
Bug 21268

Summary: imap clients
Product: Gentoo Security
Reporter: Daniel Ahlberg (RETIRED) <aliz>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED INVALID
Severity: critical
CC: net-mail+disabled
Priority: Highest
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---

Description Daniel Ahlberg (RETIRED) gentoo-dev 2003-05-19 14:31:26 UTC
Buffer overflows in multiple IMAP clients

From: Timo Sirainen <tss@iki.fi>
To: bugtraq@securityfocus.com
Date: Wednesday 20.49.20

There are two common vulnerabilities in IMAP clients written in C and C++:

1. Handling huge literal sizes. Many clients do malloc(literal_size+1) and
then read the literal into it. The problem is that if literal_size is
UINT_MAX-1, the +1 overflows it into malloc(0), but the server is still allowed
to write UINT_MAX-1 bytes of data there. There may also be similar
problems if the literal size is read into a signed integer, which causes it to
become negative. Some clients use atoi(), so giving -1 as the literal size is
equivalent to giving UINT_MAX-1.

IMAP servers can also be vulnerable to this one if they're not careful.

2. Handling huge mailbox sizes (i.e. a huge value in an EXISTS reply). Many
clients do malloc(messages_count * sizeof(struct message)) and read data
into it.
 
 
Exploiting 
---------- 
 
Exploiting these requires that the client connects to a malicious IMAP server.
Some social engineering (e.g. anonymous IMAP access for mailing lists,
announcing "free" IMAP servers, etc.) or man-in-the-middle techniques
should do it.
 
Using SSL/TLS could prevent MitM, but STARTTLS might not be enough since 
client could have already parsed malicious data before beginning the TLS 
negotiation. 
 
UW-imapd can also act as an IMAP client, allowing a user to connect to a specified
server. It is disabled for anonymous users, but allowed for everyone else
(even with closedBox, blackBox or restrictBox enabled). So exploiting it
could give you access to the system as the logged-in user.
 
 
Vulnerable clients
------------------
 
crash: Just crashes because it tries to memcpy() >2GB of data 
limited: Values that can be written past buffer are limited 
full: Anything can be written past buffer 
 
          |   1     |     2      | 
--------------------------------------------------------------------- 
c-client  | crash   | full       | Pine, UW-imapd 
Evolution | full    | -          | 
kmail     | -       | -          | Nothing obvious at least 
Mozilla   | full    | - (1)      | 
mutt      | -       | limited(2) | Balsa also includes mutt's IMAP code 
Sylpheed  | crash   | -          | 
OE6       | crash(3)| -          | 
Eudora    | full    | -          | "..0x41414141 .. could not be written" 
 
1) *Maybe* with 64-bit systems after you have already sent about 1 billion
messages to Mozilla.
 
2) Allows writing pointers to malloc()ed data. Maybe also sequentially 
growing numbers from 1. I couldn't think of a way to exploit these with 
GLIBC. 
 
3) Gives quite random behaviour. It seems to be crashing when trying to 
copy 4GB of data, but the addresses are always different and sometimes it's 
actually trying to read/write data at address sent by client. Anyway, 
Microsoft said it was only DoS, and it does seem so. 
 
 
Vulnerable versions 
------------------- 
 
imap-2002b and Pine 4.53 are vulnerable. imap-2002c is fixed. 
 
Evolution 1.2.4 is vulnerable. 1.3.2 (beta) is fixed. 
 
Mozilla 1.3 and 1.4a are vulnerable. 1.3.1 and 1.4b fixed (1).
 
mutt 1.4.1 and Balsa 2.0.10 are "vulnerable". Doesn't look exploitable, 
don't worry too much about it. 
 
Sylpheed 0.8.11 (including -claws) is "vulnerable". Just a crash, don't 
worry about it. 
 
Outlook Express 6.00.2800.1106 was tested to be "vulnerable". Apparently 
just a crash. Fix is in next OE service pack. 
 
Eudora 5.2.1 is vulnerable. No replies to bug report I sent.
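Both allocation patterns the advisory describes (a literal buffer sized literal_size+1 and a message table sized messages_count * sizeof(struct message)) can be guarded by checking the addition or multiplication against SIZE_MAX before it happens, and by parsing the number without atoi() so a sign or oversized digit string is refused up front. The C below is an added example written for this page, not code from the advisory, from UW-imapd, or from any client in the table; the size caps, the struct message layout, the function names and the server lines in main() are all constructed for the illustration.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not code from the advisory or any client it names.
 * Caps on what this hypothetical client will buffer; constructed values. */
#define MAX_LITERAL_SIZE  ((size_t)64 * 1024 * 1024)   /* 64 MiB per literal */
#define MAX_MESSAGE_COUNT ((size_t)10 * 1000 * 1000)   /* 10 M messages per mailbox */

/* Hypothetical per-message record standing in for the advisory's struct message. */
struct message {
    uint32_t uid;
    uint32_t flags;
    char *subject;
};

/* Parse the N in an IMAP literal "{N}" without atoi().
 * Rejects a sign (so "-1" cannot turn into a huge unsigned value), non-digits,
 * an empty number, values that overflow the parser, and values above the cap.
 * Returns 0 on success and stores N in *out; -1 on any failure. */
int parse_literal_size(const char *s, size_t *out)
{
    char *end;
    unsigned long long n;

    if (*s == '{')
        s++;
    /* strtoull() skips whitespace and accepts a leading '-' or '+', so insist
     * on a digit ourselves before calling it. */
    if (!isdigit((unsigned char)*s))
        return -1;
    errno = 0;
    n = strtoull(s, &end, 10);
    if (errno == ERANGE)            /* did not fit in unsigned long long */
        return -1;
    if (*end != '}')                /* junk after the digits, or no closing brace */
        return -1;
    if (n > MAX_LITERAL_SIZE)       /* bigger than this client will buffer */
        return -1;
    *out = (size_t)n;
    return 0;
}

/* Allocate room for a literal plus a terminating NUL. The first check is
 * what stops literal_size + 1 from wrapping to a tiny allocation. */
char *alloc_literal_buffer(size_t literal_size)
{
    if (literal_size > SIZE_MAX - 1)
        return NULL;
    if (literal_size > MAX_LITERAL_SIZE)
        return NULL;
    return malloc(literal_size + 1);
}

/* Allocate the message table announced by "* N EXISTS". Checks the
 * multiplication against SIZE_MAX so count * sizeof cannot wrap, then
 * applies the cap and lets calloc() do the (now safe) multiply. */
struct message *alloc_message_table(size_t count)
{
    if (count > SIZE_MAX / sizeof(struct message))
        return NULL;
    if (count > MAX_MESSAGE_COUNT)
        return NULL;
    return calloc(count, sizeof(struct message));
}

/* Copy a literal's body out of an already-received server buffer, refusing
 * to read past what was actually received or to write past the destination. */
int copy_literal(const char *recv_buf, size_t recv_len,
                 size_t literal_size, char *dst, size_t dst_len)
{
    if (literal_size > recv_len || literal_size >= dst_len)
        return -1;
    memcpy(dst, recv_buf, literal_size);
    dst[literal_size] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed server lines; the last three are the shapes the advisory warns about. */
    const char *lines[] = { "{12}", "{-1}", "{4294967294}", "{18446744073709551616}" };
    size_t n;
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        if (parse_literal_size(lines[i], &n) == 0)
            printf("%-24s accepted, literal size %zu\n", lines[i], n);
        else
            printf("%-24s rejected\n", lines[i]);
    }
    return 0;
}
```

The parse step runs before any allocation, so a hostile size is refused before the client commits memory; that ordering is also what the advisory's STARTTLS remark points at, since anything parsed before the TLS negotiation must already be treated as untrusted. The caps are a design choice: a client that refuses a 4 GB literal early fails cleanly instead of depending on malloc() failing or on the server honouring the size it announced.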
Comment 1 Robin Johnson (archtester, Gentoo Infrastructure, gentoo-dev, Security) 2004-01-05 15:44:23 UTC
There is newer stable stuff in portage already (for a long time) available for all packages that we have and that are noted as broken in this. As such, this is invalid (mainly because it's out of date).