Courier-IMAP is "an IMAP/POP3 mail server popular on sites utilizing Qmail/Exim/Postfix". Remote exploitation of a format string vulnerability in Double Precision Inc.'s, Courier-IMAP daemon allows attackers to execute arbitrary code.
// emit it
fprintf( stderr, buf ); // <- Format String Vulnerability
fprintf( stderr, "\n" );
}
The 'buf' variable utilized in the fprintf() call is attacker-controlled and can contain format string modifiers allowing an attacker to manipulate the stack and eventually execute arbitrary code.
Analysis:
Successful exploitation does not require authentication thereby allowing any remote attacker to execute arbitrary code under the privileges of the user that the IMAP daemon runs as. The vulnerable function auth_debug() is only called if login debugging is enabled requiring that the 'DEBUG_LOGIN' be set to either '1' or '2' in the imapd configuration file.
Workaround:
Disable the login debugging option of Courier-IMAP. This can be accomplished by setting 'DEBUG_LOGIN' to '0' in the configuration file usually located at /usr/lib/courier-imap/etc/imapd.
Vendor response:
This issue has been resolved in the latest version of Courier IMAP (v3.0.7). As well, the default setting of 'DEBUG_LOGIN' is '0'.
