability



TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH