Bugtraq mailing list archives
Re: response to the bugtraq report of buffer overruns in imapd LIST command
From: kris () FREEBSD ORG (Kris Kennaway)
Date: Mon, 17 Apr 2000 18:30:24 -0700
On Mon, 17 Apr 2000, Mark Crispin wrote:
> As was indicated, all privileges are dropped at that point. There is nothing that can be done by crashing imapd this way that can not also be done (much easier) by logging in to the UNIX shell.

This does not seem to be enough: many people run mail systems which don't provide shell access to their mail users - it's a reasonable expectation that they won't be able to get shell access to any account by exploiting vulnerabilities in the imap daemon. On the other hand, if you're not convinced this is a safe assumption given the state of the imapd code then you should state so clearly to your users in the product documentation so they know the risk and can make appropriate choices regarding the suitability of the product before installation. In the meantime, I will be adding a warning stating the above to the FreeBSD port of imap-uw so that at least our users know the risks.

> If you have a "closed" system (which is the only type of system where this bug matters), a much better solution is to insert the following instruction in routine pw_login() in env_unix.c:
>
>   if (chroot (home ? home : ANONYMOUSHOME)) chroot ("/tmp");

This is not enough: it still allows users to obtain shell-level access to the machine when they otherwise may not have. It may also be possible to break out of the chroot jail on some platforms.

> Another important measure is to use StackGuard. I am very surprised at the implication that RedHat doesn't use StackGuard. Is that really true?

StackGuard doesn't run on non-Linux systems - it's not a solution for the rest of us: the code needs to be audited thoroughly at the source. At the very least you could make a pass over it with something like ITS and replace the potentially dangerous string functions with their bounds-checked alternatives.

Kris

----
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe <forsythe () alum mit edu>
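The kind of replacement the last paragraph asks for, as an added example that is not code from this thread or from imap-uw: an unchecked strcpy() of a client-supplied mailbox name into a fixed buffer, beside a bounds-checked copy that rejects names that do not fit, plus the strncpy() terminator trap an auditor has to watch for. The buffer size NAMEBUF and the function names are assumptions for illustration.

```c
/* Added example, not imap-uw code. NAMEBUF is a hypothetical fixed-size
 * buffer such as a LIST handler might use for a mailbox name. */
#include <stdio.h>
#include <string.h>

#define NAMEBUF 32

/* The pattern an audit looks for: strcpy() of client-controlled input
 * into a fixed buffer with no length check. A name of NAMEBUF bytes or
 * more writes past the end of dst. Only called below on a short name. */
static void copy_name_unchecked(char dst[NAMEBUF], const char *src)
{
    strcpy(dst, src);
}

/* Bounds-checked replacement. Returns 0 with a NUL-terminated copy when
 * src fits, or -1 with dst set to "" when it does not. Rejecting instead
 * of silently truncating keeps a cut-off name from being interpreted as
 * some other mailbox. */
static int copy_name_checked(char dst[NAMEBUF], const char *src)
{
    size_t n = strlen(src);
    if (n >= NAMEBUF) {          /* need one byte for the terminator */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);     /* copies the terminator too */
    return 0;
}

/* strncpy(), the usual "quick fix", is itself a trap: when src is NAMEBUF
 * bytes or longer it fills dst without a terminator. Returns 1 if dst is
 * terminated after the call, 0 if not. */
static int strncpy_terminated(char dst[NAMEBUF], const char *src)
{
    strncpy(dst, src, NAMEBUF);
    return memchr(dst, '\0', NAMEBUF) != NULL;
}

int main(void)
{
    char buf[NAMEBUF];
    char longname[NAMEBUF + 8];           /* constructed overlong input */

    memset(longname, 'a', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';

    copy_name_unchecked(buf, "INBOX");    /* safe only because input is short */
    printf("unchecked copy: %s\n", buf);

    printf("checked INBOX    -> %d (%s)\n", copy_name_checked(buf, "INBOX"), buf);
    printf("checked overlong -> %d (\"%s\")\n", copy_name_checked(buf, longname), buf);
    printf("strncpy overlong terminated? %d\n", strncpy_terminated(buf, longname));
    return 0;
}
```

Running it shows the checked copy returning -1 and an empty buffer for the overlong name, and strncpy() leaving the buffer unterminated for the same input, which is why a mechanical strcpy-to-strncpy substitution is not an audit.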