Re: SECURITY.NNOV: Courier CPU exhaustion + bonus on imap-uw

From: Stan Bubrouski (stanat_private)
Date: Sat Jun 01 2002 - 16:12:33 PDT

Next message: jj ss: "active x controls that can access the hard disk"

Previous message: T0aD: "Re: BUG in ftp client on *BSD and Solaris system?"
In reply to: 3APA3A: "SECURITY.NNOV: Courier CPU exhaustion + bonus on imap-uw"
Next in thread: 3APA3A: "SECURITY.NNOV: Courier CPU exhaustion + bonus on imap-uw"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

3APA3A wrote:
> Original version
> http://www.security.nnov.ru/advisories/courier.asp
> 
> Title:                  Courier CPU exhaustion
> Author:                 ZARAZA <3APA3Aat_private>
> Date:                   May, 31 2002
> Affected:               courier-0.38.1
> Vendor:                 Double Precision, Inc.
> Risk:                   Low to average
> Remote:                 Yes
> Exploitable:            Yes
> Vendor notified:        May, 20 2002
> Product URL:            http://www.courier-mta.org
> SECURITY.NNOV URL:      http://www.security.nnov.ru
> Advanced info:          http://www.security.nnov.ru/search/news.asp?binid=2055
> 
> Introduction:
> 
> Courier is widely used suite of e-mail services written with security in
> mind.
> 
> Problem:
> 
> A  loop  with  unchecked  iteration counter controlled by user input may
> cause  courier  to  freeze  for  over  the minute with 100% CPU usage on
> single command or message.
> 
> Details:
> 
> rfc822_parsedt.c:
> 
>         unsigned day=0, mon=0, year;
>         ...
>         unsigned y;
>         ...
>         if (year < 1970)        return (0);
>         ...
>         for (y=1970; y<year; y++) ...
> 
> year may be any unsigned integer.
> 
> 
> Vendor:
> 
>  Sam  Varshavchik  <mrsam@courier-mta.com>  was  contacted  on  May, 20.
>  Problem was patched in CVS version on the same day.
>   
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
> 
> Bonus on imap-uw:
> 
> Imap-uw allows user to access any file he could access locally. It's not
> a  bug  it's  insecurity  by design (it was not created with security in
> mind  ;-). According FAQ from vendor's web site (it's not mentioned in a
> FAQ inside program distribution):
> 
> -=-=-=-=-=-=-
> 
> 5.1  I  see  that the IMAP server allows access to arbitary files on the
> system, including /etc/passwd! How do I disable this?

This issue with uw-imapd has been known about for years and years and 
years.  I brought this up about two years ago and I noticed others had 
as well.  Changing one if statement in a source file fixes the behaviour 
and yes it is a FEATURE not a BUG.  I don't recall the exact location or 
if statement to change but looking through uw-imapd archives is how I 
found it out a couple years ago, and I recommend you do the same.

-Stan

Next message: jj ss: "active x controls that can access the hard disk"
Previous message: T0aD: "Re: BUG in ftp client on *BSD and Solaris system?"
In reply to: 3APA3A: "SECURITY.NNOV: Courier CPU exhaustion + bonus on imap-uw"
Next in thread: 3APA3A: "SECURITY.NNOV: Courier CPU exhaustion + bonus on imap-uw"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Sat Jun 01 2002 - 16:37:12 PDT