Bugzilla – Bug 63201
VUL-0: CVE-2004-1013: cyrus-imapd multiple remote vulnerabilites
Last modified: 2021-10-13 10:22:08 UTC
From: Stefan Esser <sesser@php.net> To: vendor-sec@lst.de Subject: [vendor-sec] Cyrus IMAP Server - Multiple Vulnerabilities [-- Attachment #1 [details] --] [-- Type: text/plain, Encoding: 7bit, Size: 6.0K --] Hello Vendor Sec, attached is my mail to the Cyrus IMAP guys. They meanwhile replied and said that their plan is to release Cyrus IMAP 2.2.9 with the fixes already next week. They want to give me more details about their planned release soon. (So the 24th is no longer the target date) Stefan Esser --- from here my original mail to cyrus imap guys --- Cyrus IMAP Server - multiple remote vulnerabilities --------------------------------------------------- An Audit of the Cyrus IMAP Server from my side revealed 3 remotely exploitable vulnerabilities. While all 3 should be patched within 2.2.8 the one in the middle is not exploitable after 2.2.6 because of another fix in the same area. Please handle this information carefully and contact me back as soon as you have verified the problems. After you have verified their existance I would like to do a coordinated disclosure with vendor-sec of this bug in about 2 weeks. My prefered date is 24th November 2004 : 15:00 CET Please tell me if there are any problems with the date, etc... Greetings, Stefan Esser and here come the bugs... [01 - Cyrus IMAP Server - IMAPMAGICPLUS preauthentification overflow] Affected Versions: 2.2.4 - 2.2.8 Desc: When the option imapmagicplus is activated LOGIN and some other commands do not properly check the length of the supplied username before copying it into a stack buffer. This results in an easy to exploit stack overflow. Code: imap/imapd.c - line 290 ----------------------- static int imapd_canon_user(sasl_conn_t *conn, void *context, const char *user, unsigned ulen, unsigned flags, const char *user_realm, ....) { char userbuf[MAX_MAILBOX_NAME+1], *p; size_t n; int r; if (!ulen) ulen = strlen(user); if (config_getswitch(IMAPOPT_IMAPMAGICPLUS)) { /* make a working copy of the auth[z]id */ memcpy(userbuf, user, ulen); <---- copy without check userbuf[ulen] = '\0'; user = userbuf; imap/imapd.c - line 348 ----------------------- static int imapd_proxy_policy(sasl_conn_t *conn, void *context, const char *requested_user, unsigned rlen, const char *auth_identity, unsigned alen, const char *def_realm, unsigned urlen, struct propctx *propctx) { if (config_getswitch(IMAPOPT_IMAPMAGICPLUS)) { char userbuf[MAX_MAILBOX_NAME+1], *p; size_t n; /* make a working copy of the authzid */ if (!rlen) rlen = strlen(requested_user); memcpy(userbuf, requested_user, rlen); <-- copy without check userbuf[rlen] = '\0'; [02 - Cyrus IMAP Server - PARTIAL out of bounds memory corruption] Affected Versions: <= 2.2.6 (because unexploitable in 2.2.7 + 2.2.8) Desc: In imapd versions prior to 2.2.7 the cmd_partial function did overwrite the closing '[' bracket of a body/body.peek entity. Due to a bug in the parser it is possible that this overwrite takes place outside of the allocated buffer. This is f.e. the case when the parser hits a "body[p" in this case the pointer is moved 10 forward which could lead to bypassing the end of the allocated buffer and could therefore result in remote code execution through a one byte heap control structure memory corruption Code: imap/imapd.c - line 3157 (the wrong one bye write is fixed in 3172) -------------------------------------------------------------------- void cmd_partial(const char *tag, const char *msgno, char *data, const char *start, const char *count) { ... else if (!strncmp(data, "body[", 5) || !strncmp(data, "body.peek[", 10)) { p = section = data + 5; if (*p == 'p') { p = section += 5; <--- here we could leave the buffer } [03 - Cyrus IMAP Server - FETCH out of bounds memory corruption] Affected Versions: <= 2.2.8 Desc: Similiar to the PARTIAL out of bounds memory corruption the parser of the FETCH command may leave the allocated buffer when it hits a "BODY[P", "BINARY[S" or a "BINARY[P". The execution of the PARSE_PARTIAL macro after such an incident can lead to the same one byte memory corruption on the heap that could lead to remote code execution Code: imap/imapd.c - lines 2774, 2777, 2817 ------------------------------------- void cmd_fetch(char *tag, char *sequence, int usinguid) { char *cmd = usinguid ? "UID Fetch" : "Fetch"; static struct buf fetchatt, fieldname; ... case 'B': if (!strncmp(fetchatt.s, "BINARY[", 7) || !strncmp(fetchatt.s, "BINARY.PEEK[", 12) || !strncmp(fetchatt.s, "BINARY.SIZE[", 12)) { int binsize = 0; p = section = fetchatt.s + 7; if (*p == 'P') { p = section += 5; <--- possible break here } else if (*p == 'S') { p = section += 5; <--- another break here binsize = 1; } ... else if (!strncmp(fetchatt.s, "BODY[", 5) || !strncmp(fetchatt.s, "BODY.PEEK[", 10)) { p = section = fetchatt.s + 5; if (*p == 'P') { p = section += 5; <--- and again here } -- -------------------------------------------------------------------------- Stefan Esser s.esser@e-matters.de e-matters Security http://security.e-matters.de/ GPG-Key gpg --keyserver pgp.mit.edu --recv-key 0x15ABDA78 Key fingerprint 7806 58C8 CFA8 CE4A 1C2C 57DD 4AE1 795E 15AB DA78 -------------------------------------------------------------------------- Did I help you? Consider a gift: http://wishlist.suspekt.org/ --------------------------------------------------------------------------
<!-- SBZ_reproduce --> see attachment
Here are some CVE names. Please can you let the Cyrus folks know, with issues that are this serious it's worth trying to get upstream to use the CVE names too. Because of the different affected versions this needs three names > [01 - Cyrus IMAP Server - IMAPMAGICPLUS preauthentification overflow] CAN-2004-1011 > [02 - Cyrus IMAP Server - PARTIAL out of bounds memory corruption] CAN-2004-1012 > [03 - Cyrus IMAP Server - FETCH out of bounds memory corruption] CAN-2004-1013
CRD origiunally 24.11.2004, but most likely will be released next week by cyrus-imapd team. No patches yet, inquiring...
