Vulnerability Development: Re: SECURITY.NNOV: Courier CPU exhaustion + bonus on imap-uw

From: Stan Bubrouski <stan_at_ccs.neu.edu>
Date: Sat, 01 Jun 2002 19:12:33 -0400

3APA3A wrote:
> Original version
> http://www.security.nnov.ru/advisories/courier.asp
>
> Title: Courier CPU exhaustion
> Author: ZARAZA <3APA3A_at_security.nnov.ru>
> Date: May, 31 2002
> Affected: courier-0.38.1
> Vendor: Double Precision, Inc.
> Risk: Low to average
> Remote: Yes
> Exploitable: Yes
> Vendor notified: May, 20 2002
> Product URL: http://www.courier-mta.org
> SECURITY.NNOV URL: http://www.security.nnov.ru
> Advanced info: http://www.security.nnov.ru/search/news.asp?binid=2055
>
> Introduction:
>
> Courier is a widely used suite of e-mail services written with security in
> mind.
>
> Problem:
>
> A loop with an unchecked iteration counter controlled by user input may
> cause courier to freeze for over a minute with 100% CPU usage on a
> single command or message.
>
> Details:
>
> rfc822_parsedt.c:
>
> unsigned day=0, mon=0, year;
> ...
> unsigned y;
> ...
> if (year < 1970) return (0);
> ...
> for (y=1970; y<year; y++) ...
>
> year may be any unsigned integer.
>
>
> Vendor:
>
> Sam Varshavchik <mrsam_at_courier-mta.com> was contacted on May, 20.
> Problem was patched in CVS version on the same day.
>
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>
> Bonus on imap-uw:
>
> Imap-uw allows a user to access any file he could access locally. It's not
> a bug, it's insecurity by design (it was not created with security in
> mind ;-). According to the FAQ from the vendor's web site (it's not mentioned
> in the FAQ inside the program distribution):
>
> -=-=-=-=-=-=-
>
> 5.1 I see that the IMAP server allows access to arbitrary files on the
> system, including /etc/passwd! How do I disable this?

This issue with uw-imapd has been known about for years and years and
years. I brought this up about two years ago and I noticed others had
as well. Changing one if statement in a source file fixes the behaviour
and yes it is a FEATURE not a BUG. I don't recall the exact location or
if statement to change but looking through uw-imapd archives is how I
found it out a couple years ago, and I recommend you do the same.

-Stan
Received on Jun 01 2002
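
The loop quoted from rfc822_parsedt.c in the advisory above, shown as an added example that is not part of the original thread and is not Courier's code or its CVS fix: it computes how many iterations the quoted loop performs for a given year and gives a variant that rejects out-of-range years before looping. The function names and the `MAX_YEAR` bound are assumptions of this example.

```c
#include <stdio.h>
#include <limits.h>

/* Hypothetical bounds chosen for this example (not Courier's values). */
#define MIN_YEAR 1970u
#define MAX_YEAR 9999u

static int is_leap(unsigned y)
{
    return (y % 4 == 0 && y % 100 != 0) || y % 400 == 0;
}

/* Iterations that "for (y=1970; y<year; y++)" performs for a given year
   when only the lower bound (year < 1970) is checked. */
unsigned loop_iterations(unsigned year)
{
    return year < MIN_YEAR ? 0 : year - MIN_YEAR;
}

/* Bounded variant: validate the parsed year on both sides before looping.
   Returns 0 and stores the days from 1970-01-01 to <year>-01-01,
   or returns -1 without looping when the year is out of range. */
int days_before_year(unsigned year, unsigned long *days)
{
    unsigned y;
    if (year < MIN_YEAR || year > MAX_YEAR)
        return -1;
    *days = 0;
    for (y = MIN_YEAR; y < year; y++)
        *days += is_leap(y) ? 366 : 365;
    return 0;
}

int main(void)
{
    /* Constructed inputs: an ordinary year and the largest unsigned value. */
    unsigned samples[] = { 2002u, UINT_MAX };
    unsigned long days;
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("year=%u unchecked_iterations=%u ", samples[i],
               loop_iterations(samples[i]));
        if (days_before_year(samples[i], &days) == 0)
            printf("days=%lu\n", days);
        else
            printf("rejected\n");
    }
    return 0;
}
```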
