-----Original Message-----
From:   Chris Evans [SMTP:[EMAIL PROTECTED]]
Sent:   Wednesday, May 26, 1999 3:37 PM
To:     [EMAIL PROTECTED]
Subject:        Remote vulnerability in pop2d

Hi

Firstly, sorry if any details are hazy - this is from memory (it's two
months since I last looked at this). This bug concerns the pop-2 daemon,
which is a part of the Washington University imap package.

I've been waiting for a CERT advisory, but one doesn't seem to be
forthcoming. Two and a half months is a long time. Also, the problem has
been fixed for a long time. I'm posting because

a) A fixed full release is available, so people should know about it
b) The flaw is fairly basic and easy to spot, so active exploitation could
well be happening

Quick details
=============

Compromise possible:  remote users can get a shell as user "nobody"
If:                   running pop-2d v4.4 or earlier

Fixed version:        imap-4.5, available now.


Not vulnerable
==============
RedHat-6.0 isn't vulnerable because imap-4.5 was shipped.

Vulnerable
==========

Anyone who shipped the pop-2 component of imap-4.4 or earlier, including
earlier RedHat releases


Details of flaw
===============

pop-2 and pop-3 support the concept of an "anonymous proxy" whereby remote
users can connect and open an imap mailbox on _any server they have a
valid account on_. An attacker connects to the vulnerable pop-2 port and
connects it to an imap server under their control. Once logged on, issuing
a "FOLD" command with a long arg will cause an overflow of a stack based
buffer.

The arg to FOLD must be somewhere around 1000 bytes - not much bigger, not
much smaller. Look at the source.

Additional
==========

I think the concept of "anonymous proxy" is just fundamentally insecure.
It opens up a large code path for remote users to explore, i.e. the
protocol parsing of imap, etc.

The author of imap very responsibly includes a compile time flag to
disable this in 4.5.

Better still, RedHat-6.0 ships with the proxy disabled.


Cheers
Chris
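Added illustration, not taken from the post above or from the imap package source: the unbounded-copy pattern the post describes for the FOLD argument, beside a bounded handler that measures the argument and refuses it before any stack buffer is written. MAILBOX_MAX, the function names and the constructed 1000-byte FOLD line are assumptions, not values from the daemon.

```c
#include <stdio.h>
#include <string.h>

/* Assumed limit for this illustration; the post does not give the daemon's real buffer size. */
#define MAILBOX_MAX 256

enum fold_result { FOLD_OK = 0, FOLD_NOT_FOLD, FOLD_MALFORMED, FOLD_TOO_LONG };

/* The pattern the post describes (hypothetical, not the ipop2d source): the FOLD
 * argument is copied into a fixed-size stack buffer with no length check. */
void fold_unbounded(const char *arg) {
    char mailbox[MAILBOX_MAX];
    strcpy(mailbox, arg);                   /* no bound: an overlong arg overruns the frame */
    printf("opening %s\n", mailbox);
}

/* Hardened handler: measure the argument first and refuse anything that cannot
 * fit; the buffer is only written once the length is known to be safe. */
enum fold_result parse_fold(const char *line, char *mailbox, size_t cap) {
    if (strncmp(line, "FOLD ", 5) != 0)
        return FOLD_NOT_FOLD;
    const char *arg = line + 5;
    const char *end = strpbrk(arg, "\r\n");  /* argument runs to end of line */
    size_t len = end ? (size_t)(end - arg) : strlen(arg);
    if (len == 0)
        return FOLD_MALFORMED;
    if (len >= cap)                          /* leave room for the terminator */
        return FOLD_TOO_LONG;
    memcpy(mailbox, arg, len);
    mailbox[len] = '\0';
    return FOLD_OK;
}

/* Verdict for one client line, using a stack buffer exactly as a handler would. */
enum fold_result classify_fold_line(const char *line) {
    char mailbox[MAILBOX_MAX];
    return parse_fold(line, mailbox, sizeof mailbox);
}

/* Builds a constructed "FOLD " line with an n-byte argument and classifies it. */
enum fold_result fold_result_for_arg_len(size_t n) {
    char line[2048];
    if (n > sizeof line - 8) return FOLD_MALFORMED;   /* sample line cannot be built */
    memcpy(line, "FOLD ", 5);
    memset(line + 5, 'A', n);
    memcpy(line + 5 + n, "\r\n", 3);
    return classify_fold_line(line);
}
```

With the bounded handler, `fold_result_for_arg_len(1000)` returns FOLD_TOO_LONG and the stack buffer is never touched; the same line handed to `fold_unbounded` is the overflow the post describes.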
