Bugtraq mailing list archives
response to the bugtraq report of buffer overruns in imapd LIST command
From: MRC () CAC WASHINGTON EDU (Mark Crispin)
Date: Mon, 17 Apr 2000 14:17:53 -0700
The recent BUGTRAQ report about a way to cause the LIST command to get a buffer overflow was just forwarded to me. As was indicated, all privileges are dropped at that point. There is nothing that can be done by crashing imapd this way that can not also be done (much easier) by logging in to the UNIX shell. I strongly recommend *against* removing the dummy driver. That driver supports the LIST command (hence the IMAP client's ability to view folders) for all of imapd. All imapd security efforts have been focused on eliminating root-level security holes. To the best of my knowledge, this has been done. If you disagree, I would like very much to see the evidence. There has not been an equivalent effort to eliminate all possible ways to induce imapd or the c-client library to crash when it is in a non-root state. I am not certain that the results would be worth the effort, particularly since there are alternatives, either one of which is sufficient to neutralize the problem: If you have a "closed" system (which is the only type of system where this bug matters), a much better solution is to insert the following instruction in routine pw_login() in env_unix.c: if (chroot (home ? home : ANONYMOUSHOME)) chroot ("/tmp"); I will support a build-time configuration option to do this in imap-2000. Another important measure is to use StackGuard. I am very surprised at the implication that RedHat doesn't use StackGuard. Is that really true?
Current thread:
- XFree86 server overflow, (continued)
- XFree86 server overflow Michal Zalewski (Apr 16)
- XFree86 server overflow - exploit issues Michal Zalewski (Apr 16)
- Reappearance of an old IE security bug Ben Mesander (Apr 16)
- Re: Reappearance of an old IE security bug Vladimir Dubrovin (Apr 17)
- Announcing: Solaris Fingerprint Database (sfpDB) on SunSolve Casper Dik (Apr 17)
- Re: XFree86 server overflow Olaf Kirch (Apr 17)
- Re: XFree86 server overflow Valentin Pavlov (Apr 17)
- Microsoft Security Bulletin (MS00-025) Microsoft Product Security (Apr 17)
- Re: XFree86 server overflow Paweł Sakowski (Apr 17)
- RAZOR Analysis of dvwssr.dll Simple Nomad (Apr 17)
- response to the bugtraq report of buffer overruns in imapd LIST command Mark Crispin (Apr 17)
- Re: response to the bugtraq report of buffer overruns in imapd LIST command Theo de Raadt (Apr 17)
- Re: response to the bugtraq report of buffer overruns in imapd LIST command Mark Crispin (Apr 17)
- Re: response to the bugtraq report of buffer overruns in imapd LIST command R. C. Dowdeswell (Apr 17)
- xfs security issues (fwd) Chris Evans (Apr 17)
- Re: response to the bugtraq report of buffer overruns in imapd LIST command Mark Crispin (Apr 17)
- RUS-CERT Advisory 200004-01: GNU Emacs 20 RUS-CERT, University of Stuttgart (Apr 18)
- More vulnerabilities in FP Narrow (Apr 18)
- Re: More vulnerabilities in FP The Cyberiad (Apr 19)
- Re: More vulnerabilities in FP Ron van Daal (Apr 22)
- XFree86 server overflow Michal Zalewski (Apr 16)
- Re: More vulnerabilities in FP The Cyberiad (Apr 19)