Cyrus IMAP pop3d popsubfolders buffer overflow

2008-10-30T00:00:00
ID SAINT:46DA396CAC625DBF892B514437F4C3DF
Type saint
Reporter SAINT Corporation
Modified 2008-10-30T00:00:00

Description

Added: 10/30/2008
CVE: CVE-2006-2502
BID: 18056
OSVDB: 25853

Background

Cyrus IMAP is an open-source IMAP, POP3, and KPOP server. The **popsubfolders** configuration option allows POP3 users to access subfolders by specifying the subfolder name when logging in.

Problem

When the **popsubfolders** configuration option is enabled, a buffer overflow in the **USER** command allows remote attackers to execute arbitrary commands.

Resolution

Upgrade to Cyrus IMAP 2.3.4 or higher.

References

<http://www.frsirt.com/english/advisories/2006/1891>

Limitations

Exploit works on Cyrus IMAP 2.3.2 on Red Hat Enterprise Linux 4 if POP3 is enabled with the **popsubfolders** configuration setting.

In order for the exploit to succeed, code execution on the stack must be enabled for the **pop3d** executable file.

Platforms

Red Hat