Don't know if you all have seen this.
Jim
-----Original Message-----
From: DCT DS ALERTCENTRE
Sent: Monday, August 23, 2004 3:11 AM
To: G UNIX SECURITY NETWORK
Subject: FW: UNIRAS Brief - 446/04 - iDEFENSE Security Advisory 08.18.04 - Courier-IMAP Remote Format String Vulnerability
-----Original Message-----
From: UNIRAS (HM Govt CERT (HD)) [mailto:uniras@niscc.gov.uk]
Sent: Monday, August 23, 2004 6:01 AM
To: uniras@niscc.gov.uk
Cc: interim@lists.niscc.gov.uk
Subject: UNIRAS Brief - 446/04 - iDEFENSE Security Advisory 08.18.04 - Courier-IMAP Remote Format String Vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
--------------------------------------------------------------------------------
UNIRAS (UK Govt CERT) Briefing Notice - 446/04 dated 23.08.04 Time: 11:55
UNIRAS is part of NISCC (National Infrastructure Security
Co-ordination Centre)
--------------------------------------------------------------------------------
UNIRAS material is also available from its website at www.uniras.gov.uk and
information about NISCC is available from www.niscc.gov.uk
--------------------------------------------------------------------------------
Title
=====
iDEFENSE Security Advisory 08.18.04 - Courier-IMAP Remote Format String
Vulnerability
Detail
======
Remote exploitation of a format string vulnerability in Double Precision Inc.'s
Courier-IMAP daemon allows attackers to execute arbitrary code.
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
ESB-2004.0527 -- iDEFENSE Security Advisory 08.18.04
Courier-IMAP Remote Format String Vulnerability
23 August 2004
===========================================================================
Product: Courier-IMAP 2.2.1 and prior
Publisher: iDEFENSE
Operating System: Linux variants
UNIX variants
Impact: Execute Arbitrary Code/Commands
Access: Remote/Unauthenticated
CVE Names: CAN-2004-0777
Comment: Systems running Courier-IMAP 2.2.1 and prior are vulnerable if the
option DEBUG_LOGIN is set to 1 or 2 in the imapd configuration file.
- - --------------------------BEGIN INCLUDED TEXT--------------------
Courier-IMAP Remote Format String Vulnerability
iDEFENSE Security Advisory 08.18.04:
I. BACKGROUND
Courier-IMAP is an IMAP/POP3 mail server popular on sites utilizing
Qmail/Exim/Postfix.
More information is available here:
http://www.courier-mta.org/imap/
II. DESCRIPTION
Remote exploitation of a format string vulnerability in Double Precision Inc.'s
Courier-IMAP daemon allows attackers to execute arbitrary code.
The vulnerability specifically exists within the auth_debug() function defined
in authlib/debug.c:
    #include <ctype.h>
    #include <stdarg.h>
    #include <stdio.h>
    #include <string.h>

    #ifndef DEBUG_MESSAGE_SIZE
    #define DEBUG_MESSAGE_SIZE 1024  // assumed here; the real value comes from the authlib headers
    #endif

    void auth_debug( const char *fmt, va_list ap )
    {
        char buf[DEBUG_MESSAGE_SIZE];
        int i;
        int len;

        // print into buffer to be able to replace control and other
        // unwanted chars.
        vsnprintf( buf, DEBUG_MESSAGE_SIZE, fmt, ap );
        len = strlen( buf );

        // replace nonprintable chars by dot
        for( i=0 ; i<len ; i++ )
            if( !isprint(buf[i]) )
                buf[i] = '.';

