Vulnerable Systems:
* GNU Mailutils imap4d version 0.6
The imap4d server allows remote users to retrieve e-mail via the Internet Message Access Protocol, Version 4rev1 as specified in RFC3501. This is a client/server protocol supported by a large number of e-mail clients on multiple platforms.
The vulnerability specifically exists in the handling of SEARCH commands supplied by the remote user. If a search is made containing format specifiers (such as %p or %s), these will be interpreted by the server, and returned to the user.
The vulnerability specifically occurs because the util_finish() function expects a format specifier in the 3rd argument, followed by any arguments to be formatted. Without a specifier, the function interprets the 3rd argument as a format specifier.
Exploitation could allow authenticated remote attackers to execute arbitrary commands on an affected system as the authenticated user. This may allow access to systems not intended to have interactive users, which could allow further compromise. Using format specifiers, it is possible to construct a sequence of commands that cause arbitrary values to be written to arbitrary locations, allowing arbitrary code execution.
Proof of Concept: sh-2.05b$ netcat 192.168.0.1 143
* OK IMAP4rev1
1 LOGIN "user" "password"
1 OK LOGIN Completed
2 SELECT "inbox"
* 23 EXISTS
* 0 RECENT
* OK [UIDVALIDITY 1118516013] UID valididy status
* OK [UIDNEXT 24] Predicted next uid
* OK [UNSEEN 1] first unseen messsage
* FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
* OK [PERMANENTFLAGS (\Answered \Deleted \Seen)] Permanent flags
2 OK [READ-WRITE] SELECT Completed
3 SEARCH TOPIC %08x.%08x.%08x.%08x
3 BAD SEARCH Unknown search criterion (near
00000040.6e6b6e55.206e776f.72616573)
4 SEARCH TOPIC %s%s%s
sh-2.05b$
The result of the 'SEARCH TOPIC %08x.%08x.%08x.%08x' command contains values from the error string supplied to the output function. (6e6b6e55 converts to 'Unkn', 206e776f converts to 'own ' and 72616573 converts to 'sear'.) By referencing the values after the fixed string in the error message, which are under control of the attacker, and using the '%n' format specifier, controllable values can be written to arbitrary memory locations, allowing execution of arbitrary code.
The '%s%s%s' format specifier attempts to treat the first 3 values (0x00000040, 0x6e6b6e55 and 0x206e776f) as strings, and causes an access violation error, terminating the server connection, dropping the user back into their shell. The main server is still active, as the server forks a new copy for each connection. This allows multiple exploitation attempts.
