Date: Wed, 26 May 1999 20:37:13 +0100
From: Chris Evans <chris@FERRET.LMH.OX.AC.UK>
To: BUGTRAQ@netspace.org
Subject: Remote vulnerability in pop2d

Hi

Firstly, sorry if any details are hazy - this is from memory (it's two
months since I last looked at this). This bug concerns the pop-2 daemon,
which is a part of the Washington University imap package.

I've been waiting for a CERT advisory, but one doesn't seem to be
forthcoming. Two and a half months is a long time. Also, the problem has
been fixed for a long time. I'm posting because

a) A fixed full release is available, so people should know about it
b) The flaw is fairly basic and easy to spot, so active exploitation could
well be happening

Quick details
=============

Compromise possible:  remote users can get a shell as user "nobody"
If:                   running pop-2d v4.4 or earlier

Fixed version:        imap-4.5, available now.


Not vulnerable
==============
RedHat-6.0 isn't vulnerable because imap-4.5 was shipped.

Vulnerable
==========

Anyone who shipped the pop-2 component of imap-4.4 or earlier, including
earlier RedHat releases


Details of flaw
===============

pop-2 and pop-3 support the concept of an "anonymous proxy" whereby remote
users can connect and open an imap mailbox on _any server they have a
valid account on_. An attacker connects to the vulnerable pop-2 port and
connects it to an imap server under their control. Once logged on, issuing
a "FOLD" command with a long arg will cause an overflow of a stack based
buffer.

The arg to FOLD must be somewhere around 1000 bytes - not much bigger, not
much smaller. Look at the source.

Additional
==========

I think the concept of "anonymous proxy" is just fundamentally insecure.
It opens up a large code path for remote users to explore, i.e. the
protocol parsing of imap, etc.

The author of imap very responsibly includes a compile time flag to
disable this in 4.5.

Better still, RedHat-6.0 ships with the proxy disabled.


Cheers
Chris

--------------------------------------------------------------------------------

-----BEGIN PGP SIGNED MESSAGE-----

We have received reports that the version of the imap suite
in Debian GNU/Linux 2.1 has a vulnerability in its POP-2 daemon,
which can be found in the ipopd package. Using this vulnerability
it is possible for remote users to get a shell as user "nobody"
on the server.

We recommend you upgrade your ipopd package immediately.

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

Debian GNU/Linux 2.1 alias slink
--------------------------------

  This version of Debian was released only for Intel, the Motorola
  680x0, the alpha and the Sun sparc architecture.

  Source archives:
    http://security.debian.org/dists/stable/updates/source/imap_4.5-0slink2.diff.gz
      MD5 checksum: 606f893869069eee68f4c1e31392af29
    http://security.debian.org/dists/stable/updates/source/imap_4.5-0slink2.dsc
      MD5 checksum: 93ed80a3619586ff9f3246003aca2448
    http://security.debian.org/dists/stable/updates/source/imap_4.5.orig.tar.gz
      MD5 checksum: 59afe4be5fcd17c20d241633a4a3d0ac

  Sun Sparc architecture:
    http://security.debian.org/dists/stable/updates/binary-sparc/c-client-dev_4.5-0slink2_sparc.deb
      MD5 checksum: 2de5363a3ea9f27c1aa064c3102567cc
    http://security.debian.org/dists/stable/updates/binary-sparc/imap_4.5-0slink2_sparc.deb
      MD5 checksum: 87638b6ad06094f30ff6d2dddfd10b8b
    http://security.debian.org/dists/stable/updates/binary-sparc/ipopd_4.5-0slink2_sparc.deb
      MD5 checksum: aa6621e2f7e2df751489c397e9e169a8

  Intel ia32 architecture:
    http://security.debian.org/dists/stable/updates/binary-i386/c-client-dev_4.5-0slink2_i386.deb
      MD5 checksum: fd92656c7281a4d8322b6da1285475cd
    http://security.debian.org/dists/stable/updates/binary-i386/imap_4.5-0slink2_i386.deb
      MD5 checksum: c92eaece7e431c84708909362afad07d
    http://security.debian.org/dists/stable/updates/binary-i386/ipopd_4.5-0slink2_i386.deb
      MD5 checksum: 29685847b0eef8307383a428b1d02be2

  Motorola 680x0 architecture:
    http://security.debian.org/dists/stable/updates/binary-m68k/c-client-dev_4.5-0slink2_m68k.deb
      MD5 checksum: eeab449299e9f2d3fc97db69110b4432
    http://security.debian.org/dists/stable/updates/binary-m68k/imap_4.5-0slink2_m68k.deb
      MD5 checksum: 4bd0fbaa392b6013f6caa33b04578764
    http://security.debian.org/dists/stable/updates/binary-m68k/ipopd_4.5-0slink2_m68k.deb
      MD5 checksum: d43f502971afc531923903f3ac7b5b3f

  Alpha architecture:
    http://security.debian.org/dists/stable/updates/binary-alpha/c-client-dev_4.5-0slink2_alpha.deb
      MD5 checksum: 6732ae9495ee29590ed85cc482fbda97
    http://security.debian.org/dists/stable/updates/binary-alpha/imap_4.5-0slink2_alpha.deb
      MD5 checksum: d0ee05b972d5d1bc1d066e2bae4d8c8b
    http://security.debian.org/dists/stable/updates/binary-alpha/ipopd_4.5-0slink2_alpha.deb
      MD5 checksum: 89c3931092537d0eb23fb50fa57f1bb0


  These files will be copied into
  ftp://ftp.debian.org/debian/dists/stable/*/binary-$arch/ soon.

Please note you can also use apt to always get the latest security
updates. To do so add the following line to /etc/apt/sources.list:

  deb http://security.debian.org/ stable updates


--
Debian GNU/Linux      .    Security Managers     .   security@debian.org
              debian-security-announce@lists.debian.org
  Christian Hudon     .     Wichert Akkerman     .     Martin Schulze
<chrish@debian.org>   .   <wakkerma@debian.org>  .   <joey@debian.org>

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQB1AwUBN1sKgajZR/ntlUftAQGqlgL/d+dzjkxSf0bVDuFmWmeMgH9UxhpJXAwV
0EAtFEY7oRyNpiRLHojnJ48sPviIetVsojHsz9w4uh787skIUJYdFTJN+/O+kxLq
TeF2k+ESbtLJav5QCnVrR7CfiIhYMLgx
=Z3ew
-----END PGP SIGNATURE-----
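The two messages above give an affected-version rule (pop-2d from imap 4.4 or earlier is vulnerable, 4.5 is fixed) and a bare "wget url; dpkg -i file.deb" upgrade procedure with published MD5 checksums. The following helper is an added example, not code from Chris Evans, Debian or Red Hat: it turns the version rule into a check a sysadmin can run against `dpkg -s ipopd` output, and wraps the fetch-and-install step so that a package whose MD5 does not match the advisory is never handed to dpkg. It assumes a POSIX sh with GNU coreutils `md5sum`, plus `wget` and `dpkg` on PATH; the function names are my own, and the usage comment reuses the advisory's own i386 URL and checksum.

```shell
#!/bin/sh
# Added example for the pop2d advisories above (not the authors' or the
# distributions' own code). Assumes POSIX sh, GNU md5sum, wget, dpkg.

# is_vulnerable VERSION
# Returns 0 (true) when the upstream imap version is 4.4 or earlier,
# 1 otherwise. Accepts Debian-style strings such as "4.5-0slink2" by
# keeping only the leading digits of the major and minor components.
is_vulnerable() {
    ver="$1"
    major="${ver%%.*}"
    major="${major%%[!0-9]*}"
    case "$ver" in
        *.*) rest="${ver#*.}" ;;
        *)   rest="0" ;;
    esac
    minor="${rest%%.*}"
    minor="${minor%%[!0-9]*}"
    [ -n "$major" ] || return 1
    [ -n "$minor" ] || minor=0
    if [ "$major" -lt 4 ]; then
        return 0
    fi
    if [ "$major" -eq 4 ] && [ "$minor" -lt 5 ]; then
        return 0
    fi
    return 1
}

# verify_md5 FILE EXPECTED_HEX
# Returns 0 when the file's MD5 digest equals the value published in the
# advisory, 1 when the file is missing or the digest differs.
verify_md5() {
    file="$1"
    expected="$2"
    [ -f "$file" ] || return 1
    actual=$(md5sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# install_if_verified URL EXPECTED_HEX
# Fetches the package as the advisory says ("wget url"), refuses to
# install on a checksum mismatch, and otherwise runs "dpkg -i file.deb".
# Needs network access and root, so it is not exercised offline.
install_if_verified() {
    url="$1"
    expected="$2"
    file="${url##*/}"
    wget -q "$url" || { echo "download failed: $url" >&2; return 1; }
    if verify_md5 "$file" "$expected"; then
        dpkg -i "$file"
    else
        echo "MD5 mismatch for $file, refusing to install" >&2
        return 1
    fi
}

# Usage, with the URL and checksum from the advisory's i386 list:
#   ver=$(dpkg -s ipopd 2>/dev/null | sed -n 's/^Version: //p')
#   if is_vulnerable "$ver"; then
#     install_if_verified \
#       http://security.debian.org/dists/stable/updates/binary-i386/ipopd_4.5-0slink2_i386.deb \
#       29685847b0eef8307383a428b1d02be2
#   fi
```

The checksum comparison only guards against a corrupted or substituted download; it is worth exactly as much as the advisory carrying the checksums, which is why the Debian message itself is PGP signed and the Red Hat packages are PGP signed. For the Red Hat RPMs the equivalent step before `rpm -Uvh` is `rpm --checksig` on the downloaded file.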



--------------------------------------------------------------------------------

Date: Thu, 10 Jun 1999 20:33:11 +0200
From: Raymond Dijkxhoorn <raymond@THRIJSWIJK.NL>
To: BUGTRAQ@netspace.org
Subject: imap errata (fwd)

From: Jeff Johnson <jbj@redhat.com>

This is a security errata for the imap package that corrects a known
ipop2d exploit in Red Hat 4.x and Red Hat 5.x.

A more complete description of current problems with imap may be found at
        http://developer.redhat.com/bugzilla
by querying the imap component. Bug #3161 is the report of ipop2d exploit.

Users of Red Hat Linux 4.x and 5.x should upgrade to the new version of imap
in order to correct this security problem.

Red Hat Linux 4.x:
------------------
On alpha:
        rpm -Uvh ftp://updates.redhat.com/4.2/alpha/imap-4.5-0.4.2.alpha.rpm
On i386:
        rpm -Uvh ftp://updates.redhat.com/4.2/i386/imap-4.5-0.4.2.i386.rpm
On sparc:
        rpm -Uvh ftp://updates.redhat.com/4.2/sparc/imap-4.5-0.4.2.sparc.rpm
The source is available at
        ftp://updates.redhat.com/4.2/SRPMS/imap-4.5-0.4.2.src.rpm

Red Hat Linux 5.x:
------------------
On alpha:
        rpm -Uvh ftp://updates.redhat.com/5.2/alpha/imap-4.5-0.5.2.alpha.rpm
On i386:
        rpm -Uvh ftp://updates.redhat.com/5.2/i386/imap-4.5-0.5.2.i386.rpm
On sparc:
        rpm -Uvh ftp://updates.redhat.com/5.2/sparc/imap-4.5-0.5.2.sparc.rpm
The source is available at
        ftp://updates.redhat.com/5.2/SRPMS/imap-4.5-0.5.2.src.rpm

These packages have all been PGP signed by Red Hat for security.
--
Jeff Johnson    ARS N3NPQ
jbj@redhat.com (jbj@jbj.org)
Chapel Hill, NC


