Bug 486963 (CVE-2009-0671)

Summary: CVE-2009-0671 uw-imap: remote format string vulnerability
Product: [Other] Security Response Reporter: Tomas Hoger <thoger>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED INSUFFICIENT_DATA QA Contact:
Severity: urgent Docs Contact:
Priority: urgent    
Version: unspecifiedCC: jdennis, jorton, rdieter
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0671
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-02-25 09:25:45 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Tomas Hoger 2009-02-23 13:53:11 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-0671 to the following vulnerability:

Format string vulnerability in the University of Washington (UW)
c-client library, as used by the UW IMAP toolkit imap-2007d and other
applications, allows remote attackers to execute arbitrary code via
format string specifiers in the initial request to the IMAP port
(143/tcp).

References:
http://packetstormsecurity.org/0902-exploits/uwimap-format.txt
http://www.securityfocus.com/bid/33795
http://xforce.iss.net/xforce/xfdb/48798

Comment 3 Tomas Hoger 2009-02-25 09:25:45 UTC
Official statement was published on the Nist's NVD site:
  http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0671
  
  Disputed: The Red Hat Security Response Team have been unable to confirm the
  existence of this format string vulnerability in the toolkit, and the sample
  published exploit is not complete or functional.


This issue was investigated by Red Hat and upstream and we were unable to identify a specific flaw based on the published exploit.  Exploit code is broken and does not even compile.  Additionally, it seems to be a merge of two or more previous exploits, format string was copied verbatim from:
http://skypher.com/wiki/index.php?title=Www.edup.tudelft.nl/~bjwever/exploits/Nightmare.c

While it's unclear whether the exploit was intentionally crippled to hide real flaw, or it was fake from the beginning, we were not able to identify any format string issues that would affect UW imapd as suggested by the published exploit.  Additional sources report that similarly broken fake exploits were published in the past, crediting same author.

CVE id should be marked rejected by Mitre in the near future.