UW-IMAP Mailbox Name Parsing Overflow Vulnerability

Vulnerability ID: 1197650
Vulnerability type: Buffer overflow
Published: 2005-10-04
Updated: 2006-12-15
CVE ID: CVE-2005-2933
CNNVD-ID: CNNVD-200510-081
Platform: N/A
CVSS score: 7.5
|Vulnerability source
https://www.securityfocus.com/bid/15009
https://cxsecurity.com/issue/WLB-2005100008
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200510-081
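|Vulnerability details
UW-IMAP is a free IMAP service for Linux and UNIX systems, bundled with various Linux distributions. UW-IMAP contains a buffer overflow vulnerability caused by insufficient bounds checking of user-supplied values. The mail_valid_net_parse_work() function in src/c-client/mail.c obtains and validates the specified mailbox name from user-supplied data. An error in parsing the mailbox name causes memory to keep being copied after a double-quote character has been parsed, until the next double-quote character is found. An attacker who successfully exploits this vulnerability can execute arbitrary code with the privileges of the IMAP service process.
|Vulnerability EXP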
UW-IMAP Netmailbox Name Parsing Buffer Overflow Vulnerability

iDEFENSE Security Advisory 10.04.05
www.idefense.com/application/poi/display?id=313&type=vulnerabilities
October 4, 2005

I. BACKGROUND

UW-IMAP is a popular free IMAP service for Linux and UNIX systems and 
is distributed with various Linux distributions. More information can 
be found at the vendor website:

http://www.washington.edu/imap/

II. DESCRIPTION

Remote exploitation of a buffer overflow vulnerability in the University
of Washington's IMAP Server (UW-IMAP) allows attackers to execute 
arbitrary code.

The vulnerability specifically exists due to insufficient bounds
checking on user-supplied values. The mail_valid_net_parse_work() 
function in src/c-client/mail.c is responsible for obtaining and 
validating the specified mailbox name from user-supplied data. An error 
in the parsing of supplied mailbox names will continue to copy memory 
after a " character has been parsed until another " character is found 
as shown here:

long mail_valid_net_parse_work (char *name,NETMBX *mb,char *service)
{
  int i,j;
#define MAILTMPLEN 1024        /* size of a temporary buffer */
  char c,*s,*t,*v,tmp[MAILTMPLEN],arg[MAILTMPLEN];
    
   ...snip...
    
  if (t - v) {            /* any switches or port specification? */
    strncpy (t = tmp,v,j);    /* 1] copy it */
    tmp[j] = '\0';
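
The advisory attributes the overflow to a copy that continues after an opening " until another " is found, with insufficient bounds checking on the destination. As an added example (not code from the advisory or from c-client; the function names are hypothetical and the inputs are constructed), the C code below contrasts that pattern with a bounded copy into a MAILTMPLEN-sized buffer that rejects unterminated or oversized quoted arguments:

```c
#include <stddef.h>
#include <string.h>

#define MAILTMPLEN 1024 /* buffer size taken from the excerpt above */

/* The pattern the advisory describes, for contrast only (illustration, not
 * the c-client source): copy until the closing quote, with no limit on dst
 * and no check for the end of the input. Not called anywhere below. */
void copy_quoted_unbounded(const char *src, char *dst)
{
    size_t i = 0;
    while (*src != '"') dst[i++] = *src++;
    dst[i] = '\0';
}

/* Bounded form (hypothetical helper). src points just past the opening
 * quote. Copies up to the closing quote into dst (capacity dstlen) and
 * returns a pointer to the character after that quote, or NULL when the
 * input ends before a closing quote or the argument does not fit. */
const char *copy_quoted_bounded(const char *src, char *dst, size_t dstlen)
{
    size_t i = 0;
    if (dstlen == 0) return NULL;
    for (; *src != '"'; src++) {
        if (*src == '\0') return NULL;    /* unterminated quoted string */
        if (i + 1 >= dstlen) return NULL; /* no room for char plus NUL */
        dst[i++] = *src;
    }
    dst[i] = '\0';
    return src + 1;
}

/* Returns 1 if the quoted argument fits an arg-sized buffer, else 0. */
int accepts(const char *after_open_quote)
{
    char arg[MAILTMPLEN];
    return copy_quoted_bounded(after_open_quote, arg, sizeof arg) != NULL;
}

int main(void)
{
    /* Constructed inputs: one well-formed, one with no closing quote. */
    return (accepts("secret\"/more") && !accepts("no closing quote")) ? 0 : 1;
}
```

A caller should treat a NULL return as a parse failure for the whole mailbox name rather than truncating the argument and continuing.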
|Affected products
University of Washington imap 2004f
University of Washington imap 2004e
University of Washington imap 2004d
University of Washington imap 2004c
University of Washington imap 2004b
|References

Source: US-CERT
Name: VU#933601
Link: http://www.kb.cert.org/vuls/id/933601
Source: www.washington.edu
Link: http://www.washington.edu/imap/
Source: IDEFENSE
Name: 20051004 UW-IMAP Netmailbox Name Parsing Buffer Overflow Vulnerability
Link: http://www.idefense.com/application/poi/display?id=313&type=vulnerabilities&flashstatus=true
Source: SECUNIA
Name: 17062
Link: http://secunia.com/advisories/17062/
Source: FULLDISC
Name: 20051004 iDEFENSE Security Advisory 10.04.05: UW-IMAP Netmailbox Name Parsing Buffer Overflow Vulnerability
Link: http://archives.neohapsis.com/archives/fulldisclosure/2005-10/0081.html
Source: XF
Name: uw-imap-mailbox-name-bo(22518)
Link: http://xforce.iss.net/xforce/xfdb/22518
Source: BID
Name: 15009
Link: http://www.securityfocus.com/bid/15009
Source: FEDORA
Name: FLSA:184098
Link: http://www.securityfocus.com/archive/1/archive/1/430303/100/0/threaded
Source: FEDORA
Name: FLSA:170411
Link: http://www.securityfocus.com/archive/1/archive/1/430296/100/0/threaded
Source: REDHAT
Name: RHSA-2006:0501
Link: http://www.redhat.com/support/errata/RHSA-2006-0501.html
Source: REDHAT
Name: RHSA-2005:850
Link: