Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Unix :: General :: unix5342.htm

Wu-imapd remote buffer overflow



13th May 2002 [SBWID-5342]
COMMAND

	Wu-imapd remote buffer overflow

SYSTEMS AFFECTED

	 WU-IMAP 2000.283 default install

	 WU-IMAP 2000.284 default install

	 WU-IMAP 2000.287 default install

	 WU-IMAP 2001.315 compiled with RFC 1730 support

	

PROBLEM

	Marcell Fodor [http://mantra.freeweb.hu] says :
	

	A bug in imapd.c code leads to internal buffer overflow. It  may  happen
	when the user ask for fetching partial mailbox attributes.
	

	request will cause server to SIG11  :
	

	A0666 PARTIAL 1

	BODY[AAA...1052bytes..AAA] 1 1

	

	

	Affected code :
	

	imapd.c

	-------

	int main (int argc,char *argv[])

	{

	  unsigned long i,uid;

	  long f;

	  char *s,*t,*u,*v,tmp[MAILTMPLEN];

	.

	.

	.

	

	else if (!strncmp (t,\"BODY[\",5) && (v = strchr(t+5,\']\')) &&

	!v[1]){

	          strncpy (tmp,t+5,i = v - (t+5));

	.

	.

	.

	else if (!strncmp (t,\"BODY.PEEK[\",10) &&

	             (v = strchr (t+10,\']\')) && !v[1]) {

	          strncpy (tmp,t+10,i = v - (t+10));

	.

	.

	.

	-------

	

	The bug is very similar to the one found in  Kerberos4  ftp  client.  No
	bound  check  prior  moving  user  supplied  data.  Since  the  attacker
	overwrites the server\'s main stack, overflow will occur when  the  user
	logs out.

SOLUTION

	Patch for the problem:
	

	556,557c556,558

	< 	    else if (!strncmp (t,\"BODY[\",5) && (v = strchr(t+5,\']\')) && !v[1]){

	< 	      strncpy (tmp,t+5,i = v - (t+5));

	---

	> 	    else if (!strncmp (t,\"BODY[\",5) && (v = strchr(t+5,\']\')) &&

	> 		     !v[1] && ((i = v - (t+5)) < MAILTMPLEN)){

	> 	      strncpy (tmp,t+5,i);

	563,564c564,566

	< 		     (v = strchr (t+10,\']\')) && !v[1]) {

	< 	      strncpy (tmp,t+10,i = v - (t+10));

	---

	> 		     (v = strchr (t+10,\']\')) && !v[1] &&

	> 		     ((i = v - (t+10)) < MAILTMPLEN)) {

	> 	      strncpy (tmp,t+10,i);

	


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH