Re: SECURITY.NNOV: Courier CPU exhaustion + bonus on imap-uw

From: Stan Bubrouski (stanat_private)
Date: Sat Jun 01 2002 - 16:12:33 PDT


    3APA3A wrote:
    > Original version
    > http://www.security.nnov.ru/advisories/courier.asp
    > 
    > Title:                  Courier CPU exhaustion
    > Author:                 ZARAZA <3APA3Aat_private>
    > Date:                   May, 31 2002
    > Affected:               courier-0.38.1
    > Vendor:                 Double Precision, Inc.
    > Risk:                   Low to average
    > Remote:                 Yes
    > Exploitable:            Yes
    > Vendor notified:        May, 20 2002
    > Product URL:            http://www.courier-mta.org
    > SECURITY.NNOV URL:      http://www.security.nnov.ru
    > Advanced info:          http://www.security.nnov.ru/search/news.asp?binid=2055
    > 
    > Introduction:
    > 
    > Courier is a widely used suite of e-mail services written with security
    > in mind.
    > 
    > Problem:
    > 
    > A loop with an unchecked iteration counter controlled by user input may
    > cause courier to freeze for over a minute with 100% CPU usage on a
    > single command or message.
    > 
    > Details:
    > 
    > rfc822_parsedt.c:
    > 
    >         unsigned day=0, mon=0, year;
    >         ...
    >         unsigned y;
    >         ...
    >         if (year < 1970)        return (0);
    >         ...
    >         for (y=1970; y<year; y++) ...
    > 
    > year may be any unsigned integer.
    > 
    > 
    > Vendor:
    > 
    >  Sam  Varshavchik  <mrsam@courier-mta.com>  was  contacted  on  May, 20.
    >  Problem was patched in CVS version on the same day.
    >   
    > -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
    > 
    > Bonus on imap-uw:
    > 
    > Imap-uw allows a user to access any file he could access locally. It's
    > not a bug, it's insecurity by design (it was not created with security
    > in mind ;-). According to the FAQ on the vendor's web site (it's not
    > mentioned in the FAQ inside the program distribution):
    > 
    > -=-=-=-=-=-=-
    > 
    > 5.1 I see that the IMAP server allows access to arbitrary files on the
    > system, including /etc/passwd! How do I disable this?
    
    This issue with uw-imapd has been known about for years and years and 
    years.  I brought this up about two years ago and I noticed others had 
    as well.  Changing one if statement in a source file fixes the behaviour 
    and yes it is a FEATURE not a BUG.  I don't recall the exact location or 
    if statement to change but looking through uw-imapd archives is how I 
    found it out a couple years ago, and I recommend you do the same.
    
    -Stan
    
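The advisory quoted above boils down to a loop whose trip count is `year - 1970`, with `year` an unsigned value taken straight from a Date header. The following C program is an added illustration (not Courier's code and not part of the thread); it reproduces that pattern with an iteration counter so the cost is visible, and sets it beside a version that rejects out-of-range years up front and computes the same day count in constant time. The function names, the `MAX_SANE_YEAR` bound and the leap-year helper are assumptions of this example.

```c
/* Added example: unbounded user-controlled loop vs. a bounded, constant-time
 * alternative. Not Courier's code; names and the year bound are hypothetical. */
#include <stdio.h>
#include <limits.h>

/* Upper bound for years we are willing to process (assumption). */
#define MAX_SANE_YEAR 9999u

/* Days in Gregorian year y. */
static unsigned days_in_year(unsigned y)
{
    return (y % 4 == 0 && (y % 100 != 0 || y % 400 == 0)) ? 366 : 365;
}

/* Shape of the loop the advisory describes: trip count is year - 1970,
 * limited only by UINT_MAX. *iterations reports how many times it spun. */
unsigned long long days_before_year_looped(unsigned year,
                                           unsigned long long *iterations)
{
    unsigned long long days = 0;
    unsigned y;

    *iterations = 0;
    if (year < 1970)
        return 0;
    for (y = 1970; y < year; y++) {
        days += days_in_year(y);
        (*iterations)++;
    }
    return days;
}

/* Leap years in the closed interval [1, y]. */
static unsigned long long leaps_through(unsigned y)
{
    return (unsigned long long)y / 4 - y / 100 + y / 400;
}

/* Hardened form: reject years outside [1970, MAX_SANE_YEAR] before doing any
 * work, then compute the day count in O(1) so the input cannot buy CPU time.
 * Returns 0 on success, -1 on a rejected year. */
int days_before_year_bounded(unsigned year, unsigned long long *days)
{
    if (year < 1970 || year > MAX_SANE_YEAR)
        return -1;
    *days = (unsigned long long)(year - 1970) * 365
          + (leaps_through(year - 1) - leaps_through(1969));
    return 0;
}

int main(void)
{
    unsigned long long it, d;
    unsigned samples[] = { 2002, MAX_SANE_YEAR, UINT_MAX }; /* constructed */
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (days_before_year_bounded(samples[i], &d) == 0)
            printf("year %u: %llu days since 1970 (bounded, O(1))\n",
                   samples[i], d);
        else
            printf("year %u: rejected before any loop runs\n", samples[i]);
    }
    /* Only the small year is fed to the looped version; UINT_MAX would spin
     * roughly four billion times, which is exactly the advisory's point. */
    d = days_before_year_looped(2002, &it);
    printf("looped: %llu days after %llu iterations\n", d, it);
    return 0;
}
```

Both versions agree on in-range input (2002 gives 11688 days after 32 iterations of the loop), but only the bounded one has a cost independent of the attacker's choice of year; a range check before the loop is the minimal fix, and the closed form removes the loop entirely.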



    This archive was generated by hypermail 2b30 : Sat Jun 01 2002 - 16:37:12 PDT