Bug 486963 - (CVE-2009-0671) CVE-2009-0671 uw-imap: remote format string vulnerability
Status: CLOSED INSUFFICIENT_DATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
Version: unspecified
Hardware: All Linux
Priority: urgent Severity: urgent
Target Milestone: ---
Target Release: ---
Assigned To: Red Hat Product Security
URL: http://web.nvd.nist.gov/view/vuln/det...
Whiteboard: source=cve,reported=20090222,public=2...
Keywords: Security
Depends On:
Blocks:
Reported: 2009-02-23 08:53 EST by Tomas Hoger
Modified: 2009-02-25 04:25 EST (History)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-02-25 04:25:45 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Description Tomas Hoger 2009-02-23 08:53:11 EST
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-0671 to the following vulnerability:

Format string vulnerability in the University of Washington (UW)
c-client library, as used by the UW IMAP toolkit imap-2007d and other
applications, allows remote attackers to execute arbitrary code via
format string specifiers in the initial request to the IMAP port
(143/tcp).

References:
http://packetstormsecurity.org/0902-exploits/uwimap-format.txt
http://www.securityfocus.com/bid/33795
http://xforce.iss.net/xforce/xfdb/48798
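The flaw class the CVE text describes, as an added C illustration that is not code from the bug report, the published exploit, or the UW c-client library: the dangerous call shape is shown only in a comment, while the safe call (`log_line_safe`) and a small input-audit helper (`count_format_directives`), both hypothetical names, are implemented; the IMAP request line is constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration of the flaw class named in the CVE text: a client-supplied
 * string reaching a printf-style format argument. The helpers below are
 * hypothetical and are not code from the UW c-client library.
 *
 * The dangerous pattern looks like this (gcc -Wformat-security flags it):
 *
 *     snprintf(out, outsz, client_line);      // client_line IS the format
 *
 * If client_line contains %x or %s the call reads arguments that were never
 * passed; %n writes to memory. Externally supplied strings are data, never
 * format strings. */

/* Safe form: the format is a literal and the untrusted string is only an
 * argument, so any '%' in it is copied through unchanged. */
static int log_line_safe(char *out, size_t outsz, const char *tag,
                         const char *client_line)
{
    return snprintf(out, outsz, "%s: %s", tag, client_line);
}

/* Defensive audit: count printf-style directives in a received line, treating
 * the literal "%%" as a plain percent sign. A non-zero count in protocol input
 * is worth logging; it is exactly the input a vulnerable call site would
 * misinterpret. */
static int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* "%%" is a literal percent, skip both */
            s++;
            continue;
        }
        if (s[1] == '\0')       /* lone trailing '%' is not a directive */
            break;
        n++;
    }
    return n;
}

/* Constructed sample: an initial IMAP request line carrying directives. */
static const char SAMPLE_LINE[] = "A001 LOGIN %x%x%x%n user";

int main(void)
{
    char out[128];
    int len = log_line_safe(out, sizeof out, "imapd", SAMPLE_LINE);
    printf("logged %d bytes: %s\n", len, out);
    printf("directives in input: %d\n", count_format_directives(SAMPLE_LINE));
    return 0;
}
```

Building with `-Wformat-security` (or `-Werror=format-security`) is the cheapest way to find the unsafe shape in a code base; the audit helper is for the runtime side, flagging protocol input that carries directives so it can be logged and correlated.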
Comment 3 Tomas Hoger 2009-02-25 04:25:45 EST
Official statement was published on NIST's NVD site:
  http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0671
  
  Disputed: The Red Hat Security Response Team have been unable to confirm the
  existence of this format string vulnerability in the toolkit, and the sample
  published exploit is not complete or functional.


This issue was investigated by Red Hat and upstream and we were unable to identify a specific flaw based on the published exploit.  The exploit code is broken and does not even compile.  Additionally, it seems to be a merge of two or more previous exploits; the format string was copied verbatim from:
http://skypher.com/wiki/index.php?title=Www.edup.tudelft.nl/~bjwever/exploits/Nightmare.c

While it's unclear whether the exploit was intentionally crippled to hide a real flaw, or it was a fake from the beginning, we were not able to identify any format string issues that would affect UW imapd as suggested by the published exploit.  Additional sources report that similarly broken fake exploits were published in the past, crediting the same author.

The CVE id should be marked rejected by MITRE in the near future.