        // emit it: buf (which may hold attacker-supplied text) is passed as the format
        fprintf( stderr, buf );   // <- Format String Vulnerability
        fprintf( stderr, "\n" );
    }
The 'buf' variable utilized in the fprintf() call is attacker-controlled and can
contain format string modifiers allowing an attacker to manipulate the stack and
eventually execute arbitrary code.
III. ANALYSIS
Successful exploitation does not require authentication, so any remote attacker
can execute arbitrary code with the privileges of the user that the IMAP daemon
runs as. The vulnerable function auth_debug() is only called if login debugging
is enabled, which requires 'DEBUG_LOGIN' to be set to either '1' or '2' in the
imapd configuration file.
IV. DETECTION
iDEFENSE has confirmed the existence of this vulnerability in Courier-IMAP
v2.2.1. It is reported that all versions of Courier-IMAP from 1.6.0 to 2.2.1
inclusive are vulnerable.
V. WORKAROUND
Disable the login debugging option of Courier-IMAP. This can be accomplished by
setting 'DEBUG_LOGIN' to '0' in the configuration file, usually located at
/usr/lib/courier-imap/etc/imapd.
VI. VENDOR RESPONSE
This issue has been resolved in the latest version of Courier IMAP (v3.0.7).
As well, the default setting of 'DEBUG_LOGIN' is '0'.
VII. CVE INFORMATION
The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CAN-2004-0777 to this issue. This is a candidate for inclusion in the CVE list
(http://cve.mitre.org), which standardizes names for security problems.
VIII. DISCLOSURE TIMELINE
08/10/2004 Initial vendor contact
08/10/2004 iDEFENSE clients notified
08/11/2004 Initial vendor response
08/18/2004 Public disclosure
IX. CREDIT
An anonymous contributor is credited with discovering this vulnerability.
Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp
X. LEGAL NOTICES
Copyright (c) 2004 iDEFENSE, Inc.
Permission is granted for the redistribution of this alert electronically. It
may not be edited in any way without the express written consent of iDEFENSE.
If you wish to reprint the whole or any part of this alert in any other medium
other than electronically, please email customerservice@idefense.com for
permission.
Disclaimer: The information in the advisory is believed to be accurate at the
time of publishing based on currently available information. Use of the
information constitutes acceptance for use in an as is condition. There are
no warranties with regard to this information. Neither the author nor the
publisher accepts any liability for any direct, indirect, or consequential
loss or damage arising from use of, or reliance on, this information.
- - --------------------------END INCLUDED TEXT--------------------
- -----END PGP SIGNATURE-----
--------------------------------------------------------------------------------
For additional information or assistance, please contact the HELP Desk by
telephone, or Not Protectively Marked information may be sent via
EMail to: uniras@niscc.gov.uk
Office Hours:
Mon - Fri: 08:30 - 17:00 Hrs
Tel: +44 (0) 870 487 0748 Ext 4511
Fax: +44 (0) 870 487 0749
Outside of Office Hours:
On Call Duty Officer:
Tel: +44 (0) 870 487 0748 and follow the prompts
--------------------------------------------------------------------------------
UNIRAS wishes to acknowledge the contributions of iDEFENSE for the information
contained in this Briefing.
--------------------------------------------------------------------------------
This Briefing contains the information released by the original author. Some
of the information may have changed since it was released. If the vulnerability
affects you, it may be prudent to retrieve the advisory from the canonical site
to ensure that you receive the most current information concerning that
problem.
Reference to any specific commercial product, process, or service by trade
name, trademark, manufacturer, or otherwise, does not constitute or imply
its endorsement, recommendation, or favouring by UNIRAS or NISCC. The views
and opinions of authors expressed within this notice shall not be used for
advertising or product endorsement purposes.
Neither UNIRAS nor NISCC shall accept responsibility for any errors
or omissions contained within this briefing notice. In particular, they shall
not be liable for any loss or damage whatsoever, arising from or in connection
with the usage of information contained within this notice.
UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST)
and has contacts with other international Incident Response Teams (IRTs) in
order to foster cooperation and coordination in incident prevention, to prompt
rapid reaction to incidents, and to promote information sharing amongst its
members and the community at large.
--------------------------------------------------------------------------------
<End of UNIRAS Briefing>
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0
-----END PGP SIGNATURE-----
Received on Mon Aug 23 09:50:58 2004
This archive was generated by hypermail 2.1.8 : Mon Aug 23 2004 - 09:51:01 AKDT