Created attachment 26056 [details] imapd-bugdemo.tgz
regarding comment 2, what is CVE names?
Created attachment 26089 [details] my patch proposal for 2.2.8 Please comment
Created attachment 26093 [details] New patch, obsoleting old one ...
from readme in imapd-bugdemo.tgz: - cmd_fetch.output - this is the return value on a test server clearly the OK line after the 2nd BAD line is wrong. Without the bug OK line would be like the 1st BAD line where this is the content of cmd_fetch.output: * OK XXXXX Cyrus IMAP4 v2.1.16-IPv6-Debian-2.1.16-10 server ready 0 OK Anonymous access granted * FLAGS (\Answered \Flagged \Draft \Deleted \Seen) * OK [PERMANENTFLAGS (\Answered \Flagged \Draft \Deleted \Seen \*)] * 0 EXISTS * 0 RECENT * OK [UIDVALIDITY 1099606002] * OK [UIDNEXT 1] 0 OK [READ-WRITE] Completed 0 BAD Invalid body section 0 BAD Invalid Fetch attribute BODY.P11111111111111] 0 NO No matching messages * BYE LOGOUT received 0 OK Completed So what OK line after the 2nd BAD line might be talked about??? Or is that a typo and the "NO" line after the 2nd BAD line is meant?
packages submittet
Created attachment 26228 [details] the patch upstream is using This exactly the patch we sent to the maintainmers, except they handle oversized packets by a 'return' rather thsn truncating. Could you please go ahead with the build and apply the patches to the other versions too?
Created attachment 26239 [details] patchinfo-file box ...
Created attachment 26240 [details] patchinfo for maintained ...
Ok, so everything should be in place. Could you please tell suse-dist? I thought SWAMP would do this automatically but anyway.
is public now.
Created attachment 26347 [details] New patch fixing same bugs which shoed also up in proxyd.c ...
Could you please submit new sources? We got reports via vendor-sec that the same bug was contained in proxyd.c. I attached new fix, and also sent it to vendor-sec to see what they say. Patchinfos are the same except you need to add a newline or a space somewhere for the md5 sum. Should I reject the patchinfo?
Markus just told me about this additional patch (I didn't see it, as I was not in CC)
Okay, submitted 9.2 and SLES9 versions: /work/src/done/9.2/cyrus-imapd /work/src/done/SLES9/cyrus-imapd the older versions do not have support for IMAPMAGICPLUS and/or do not have imap/global.c Please also not forget to add this documentation to the SLES9 version of the cyrus-imapd update: ----------------------------------------------------------------------------- Fixes for the sieve vacation functionality. Existing sieve scripts must be recompiled when installing this update, e.g. using the tool masssievec. These commands can be used to do that: find /var/lib/sieve -name "*.bc" | xargs rm -v su - cyrus -c '/usr/share/doc/packages/cyrus-imapd/tools/masssievec \ /usr/lib/cyrus/bin/sievec' It is recommended to make a backup of /var/lib/sieve, first.
Ok, so everything should be in place, yet I dont see it on patch-status. Could you please inform suse-dist? (I am submitting patchinfo files right now). For the non-security docs, this is something the documenters need to know.
Patchinfos submitted. Ah, I see the SLES cyrus on patchstatus, but I think you need to re-submit the 8.1, 8.2 and so on since it has been rejected because of the missing fix for the 9.2. Patchinfo is there, you can also use the same fix. Sorry for the mess.
resubmit the package without changes to /work/src/done???
please leave everything as-is, all is fine , patchinfos are complete and in QA already...
packages approved. advisory will be released tomorrow.
CVE-2004-1013: CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)