UW-imapd Netmailbox Name mail_valid_net_parse_work() Function Overflow

2005-10-04T07:10:18
ID OSVDB:19856
Type osvdb
Reporter infamous41md(infamous41md@hotpop.com)
Modified 2005-10-04T07:10:18

Description

Vulnerability Description

A remote overflow exists in UW-imapd. The mail_valid_net_parse_work() function in 'src/c-client/mail.c' fails to properly validate the user-supplied mailbox name resulting in a stack overflow. With a specially crafted request, a remote authenticated attacker can cause arbitrary code execution resulting in a loss of integrity.

Technical Description

Successful exploitation requires valid credentials on the IMAP server.

Solution Description

Upgrade to version imap-2004g or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Short Description

A remote overflow exists in UW-imapd. The mail_valid_net_parse_work() function in 'src/c-client/mail.c' fails to properly validate the user-supplied mailbox name resulting in a stack overflow. With a specially crafted request, a remote authenticated attacker can cause arbitrary code execution resulting in a loss of integrity.

References:

Vendor Specific Advisory URL Vendor Specific Advisory URL Vendor Specific Advisory URL Vendor Specific Advisory URL Vendor Specific Advisory URL Security Tracker: 1015000 Secunia Advisory ID:17062 Secunia Advisory ID:17148 Secunia Advisory ID:19832 Secunia Advisory ID:20222 Secunia Advisory ID:17483 Secunia Advisory ID:17930 Secunia Advisory ID:20210 Secunia Advisory ID:17152 Secunia Advisory ID:17215 Secunia Advisory ID:17288 Secunia Advisory ID:17336 Secunia Advisory ID:18554 Secunia Advisory ID:20951 Secunia Advisory ID:21252 Secunia Advisory ID:17276 Secunia Advisory ID:17928 Secunia Advisory ID:21564 RedHat RHSA: RHSA-2005:848 RedHat RHSA: RHSA-2005:850 RedHat RHSA: RHSA-2006:0276 RedHat RHSA: RHSA-2006:0549 RedHat RHSA: RHSA-2006:0501 Other Advisory URL: http://www.debian.org/security/2005/dsa-861 Other Advisory URL: http://www.trustix.org/errata/2005/0055/ Other Advisory URL: http://slackware.com/security/viewer.php?l=slackware-security&y=2005&m=slackware-security.500161 Other Advisory URL: http://www.idefense.com/application/poi/display?id=313&type=vulnerabilities Other Advisory URL: http://frontal1.mandriva.com/security/advisories?name=MDKSA-2005:194 Other Advisory URL: http://www.gentoo.org/security/en/glsa/glsa-200510-10.xml Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2005-10/0081.html CVE-2005-2933