Bugtraq mailing list archives
Re: imapd4r1 v12.264
From: s.carstens () GMX DE (Sven Carstens)
Date: Mon, 17 Apr 2000 15:04:41 +0200
On Sun, 16 Apr 2000, Michal Zalewski <lcamtuf () DIONE IDS PL> wrote:
Newest RH: * OK nimue IMAP4rev1 v12.264 server ready
This is the imap-4.7 package from the University of Washington.
1 login lcamtuf test
1 OK LOGIN completed
1 list "" AAAAAAAAAAAAAAAAAAAAAAAAAAA...[yes, a lot of 'A's ;]
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
To segfault, the number of A's has to be in the range 1023 < #A < 8180. If the command line including CR/LF is longer than 8192 an error message is displayed.

The segfaults are in the nntp, mh, news and dummy driver. In all modules the subroutine <name>_canonicalize will happily strcpy and strcat the user supplied arguments to fixed size buffers with normally MAILTMPLEN = 1024 bytes.

Quick work around:
- remove these modules (if you don't require them) from the linkage list

To do this, change imapd.c around line 247: remove this line:

#include "linkage.c"

and manually add the drivers and authenticators you need:

mail_link (&mboxdriver);       /* link in the mbox driver */
mail_link (&imapdriver);       /* link in the imap driver */
/* mail_link (&nntpdriver);    /* link in the nntp driver */
mail_link (&pop3driver);       /* link in the pop3 driver */
/* mail_link (&mhdriver);      /* link in the mh driver */
mail_link (&mxdriver);         /* link in the mx driver */
mail_link (&mbxdriver);        /* link in the mbx driver */
mail_link (&tenexdriver);      /* link in the tenex driver */
mail_link (&mtxdriver);        /* link in the mtx driver */
mail_link (&mmdfdriver);       /* link in the mmdf driver */
mail_link (&unixdriver);       /* link in the unix driver */
/* mail_link (&newsdriver);    /* link in the news driver */
mail_link (&philedriver);      /* link in the phile driver */
/* mail_link (&dummydriver);   /* link in the dummy driver */
auth_link (&auth_md5);         /* link in the md5 authenticator */
auth_link (&auth_log);         /* link in the log authenticator */

This list is taken from my default install. You might have extra authenticators in your configuration. See the file imap-4.7/c-client/linkage.c for the drivers of your choice. It might also be wise to remove all unneeded drivers from the list to gain speed/security.

There are sure as hell a lot more careless strcpy's inside this code.

BTW: Looking for another library for mail folder access!
*sigh* Privileges seem to be dropped, but, anyway, it's a nice way to get shell access to a mail account, maybe grab some data from memory etc. I believe both imap and ipopd packages need a code security audit.
The security audit is really needed for all of the drivers in the c-client. (Anyone cares for a Y2K bug in this?)

CU Sven
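As an added illustration (not code from the thread or from c-client), the following simplified model shows the bounded check a `<name>_canonicalize` routine would need in place of the unchecked strcpy/strcat into a MAILTMPLEN-sized buffer: the joined reference and pattern are measured first and refused when they would not fit. The function names `safe_canonicalize`, `list_args_fit` and `probe_with_As` are assumptions for this example; with an empty reference the cut-off falls exactly at 1023 'A's, matching the threshold quoted in the post.

```c
#include <assert.h>
#include <stdlib.h>
#include <string.h>

#define MAILTMPLEN 1024   /* the fixed temporary buffer size named in the post */

/* Bounded stand-in for the "<name>_canonicalize" strcpy/strcat pattern
 * (simplified model, not c-client's own code): build "<reference><pattern>"
 * into a caller-supplied buffer of buflen bytes, refusing input that would
 * not fit.  Returns 1 on success, 0 (and an empty string in buf) on overflow. */
int safe_canonicalize(char *buf, size_t buflen, const char *ref, const char *pat)
{
    size_t rlen = strlen(ref), plen = strlen(pat);

    /* compare stepwise so rlen + plen + 1 can never wrap around */
    if (rlen >= buflen || plen >= buflen - rlen) {
        buf[0] = '\0';
        return 0;
    }
    memcpy(buf, ref, rlen);
    memcpy(buf + rlen, pat, plen + 1);   /* includes the terminating NUL */
    return 1;
}

/* Server-side check: do the LIST arguments fit MAILTMPLEN once joined?
 * A hardened driver applies this before touching any fixed-size buffer. */
int list_args_fit(const char *ref, const char *pat)
{
    char tmp[MAILTMPLEN];
    return safe_canonicalize(tmp, sizeof tmp, ref, pat);
}

/* Constructed input: a LIST with an empty reference and a pattern of n 'A's,
 * the shape quoted in the post.  Returns list_args_fit's verdict, -1 on OOM. */
int probe_with_As(size_t n)
{
    char *pat = malloc(n + 1);
    int ok;
    if (!pat) return -1;
    memset(pat, 'A', n);
    pat[n] = '\0';
    ok = list_args_fit("", pat);
    free(pat);
    return ok;
}

int main(void)
{
    assert(probe_with_As(1023) == 1);   /* longest pattern that still fits */
    assert(probe_with_As(1024) == 0);   /* first length that is refused */
    assert(probe_with_As(8180) == 0);
    return 0;
}
```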
Current thread:
- imapd4r1 v12.264 Michal Zalewski (Apr 16)
- Re: imapd4r1 v12.264 Tibor Pittich (Apr 17)
- Re: imapd4r1 v12.264 Sven Carstens (Apr 17)