Bugtraq mailing list archives

Re: imapd4r1 v12.264


From: s.carstens () GMX DE (Sven Carstens)
Date: Mon, 17 Apr 2000 15:04:41 +0200


On Sun, 16 Apr 2000, Michal Zalewski <lcamtuf () DIONE IDS PL> wrote:
Newest RH:

* OK nimue IMAP4rev1 v12.264 server ready

This is the imap-4.7 package from the University of Washington.

1 login lcamtuf test
1 OK LOGIN completed
1 list "" AAAAAAAAAAAAAAAAAAAAAAAAAAA...[yes, a lot of 'A's ;] 
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()


To segfault, the number of A's has to be in the range 1023 < #A > 8180.
If the command line including CR/LF is longer than 8192, an error message is
displayed.

The segfaults are in the nntp, mh, news and dummy driver.
In all modules the subroutine <name>_canonicalize will happily strcpy and
strcat the user supplied arguments to fixed size buffers with normally
MAILTMPLEN = 1024 bytes.

Quick workaround:
- remove these modules (if you don't require them) from the linkage list

To do this, change imapd.c around line 247: remove this line:

#include "linkage.c"

and manually add the drivers and authenticators you need:
  mail_link (&mboxdriver);              /* link in the mbox driver */
  mail_link (&imapdriver);              /* link in the imap driver */
/*  mail_link (&nntpdriver);            /* link in the nntp driver */
  mail_link (&pop3driver);              /* link in the pop3 driver */
/*  mail_link (&mhdriver);              /* link in the mh driver */
  mail_link (&mxdriver);                /* link in the mx driver */
  mail_link (&mbxdriver);               /* link in the mbx driver */
  mail_link (&tenexdriver);             /* link in the tenex driver */
  mail_link (&mtxdriver);               /* link in the mtx driver */
  mail_link (&mmdfdriver);              /* link in the mmdf driver */
  mail_link (&unixdriver);              /* link in the unix driver */
/*  mail_link (&newsdriver);            /* link in the news driver */
  mail_link (&philedriver);             /* link in the phile driver */
/*  mail_link (&dummydriver);           /* link in the dummy driver */
  auth_link (&auth_md5);                /* link in the md5 authenticator */
  auth_link (&auth_log);                /* link in the log authenticator */

This list is taken from my default install. You might have extra
authenticators in your configuration. See the file
imap-4.7/c-client/linkage.c
for the drivers of your choice.

It might also be wise to remove all unneeded drivers from the list to gain
speed/security.

There are sure as hell a lot more careless strcpy's inside this code.

BTW: Looking for another library for mail folder access!

*sigh*

Privileges seem to be dropped, but, anyway, it's a nice way to get shell
access to a mail account, maybe grab some data from memory etc. I believe
both imap and ipopd packages need a code security audit.


The security audit is really needed for all of the drivers in the c-client.
(Anyone care for a Y2K bug in this?)

CU Sven
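
The strcpy/strcat-into-MAILTMPLEN pattern described above, next to a length-checked replacement, as an added example that is not c-client's code and not part of this thread; the "#news" prefix, the function shapes and the accepts_a_run helper are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAILTMPLEN 1024   /* c-client's fixed temp-buffer size, as stated in the post */

/* Unsafe pattern the post describes (simplified, not c-client's own code):
 * prefix and user-supplied name are joined with strcpy/strcat into a
 * fixed-size stack buffer with no length check. Shown for contrast only. */
static void canonicalize_unsafe(char *out, const char *prefix, const char *name)
{
    char tmp[MAILTMPLEN];
    strcpy(tmp, prefix);
    strcat(tmp, "/");
    strcat(tmp, name);   /* a name longer than about 1023 bytes overruns tmp */
    strcpy(out, tmp);
}

/* Hardened form: compute the total length first and refuse anything that
 * would not fit in either the temp size or the caller's buffer.
 * Returns 1 on success, 0 on rejection (out is untouched on rejection). */
static int canonicalize_safe(char *out, size_t outlen,
                             const char *prefix, const char *name)
{
    size_t need = strlen(prefix) + 1 + strlen(name) + 1;  /* '/' and NUL */
    if (need > MAILTMPLEN || need > outlen) return 0;
    snprintf(out, outlen, "%s/%s", prefix, name);  /* bounded; cannot truncate here */
    return 1;
}

/* Test driver (constructed input): feed the safe version a name of n 'A's
 * under the "#news" prefix; 1 = accepted, 0 = rejected, -1 = n out of range. */
static int accepts_a_run(size_t n)
{
    static char name[8192];
    char out[MAILTMPLEN];
    if (n >= sizeof name) return -1;
    memset(name, 'A', n);
    name[n] = '\0';
    return canonicalize_safe(out, sizeof out, "#news", name);
}

int main(void)
{
    char out[MAILTMPLEN];
    canonicalize_unsafe(out, "#news", "comp.security");  /* short input: fits either way */
    printf("%s\n", out);
    printf("1017 A's accepted: %d, 1018 A's accepted: %d\n",
           accepts_a_run(1017), accepts_a_run(1018));
    return 0;
}
```

With a 5-byte prefix, the separator and the terminating NUL, 1017 is the longest name that still fits in 1024 bytes; everything past that is refused before any copy happens.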
