SecuriTeam™ - Courier-IMAP Remote Format String Vulnerability

Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus

SecuriTeam™
Beyond Security®

SecuriTeam™ Home
Ask the Team
Mailing Lists
Advertising Info
Blogs

Black Box Testing
Vulnerability Assessment
Vulnerability Scanner

	SecuriTeam™ in Your Inbox

	E-mail this article to a friend

New vulnerability?
New tool?
Tell us

Courier-IMAP is "an IMAP/POP3 mail server popular on sites utilizing Qmail/Exim/Postfix". Remote exploitation of a format string vulnerability in Double Precision Inc.'s, Courier-IMAP daemon allows attackers to execute arbitrary code.

Credit:
The information has been provided by iDEFENSE.
The original article can be found at: http://www.idefense.com/application/poi/display?id=131&type=vulnerabilities&flashstatus=true

Audit your web server for security holes - see what the hackers see.
Sign up for a scan today - risk free!

Vulnerable Systems:
* Courier-IMAP versions 1.6.0 up to 2.2.1

Immune Systems:
* Courier-IMAP version 3.0.7

The vulnerability specifically exists within the auth_debug() function defined in authlib/debug.c:

void auth_debug( const char *fmt, va_list ap ) {
    char buf[DEBUG_MESSAGE_SIZE];
    int i;
    int len;

    // print into buffer to be able to replace control and other
    // unwanted chars.
    vsnprintf( buf, DEBUG_MESSAGE_SIZE, fmt, ap );
    len = strlen( buf );

    // replace nonprintable chars by dot
    for( i=0 ; i<len ; i++ )
            if( !isprint(buf[i]) )
                    buf[i] = '.';

    // emit it
    fprintf( stderr, buf ); // <- Format String Vulnerability
    fprintf( stderr, "\n" );
}

The 'buf' variable utilized in the fprintf() call is attacker-controlled and can contain format string modifiers allowing an attacker to manipulate the stack and eventually execute arbitrary code.

Analysis:
Successful exploitation does not require authentication thereby allowing any remote attacker to execute arbitrary code under the privileges of the user that the IMAP daemon runs as. The vulnerable function auth_debug() is only called if login debugging is enabled requiring that the 'DEBUG_LOGIN' be set to either '1' or '2' in the imapd configuration file.

Workaround:
Disable the login debugging option of Courier-IMAP. This can be accomplished by setting 'DEBUG_LOGIN' to '0' in the configuration file usually located at /usr/lib/courier-imap/etc/imapd.

Vendor response:
This issue has been resolved in the latest version of Courier IMAP (v3.0.7). As well, the default setting of 'DEBUG_LOGIN' is '0'.

CVE Information:
CAN-2004-0777

Disclosure timeline:
08/10/2004 Initial vendor contact
08/10/2004 iDEFENSE clients notified
08/11/2004 Initial vendor response
08/18/2004 Public disclosure

	Calendarix Basic Two SQL Injection Vulnerabilities
	Multiple Heap Overflows in Xine-Lib
	OpenLDAP BER Decoding Remote DoS Vulnerability
	Vim Netrw FTP User Name and Password Disclosure
	Solaris snoop SMB Multiple Vulnerabilities
	Libxslt Heap-Based Buffer Overflow
	Apache Tomcat XSS Vulnerability
	Apple Mac OS X CoreGraphics PDF Type1 Font Integer Overflow Vulnerability
	Ingres Database for Linux Multiple Vulnerabilities
	SAP MaxDB dbmsrv Untrusted Execution Path Vulnerability
	Asterisk IAX 'POKE' Resource Exhaustion
	EMC Centera Universal Access SQL Injection
	Oracle Database Local Untrusted Library Path Vulnerability (Technical Details)
	Oracle Database Local Untrusted Library Path Vulnerability
	Novell eDirectory LDAP Search Request Heap Corruption Vulnerability