Bug 469667 (CVE-2008-5005)

Summary: CVE-2008-5005 uw-imap: buffer overflow in dmail and tmail
Product: [Other] Security Response
Reporter: Tomas Hoger <thoger>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: jdennis, kreilly, rdieter
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-02-19 18:44:01 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 469415, 469522, 469523, 483255
Bug Blocks:
Attachments:
  dmail 2007b -> 2007d diff (flags: none)
  tmail 2007b -> 2007d diff (flags: none)

Description Tomas Hoger 2008-11-03 12:11:43 UTC
UW-IMAP upstream developers released a new upstream version, 2007d, that fixes a security issue in the dmail and tmail utilities.  The upstream announcement fails to detail the issue further.

References:
http://mailman2.u.washington.edu/pipermail/imap-uw/2008-October/002267.html
http://mailman2.u.washington.edu/pipermail/imap-uw/2008-October/002268.html

Comment 1 Tomas Hoger 2008-11-03 12:15:17 UTC
uw-imap as shipped with Fedora and EPEL was rebased to upstream version 2007d, updates should appear in stable repositories on the next push runs.

uw-imap is also shipped in Red Hat Enterprise Linux 2.1 and 3 (imap package).  Only Red Hat Enterprise Linux 3 offers imap-utils subpackage with tmail and dmail utilities.

Comment 2 Tomas Hoger 2008-11-03 12:16:46 UTC
Created attachment 322296 [details]
dmail 2007b -> 2007d diff

Fixes unbound strcpy to stack-based buffer.

Comment 3 Tomas Hoger 2008-11-03 12:17:50 UTC
Created attachment 322297 [details]
tmail 2007b -> 2007d diff

Similar to the dmail change.

Comment 4 Tomas Hoger 2008-11-03 13:41:00 UTC
Further details from Pawel Salek:

It's a classical stack overflow that can be triggered by passing
+VERYLONGSTRING as the argument to [dt]mail. The program attempts to copy the
string to a temporary buffer without checking its length. This is only a root
exploit if the program is suid root. It is a remote exploit if the smtp
delivery program passes an argument to tmail longer than 1024 characters (eg
via the $u variable in 
define(`LOCAL_MAILER_ARGS', `tmail $u')dnl

Comment 5 Tomas Hoger 2008-11-03 13:48:54 UTC
RFC 5321 defines that the maximum length of the local part of an email address is 64 characters [1], but longer local parts seem to be accepted by MTAs.
  [1] http://tools.ietf.org/html/rfc5321#section-4.5.3.1.1

Sendmail restricts the total length of the recipient email address to 255 characters, while the buffer being overflowed in [dt]mail has capacity for 1024 characters.  That seems to be the restriction mentioned in the upstream announcement that is preventing remote exploitation of the flaw.

However, Postfix is a bit more permissive in this regard, and it may be possible to trigger this issue if Postfix is configured to use [dt]mail as mailbox_command along with recipient_delimiter being set to +.
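The mechanism described in comments 2 through 5 is an unbounded strcpy of the text after the leading '+' into a fixed 1024-byte stack buffer. The following is an added illustration of the bounded-copy pattern that such a fix applies; it is constructed for this page and is not the UW-IMAP tmail/dmail source. The buffer size (1024) comes from comment 5 and the "+extension" argument shape from comment 4; the function names, the wrapper and the probe helper are assumptions made here.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration, not UW-IMAP code. The 1024-byte size mirrors
 * the stack buffer discussed in the bug (comment 5). */
#define FOLDER_EXT_BUF 1024

/* Copy the folder extension that follows a leading '+' into dst.
 * Returns 0 on success, -1 if the argument is not a "+extension" or
 * would not fit in dstlen bytes including the NUL terminator.
 * The pre-fix behaviour described in comment 2 amounts to
 * strcpy(dst, arg + 1) with no length check at all. */
int copy_folder_ext(const char *arg, char *dst, size_t dstlen)
{
    if (arg == NULL || dst == NULL || dstlen == 0)
        return -1;
    if (arg[0] != '+')
        return -1;                      /* not a folder-extension argument */

    const char *ext = arg + 1;
    size_t n = 0;
    /* Scan no further than the destination can hold; this is the bound
     * that the unbounded strcpy lacked. */
    while (n < dstlen && ext[n] != '\0')
        n++;
    if (n == dstlen)
        return -1;                      /* no room for the terminator: reject */

    memcpy(dst, ext, n + 1);            /* n characters plus the NUL */
    return 0;
}

/* Run the bounded copy against a 1024-byte local buffer, the size at issue
 * in the bug. Returns the accepted extension length, or -1 on rejection. */
long folder_ext_length(const char *arg)
{
    char buf[FOLDER_EXT_BUF];
    if (copy_folder_ext(arg, buf, sizeof buf) != 0)
        return -1;
    return (long)strlen(buf);
}

/* Build a constructed argument "+aaa..." with `len` extension characters
 * and report how folder_ext_length treats it (-2 if len is too large for
 * the scratch buffer). Useful for checking the boundary behaviour. */
long probe_ext_length(size_t len)
{
    static char arg[4096];
    if (len + 2 > sizeof arg)
        return -2;
    arg[0] = '+';
    memset(arg + 1, 'a', len);
    arg[len + 1] = '\0';
    return folder_ext_length(arg);
}

int main(void)
{
    /* Constructed inputs: a short extension, the largest one that fits,
     * and the first length that the bug's buffer could not hold. */
    printf("+inbox      -> %ld\n", folder_ext_length("+inbox"));
    printf("1023 chars  -> %ld\n", probe_ext_length(1023));
    printf("1024 chars  -> %ld\n", probe_ext_length(1024));
    printf("no '+'      -> %ld\n", folder_ext_length("inbox"));
    return 0;
}
```

The boundary matters: 1023 characters plus the NUL fill the 1024-byte buffer exactly and are accepted, while 1024 characters are rejected instead of overwriting whatever follows the buffer on the stack. Comment 5's observation that Sendmail caps the recipient at 255 characters is why the unfixed code was hard to reach remotely through Sendmail; a check like this one removes the dependence on the MTA's limits altogether.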

Comment 7 Tomas Hoger 2008-11-03 15:42:08 UTC
Bitsec security advisory for this issue:
  http://www.bitsec.com/en/rad/bsa-081103.txt
  http://marc.info/?l=full-disclosure&m=122572590212610&w=4

PoC is expected to be published on 2008-11-10 at:
  http://www.bitsec.com/en/rad/bsa-081103.c

Comment 8 Fedora Update System 2008-11-06 04:08:19 UTC
uw-imap-2007d-1.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2008-11-06 04:09:57 UTC
uw-imap-2007d-1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Tomas Hoger 2008-11-10 14:06:03 UTC
CVE id CVE-2008-5005 was assigned to this issue:

Multiple stack-based buffer overflows in (1) University of Washington
IMAP Toolkit 2002 through 2007c, (2) University of Washington Alpine
2.00 and earlier, and (3) Panda IMAP allow (a) local users to gain
privileges by specifying a long folder extension argument on the
command line to the tmail or dmail program; and (b) remote attackers
to execute arbitrary code by sending e-mail to a destination mailbox
name composed of a username and '+' character followed by a long
string, processed by the tmail or possibly dmail program.

Comment 12 Tomas Hoger 2009-01-30 15:03:09 UTC
The tmail and dmail utilities available in the imap packages as shipped with Red Hat Enterprise Linux 3 are not installed setuid root, so the local privilege escalation is not possible.  This flaw can only be an issue if one of the utilities were used as a delivery agent in certain mail setups, as documented in comment #5.  Such a setup is a default or commonly used one.

Comment 14 Red Hat Product Security 2009-02-19 18:44:01 UTC
This issue was addressed in:

Red Hat Enterprise Linux:
  http://rhn.redhat.com/errata/RHSA-2009-0275.html

Fedora:
  updated to fixed upstream version uw-imap-2007d