Mailing List Archive

Support open source code!

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: IMAP was (Re: tlug: kinput2 and mule)

tlug note from Jim Schweizer <>

On 10-Mar-97 C. Oda wrote:
>tlug note from "C. Oda" <>
>On Sun, 9 Mar 1997, Stephen J. Turnbull wrote:
>turnbull>    Craig> I'm trying a new system of reading mail. 
>turnbull>    Craig> I'm using Pine
>turnbull>    Craig> 3.95 with IMAP4,
>What is IMAP?
>IMAP stands for Internet Message Access Protocol. It is a
>method of accessing electronic mail or bulletin board
>messages that are kept on a (possibly shared) mail server. 

Funny you should mention IMAP. I just got a security advisory
about it:

---begin forwarded message----------------------
                            Secure Networks Inc.

                             Security Advisory
                               March 2, 1997

                     Buffer Overflow in imapd and ipop3d

A vulnerability exists within Mark Crispin's mail server toolkit
that will allow arbitrary individuals to obtain root access to
servers running imapd and ipop3d.  This vulnerability is present
in both the POP3 and IMAP2bis servers included in the PINE
distribution, as well as the IMAP2bis and IMAP4 servers included
in Mr. Crispin's IMAP toolkit.

Technical Details
The vulnerable mail servers call a library routine to affect a
Unix "login", authenticating the user against it's password. A
stack overrun exists in this routine. In essence this will allow
any client with the ability to attempt a login to enter an overly
long username to cause arbitrary machine code to execute.

Both the POP and IMAP servers Mr. Crispin distributes discard
supervisory privileges sometime after this authentication phase.
Unfortunately, the overflow occurs before this happens, and the
vulnerability will thus allow an attacker superuser access.

The problematic routine is server_login(), which is in
"log_xxx.c" in the OS-dependent code tree of the server source
distribution. The problem occurs due to the routine's attempt to
allow a case insensitive match on the username, which it does by
copying the username provided to the routine into an automatic
variable in the routine's stack.

The username buffer is MAILTMPLEN long, which defaults to 1024
bytes.  Unfortunately, the server's input buffer is greater than
this, allowing a remote client to feed the routine a username
greater than 1024 bytes.  If the excess characters in this
username contain a valid virtual memory address, the routine will
overwrite it's stack frame when copying the username, causing the
return from the routine to jump to an unexpected location.

Interestingly, the buffer is converted to lowercase after being
copied.  This provides a slight technical challenge, as the
machine code required to take over the server contains uppercase
characters. However, modifications to the "standard" stack
overrun exploit code to reverse the affects of this lowercasing
were trivial. On i386 4.4BSD, the VM address required to redirect
server_login()'s return need not contain uppercase

The flawed code reads:

long server_login (char *user, char *pass, int argc, char
        char tmp[MAILTMPLEN];
        struct passwd *pw = getpwnam (user);
                /* allow case-independent match */
        if(!pw) pw = getpwnam (lcase (strcpy (tmp, user)));

        <complete server login and return>


Remote individuals, who do not have a valid username and
password for the mail server, can obtain root access to systems
running a vulnerable IMAP or POP server.

Vulnerable Systems

Any system running Mark Crispin's POP or IMAP server, of a
release earlier than 4.1beta is vulnerable.  To determine whether
your system is vulnerable, telnet to ports 109, 110, 143 and 220.
If you see a banner looking like:

* OK IMAP2bis Service 7.8(92) at Mon, 3 Mar 1997
12:00:00-0500 (EST)


* OK IMAP4 v10.00 server ready


+OK POP3 3.0(10) w/IMAP client (Report problems in
this server to at Mon, 3 Mar 1998
12:00:00 -0500

Then your system is vulnerable.  If you see "POP3 3.3" or
"IMAP4rev1" or later, your POP or IMAP server is not vulnerable.

POP servers not derived from Mark Crispin's code, including the
somewhat confusingly named "pop3d" from the University of
California at Davis are not vulnerable to the attack described in
this advisory. 

Similarly, the University of California at Berkeley popper, and
derived POP servers, including the Qualcomm popper, are not
vulnerable to this attack.

Fix Information

As a temporary workaround, you can disable the POP and IMAP
services in /etc/inetd.conf, and then kill and restart inetd.

You can fix the problem in the source yourself, by changing the
server_login() function to read:

        char tmp[MAILTMPLEN];
        struct passwd *pw = getpwnam (user);

        if(!pw) {
                strncpy(tmp, user, MAILTMPLEN - 1);
                pw = getpwnam(lcase(tmp));

Or, as a final option, you can switch to the IMAP 4.1 beta
distribution, which can be found at

Additional Information

If you have any questions about this advisory, feel free to
contact me, by sending mail to  If you wish to
encrypt your messages to me, feel free to use the following PGP
public key.

Version: 2.6.2

Sent by: Jim Schweizer <>
On: 10-Mar-97 at: 18:22:30 JST
Lieberman's Law:
Everybody lies, but it doesn't matter since nobody
a word from the sponsor will appear below
The TLUG mailing list is proudly sponsored by TWICS - Japan's First
Public-Access Internet System.  Now offering 20,000 yen/year flat
rate Internet access with no time charges.  Full line of corporate
Internet and intranet products are available.
Tel: 03-3351-5977   Fax: 03-3353-6096

Home | Main Index | Thread Index

Home Page Mailing List Linux and Japan TLUG Members Links