Cyrus IMSP is an implementation of the IMSP protocol. The Internet Message Support Protocol (IMSP) is "designed to support the provision of mail in a medium to large scale operation. It is intended to be used as a companion to the IMAP4 protocol [IMAP4], providing services which are either outside the scope of mail access or which pertain to environments which must run more than one IMAP4 server in the same mail domain. The services that IMSP provides are extended mailbox management, configuration options, and address books".
There is a remotely exploitable buffer overflow in the Cyrus IMSPd. The vulnerability can be triggered before authentication. The IMSP daemon is required to run as root.
Credit:
The information has been provided by Felix Lindner.
Vulnerable systems:
* IMSP versions 1.4, 1.5a6, 1.6a3, and 1.7
Immune systems:
* IMSP versions 1.6a4 and 1.7a
In the function abook_dbname, a sprintf() call takes place. The function takes two char pointers (dbname and name), which are later used in the sprintf() call:
sprintf(dbname, abookdb, ownerlen, name, name);
abookdb is defined as
static char abookdb[] = "user/%.*s/abook.%s";
Several functions in the code use abook_dbname() and supply a local char buffer of 256 bytes as first argument to the function. Since the second argument "name" is controlled by the user in several protocol messages, a remotely exploitable buffer overflow is created.
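A bounded form of the formatting call described above, shown as an added example; it is not code from the advisory and not the vendor's patch. The names abook_dbname_needed, abook_dbname_checked and DBNAME_MAX are hypothetical and the sample names are constructed; only the format string and the 256-byte buffer size come from the text.

```c
#include <stdio.h>
#include <string.h>

#define DBNAME_MAX 256  /* size of the callers' local buffers, per the advisory */

/* Format string as quoted in the advisory. */
static const char abookdb[] = "user/%.*s/abook.%s";

/* Bytes, including the NUL, that an unbounded sprintf() would write. */
size_t abook_dbname_needed(const char *name, int ownerlen)
{
    int n = snprintf(NULL, 0, abookdb, ownerlen, name, name);
    return n < 0 ? 0 : (size_t)n + 1;
}

/* Bounded variant: returns 0 on success, -1 if the result does not fit. */
int abook_dbname_checked(char *dbname, size_t dbsize,
                         const char *name, int ownerlen)
{
    int n;
    if (dbname == NULL || dbsize == 0 || name == NULL || ownerlen < 0)
        return -1;
    n = snprintf(dbname, dbsize, abookdb, ownerlen, name, name);
    if (n < 0 || (size_t)n >= dbsize) {
        dbname[0] = '\0';  /* never hand back a truncated database name */
        return -1;
    }
    return 0;
}

int main(void)
{
    char dbname[DBNAME_MAX];
    char longname[301];    /* constructed sample: 300-byte name */
    int rc;

    memset(longname, 'A', 300);
    longname[300] = '\0';

    rc = abook_dbname_checked(dbname, sizeof dbname, "alice.work", 5);
    printf("short: rc=%d needed=%zu dbname=%s\n",
           rc, abook_dbname_needed("alice.work", 5), dbname);

    rc = abook_dbname_checked(dbname, sizeof dbname, longname, 300);
    printf("long:  rc=%d needed=%zu (buffer is %d)\n",
           rc, abook_dbname_needed(longname, 300), DBNAME_MAX);
    return 0;
}
```

Because name appears twice in the format, the output grows by two bytes for every byte of input when ownerlen covers the whole name, so a name of 122 bytes is already enough to exceed the 256-byte buffer.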
Solution:
Andrew Systems Group has released new versions. Older versions are no longer supported.
ftp://ftp.andrew.cmu.edu/pub/cyrus/cyrus-imspd-v1.6a4.tar.gz
ftp://ftp.andrew.cmu.edu/pub/cyrus/cyrus-imspd-v1.7a.tar.gz
And
http://ftp.andrew.cmu.edu/pub/cyrus/cyrus-imspd-v1.6a4.tar.gz
http://ftp.andrew.cmu.edu/pub/cyrus/cyrus-imspd-v1.7a.tar.gz
Vendor communication:
08.12.2003 Initial notification
08.12.2003 Rob Siemborski answers
08.12.2003 Rob Siemborski sends a patch
09.12.2003 n.runs tests the patch and finds it to be correct
09.12.2003 CERT VU# assigned
12.12.2003 Rob Siemborski sends the new versions
15.12.2003 public release