Date: Wed, 26 May 1999 20:37:13 +0100
From: Chris Evans
To: BUGTRAQ@netspace.org
Subject: Remote vulnerability in pop2d

Hi

Firstly, sorry if any details are hazy - this is from memory (it's two months since I last looked at this).

This bug concerns the pop-2 daemon, which is a part of the Washington University imap package. I've been waiting for a CERT advisory, but one doesn't seem to be forthcoming. Two and a half months is a long time. Also, the problem has been fixed for a long time. I'm posting because

a) A fixed full release is available, so people should know about it
b) The flaw is fairly basic and easy to spot, so active exploitation could well be happening

Quick details
=============

Compromise possible: remote users can get a shell as user "nobody"
If: running pop-2d v4.4 or earlier
Fixed version: imap-4.5, available now.

Not vulnerable
==============

RedHat-6.0 isn't vulnerable because imap-4.5 was shipped.

Vulnerable
==========

Anyone who shipped the pop-2 component of imap-4.4 or earlier, including earlier RedHat releases

Details of flaw
===============

pop-2 and pop-3 support the concept of an "anonymous proxy" whereby remote users can connect and open an imap mailbox on _any server they have a valid account on_. An attacker connects to the vulnerable pop-2 port and connects it to an imap server under their control. Once logged on, issuing a "FOLD" command with a long arg will cause an overflow of a stack based buffer. The arg to FOLD must be somewhere around 1000 bytes - not much bigger, not much smaller. Look at the source.

Additional
==========

I think the concept of "anonymous proxy" is just fundamentally insecure. It opens up a large code path for remote users to explore, i.e. the protocol parsing of imap, etc. The author of imap very responsibly includes a compile time flag to disable this in 4.5. Better still, RedHat-6.0 ships with the proxy disabled.
Cheers
Chris

--------------------------------------------------------------------------------

We have received reports that the version of the imap suite in Debian GNU/Linux 2.1 has a vulnerability in its POP-2 daemon, which can be found in the ipopd package. Using this vulnerability it is possible for remote users to get a shell as user "nobody" on the server.

We recommend you upgrade your ipopd package immediately.

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

Debian GNU/Linux 2.1 alias slink
--------------------------------

This version of Debian was released only for Intel, the Motorola 680x0, the alpha and the Sun sparc architecture.

These files will be copied into ftp://ftp.debian.org/debian/dists/stable/*/binary-$arch/ soon.

Please note you can also use apt to always get the latest security updates. To do so add the following line to /etc/apt/sources.list:

deb http://security.debian.org/ stable updates

--
Debian GNU/Linux . Security Managers . security@debian.org debian-security-announce@lists.debian.org
Christian Hudon . Wichert Akkerman . Martin Schulze
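A defender-side check for the FOLD overflow that Chris Evans describes above. This Python script is an added example, not code from the original posts or from the imap package: it scans a POP2 client transcript and flags any FOLD command whose argument exceeds an assumed 256-byte limit (the overflow needs roughly 1000 bytes, so a much lower limit catches it with margin). The command regex, the threshold and the sample transcript are assumptions.

```python
"""Flag oversized POP2 FOLD arguments in a captured client transcript."""
import re

# A POP2 client line is a four-letter command keyword plus an optional argument
# (assumed syntax; adjust the pattern if your capture format differs).
COMMAND_RE = re.compile(r"^(?P<cmd>[A-Za-z]{4})(?:\s+(?P<arg>.*))?$")

# Assumed threshold: a legitimate folder name is far shorter than this.
MAX_FOLD_ARG = 256


def parse_command(line):
    """Split a client line into (COMMAND, argument); None if it is not a command."""
    m = COMMAND_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    return m.group("cmd").upper(), m.group("arg") or ""


def scan_session(lines, max_fold_arg=MAX_FOLD_ARG):
    """Return (line_no, arg_length) for each FOLD whose argument is too long."""
    findings = []
    for no, line in enumerate(lines, start=1):
        parsed = parse_command(line)
        if parsed is None:
            continue
        cmd, arg = parsed
        if cmd == "FOLD" and len(arg) > max_fold_arg:
            findings.append((no, len(arg)))
    return findings


# Constructed sample transcript, not a real capture: a normal login, a normal
# folder selection, then a FOLD with a 1000-byte argument.
SAMPLE_SESSION = [
    "HELO alice secret",
    "FOLD INBOX",
    "FOLD " + "A" * 1000,
    "QUIT",
]

if __name__ == "__main__":
    for no, length in scan_session(SAMPLE_SESSION):
        print(f"line {no}: FOLD argument of {length} bytes exceeds {MAX_FOLD_ARG}")
```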
--------------------------------------------------------------------------------

Date: Thu, 10 Jun 1999 20:33:11 +0200
From: Raymond Dijkxhoorn
To: BUGTRAQ@netspace.org
Subject: imap errata (fwd)

From: Jeff Johnson

This is a security errata for the imap package that corrects a known ipop2d exploit in Red Hat 4.x and Red Hat 5.x. A more complete description of current problems with imap may be found at http://developer.redhat.com/bugzilla by querying the imap component. Bug #3161 is the report of the ipop2d exploit.

Users of Red Hat Linux 4.x and 5.x should upgrade to the new version of imap in order to correct this security problem.

Red Hat Linux 4.x:
------------------

On alpha:
    rpm -Uvh ftp://updates.redhat.com/4.2/alpha/imap-4.5-0.4.2.alpha.rpm
On i386:
    rpm -Uvh ftp://updates.redhat.com/4.2/i386/imap-4.5-0.4.2.i386.rpm
On sparc:
    rpm -Uvh ftp://updates.redhat.com/4.2/sparc/imap-4.5-0.4.2.sparc.rpm

The source is available at ftp://updates.redhat.com/4.2/SRPMS/imap-4.5-0.4.2.src.rpm

Red Hat Linux 5.x:
------------------

On alpha:
    rpm -Uvh ftp://updates.redhat.com/5.2/alpha/imap-4.5-0.5.2.alpha.rpm
On i386:
    rpm -Uvh ftp://updates.redhat.com/5.2/i386/imap-4.5-0.5.2.i386.rpm
On sparc:
    rpm -Uvh ftp://updates.redhat.com/5.2/sparc/imap-4.5-0.5.2.sparc.rpm

The source is available at ftp://updates.redhat.com/5.2/SRPMS/imap-4.5-0.5.2.src.rpm

These packages have all been PGP signed by Red Hat for security.

--
Jeff Johnson ARS N3NPQ jbj@redhat.com (jbj@jbj.org) Chapel Hill, NC