
pop2d.imap.txt

17 Aug 1999 | Reported by Packet Storm | Type: packetstorm | Source: packetstormsecurity.com

Remote vulnerability in pop-2 daemon allows exploitation via stack overflow in version 4.4 or earlier

Code
`Date: Wed, 26 May 1999 20:37:13 +0100  
From: Chris Evans <[email protected]>  
To: [email protected]  
Subject: Remote vulnerability in pop2d  
  
Hi  
  
Firstly, sorry if any details are hazy - this is from memory (it's two  
months since I last looked at this). This bug concerns the pop-2 daemon,  
which is a part of the Washington University imap package.  
  
I've been waiting for a CERT advisory, but one doesn't seem to be  
forthcoming. Two and a half months is a long time. Also, the problem has  
been fixed for a long time. I'm posting because  
  
a) A fixed full release is available, so people should know about it  
b) The flaw is fairly basic and easy to spot, so active exploitation could  
well be happening  
  
Quick details  
=============  
  
Compromise possible: remote users can get a shell as user "nobody"  
If: running pop-2d v4.4 or earlier  
  
Fixed version: imap-4.5, available now.  
  
  
Not vulnerable  
==============  
RedHat-6.0 isn't vulnerable because imap-4.5 was shipped.  
  
Vulnerable  
==========  
  
Anyone who shipped the pop-2 component of imap-4.4 or earlier, including  
earlier RedHat releases  
  
  
Details of flaw  
===============  
  
pop-2 and pop-3 support the concept of an "anonymous proxy" whereby remote  
users can connect and open an imap mailbox on _any server they have a  
valid account on_. An attacker connects to the vulnerable pop-2 port and  
connects it to an imap server under their control. Once logged on, issuing  
a "FOLD" command with a long arg will cause an overflow of a stack based  
buffer.  
  
The arg to FOLD must be somewhere around 1000 bytes - not much bigger, not  
much smaller. Look at the source.  
  
Additional  
==========  
  
I think the concept of "anonymous proxy" is just fundamentally insecure.  
It opens up a large code path for remote users to explore, i.e. the  
protocol parsing of imap, etc.  
  
The author of imap very responsibly includes a compile time flag to  
disable this in 4.5.  
  
Better still, RedHat-6.0 ships with the proxy disabled.  
  
  
Cheers  
Chris  
  
--------------------------------------------------------------------------------  
  
-----BEGIN PGP SIGNED MESSAGE-----  
  
We have received reports that the version of the imap suite  
in Debian GNU/Linux 2.1 has a vulnerability in its POP-2 daemon,  
which can be found in the ipopd package. Using this vulnerability  
it is possible for remote users to get a shell as user "nobody"  
on the server.  
  
We recommend you upgrade your ipopd package immediately.  
  
wget url  
will fetch the file for you  
dpkg -i file.deb  
will install the referenced file.  
  
Debian GNU/Linux 2.1 alias slink  
- --------------------------------  
  
This version of Debian was released only for Intel, the Motorola  
680x0, the alpha and the Sun sparc architecture.  
  
Source archives:  
http://security.debian.org/dists/stable/updates/source/imap_4.5-0slink2.diff.gz  
MD5 checksum: 606f893869069eee68f4c1e31392af29  
http://security.debian.org/dists/stable/updates/source/imap_4.5-0slink2.dsc  
MD5 checksum: 93ed80a3619586ff9f3246003aca2448  
http://security.debian.org/dists/stable/updates/source/imap_4.5.orig.tar.gz  
MD5 checksum: 59afe4be5fcd17c20d241633a4a3d0ac  
  
Sun Sparc architecture:  
http://security.debian.org/dists/stable/updates/binary-sparc/c-client-dev_4.5-0slink2_sparc.deb  
MD5 checksum: 2de5363a3ea9f27c1aa064c3102567cc  
http://security.debian.org/dists/stable/updates/binary-sparc/imap_4.5-0slink2_sparc.deb  
MD5 checksum: 87638b6ad06094f30ff6d2dddfd10b8b  
http://security.debian.org/dists/stable/updates/binary-sparc/ipopd_4.5-0slink2_sparc.deb  
MD5 checksum: aa6621e2f7e2df751489c397e9e169a8  
  
Intel ia32 architecture:  
http://security.debian.org/dists/stable/updates/binary-i386/c-client-dev_4.5-0slink2_i386.deb  
MD5 checksum: fd92656c7281a4d8322b6da1285475cd  
http://security.debian.org/dists/stable/updates/binary-i386/imap_4.5-0slink2_i386.deb  
MD5 checksum: c92eaece7e431c84708909362afad07d  
http://security.debian.org/dists/stable/updates/binary-i386/ipopd_4.5-0slink2_i386.deb  
MD5 checksum: 29685847b0eef8307383a428b1d02be2  
  
Motorola 680x0 architecture:  
http://security.debian.org/dists/stable/updates/binary-m68k/c-client-dev_4.5-0slink2_m68k.deb  
MD5 checksum: eeab449299e9f2d3fc97db69110b4432  
http://security.debian.org/dists/stable/updates/binary-m68k/imap_4.5-0slink2_m68k.deb  
MD5 checksum: 4bd0fbaa392b6013f6caa33b04578764  
http://security.debian.org/dists/stable/updates/binary-m68k/ipopd_4.5-0slink2_m68k.deb  
MD5 checksum: d43f502971afc531923903f3ac7b5b3f  
  
Alpha architecture:  
http://security.debian.org/dists/stable/updates/binary-alpha/c-client-dev_4.5-0slink2_alpha.deb  
MD5 checksum: 6732ae9495ee29590ed85cc482fbda97  
http://security.debian.org/dists/stable/updates/binary-alpha/imap_4.5-0slink2_alpha.deb  
MD5 checksum: d0ee05b972d5d1bc1d066e2bae4d8c8b  
http://security.debian.org/dists/stable/updates/binary-alpha/ipopd_4.5-0slink2_alpha.deb  
MD5 checksum: 89c3931092537d0eb23fb50fa57f1bb0  
  
  
These files will be copied into  
ftp://ftp.debian.org/debian/dists/stable/*/binary-$arch/ soon.  
  
Please note you can also use apt to always get the latest security  
updates. To do so add the following line to /etc/apt/sources.list:  
  
deb http://security.debian.org/ stable updates  
  
  
- --  
Debian GNU/Linux . Security Managers . [email protected]  
[email protected]  
Christian Hudon . Wichert Akkerman . Martin Schulze  
<[email protected]> . <[email protected]> . <[email protected]>  
  
-----BEGIN PGP SIGNATURE-----  
Version: 2.6.3ia  
Charset: noconv  
  
iQB1AwUBN1sKgajZR/ntlUftAQGqlgL/d+dzjkxSf0bVDuFmWmeMgH9UxhpJXAwV  
0EAtFEY7oRyNpiRLHojnJ48sPviIetVsojHsz9w4uh787skIUJYdFTJN+/O+kxLq  
TeF2k+ESbtLJav5QCnVrR7CfiIhYMLgx  
=Z3ew  
-----END PGP SIGNATURE-----  
  
  
  
--------------------------------------------------------------------------------  
  
Date: Thu, 10 Jun 1999 20:33:11 +0200  
From: Raymond Dijkxhoorn <[email protected]>  
To: [email protected]  
Subject: imap errata (fwd)  
  
>From: Jeff Johnson <[email protected]>  
  
This is a security errata for the imap package that corrects a known  
ipop2d exploit in Red Hat 4.x and Red Hat 5.x.  
  
A more complete description of current problems with imap may be found at  
http://developer.redhat.com/bugzilla  
by querying the imap component. Bug #3161 is the report of ipop2d exploit.  
  
Users of Red Hat Linux 4.x and 5.x should upgrade to the new version of imap  
in order to correct this security problem.  
  
Red Hat Linux 4.x:  
------------------  
On alpha:  
rpm -Uvh ftp://updates.redhat.com/4.2/alpha/imap-4.5-0.4.2.alpha.rpm  
On i386:  
rpm -Uvh ftp://updates.redhat.com/4.2/i386/imap-4.5-0.4.2.i386.rpm  
On sparc:  
rpm -Uvh ftp://updates.redhat.com/4.2/sparc/imap-4.5-0.4.2.sparc.rpm  
The source is available at  
ftp://updates.redhat.com/4.2/SRPMS/imap-4.5-0.4.2.src.rpm  
  
Red Hat Linux 5.x:  
------------------  
On alpha:  
rpm -Uvh ftp://updates.redhat.com/5.2/alpha/imap-4.5-0.5.2.alpha.rpm  
On i386:  
rpm -Uvh ftp://updates.redhat.com/5.2/i386/imap-4.5-0.5.2.i386.rpm  
On sparc:  
rpm -Uvh ftp://updates.redhat.com/5.2/sparc/imap-4.5-0.5.2.sparc.rpm  
The source is available at  
ftp://updates.redhat.com/5.2/SRPMS/imap-4.5-0.5.2.src.rpm  
  
These packages have all been PGP signed by Red Hat for security.  
--  
Jeff Johnson ARS N3NPQ  
[email protected] ([email protected])  
Chapel Hill, NC  
  
  
  
  
`
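
The defensive counterpart of the flaw described in Chris Evans's message above (a long FOLD argument overflowing a stack-based buffer), as an added example that is not part of the original page and is not code from the imap package. The function name, status codes, `MAILBOX_MAX`, the `{host}mailbox` composition and the host `imap.example.test` are assumptions for illustration; the point is that every length is checked before a byte is written and an over-long argument is refused rather than truncated.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAILBOX_MAX 256 /* assumed buffer size; not taken from the imap source */

enum fold_status { FOLD_OK, FOLD_NOT_FOLD, FOLD_EMPTY, FOLD_TOO_LONG };

/* Hypothetical handler: turn a POP2 "FOLD <mailbox>" line into the remote
 * mailbox name "{host}mailbox". All lengths are checked before any byte is
 * written, and an over-long argument is refused rather than truncated. */
enum fold_status build_fold_mailbox(const char *line, const char *host,
                                    char *out, size_t outlen)
{
    static const char kw[] = "FOLD ";
    size_t i, hostlen, arglen;
    const char *arg;

    if (outlen == 0) return FOLD_TOO_LONG;
    out[0] = '\0';
    /* Case-insensitive keyword match; stops at the NUL of a short line. */
    for (i = 0; kw[i] != '\0'; i++)
        if (toupper((unsigned char)line[i]) != kw[i])
            return FOLD_NOT_FOLD;
    arg = line + i;
    while (*arg == ' ') arg++;
    arglen = strcspn(arg, "\r\n"); /* argument ends at the line terminator */
    if (arglen == 0) return FOLD_EMPTY;
    hostlen = strlen(host);
    /* Need '{' + host + '}' + arg + NUL; ordered to avoid size_t wraparound. */
    if (hostlen > outlen - 1 || arglen > outlen - 1 - hostlen ||
        outlen - 1 - hostlen - arglen < 2)
        return FOLD_TOO_LONG;
    out[0] = '{';
    memcpy(out + 1, host, hostlen);
    out[1 + hostlen] = '}';
    memcpy(out + 2 + hostlen, arg, arglen);
    out[2 + hostlen + arglen] = '\0';
    return FOLD_OK;
}

int main(void)
{
    char mbox[MAILBOX_MAX];
    /* Constructed input; "imap.example.test" is a placeholder host. */
    int rc = build_fold_mailbox("FOLD INBOX\r\n", "imap.example.test", mbox, sizeof mbox);
    printf("%d %s\n", rc, mbox);
    return 0;
}
```
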
