________________________________________________________________________ n.runs GmbH http://www.nruns.com/ security@nruns.com n.runs-SA-2003.001 15-Dec-2003 ________________________________________________________________________ Vendor: Andrew Systems Group, Carnegie Mellon (cmu.edu) Product: Cyrus IMSP Vulnerability: Buffer overflow in address book handling Affected Releases: 1.4, 1.5a6, 1.6a3, 1.7 NOT Affected Releases: - Severty: HIGH CERT tracking: VU#933878 CVE: n/a ________________________________________________________________________ Vendor communication: 08.12.2003 Initial notification 08.12.2003 Rob Siemborski answers 08.12.2003 Rob Siemborski sends a patch 09.12.2003 n.runs tests the patch and finds it to be correct 09.12.2003 CERT VU# assigned 12.12.2003 Rob Siemborski sends the new versions 15.12.2003 public release ________________________________________________________________________ Overview: Cyrus IMSP is a implementation of the IMSP protocol [2]. "The Internet Message Support Protocol (IMSP) is designed to support the provision of mail in a medium to large scale operation. It is intended to be used as a companion to the IMAP4 protocol [IMAP4], providing services which are either outside the scope of mail access or which pertain to environments which must run more than one IMAP4 server in the same mail domain. The services that IMSP provides are extended mailbox management, configuration options, and address books." There is a remotely exploitable buffer overflow in the Cyrus IMSPd. The vulnerability can be triggered before authentication. The IMSP daemon is required to run as root. Description: In the function abook_dbname, a sprintf() call takes place. The function takes two char pointers (dbname and name), which are later used in the sprintf() call: sprintf(dbname, abookdb, ownerlen, name, name); abookdb is defined as static char abookdb[] = "user/%.*s/abook.%s"; Several functions in the code use abook_dbname() and supply a local char buffer of 256 bytes as first argument to the function. Since the second argument "name" is controlled by the user in serveral protocol messages [2], a remotely exploitable buffer overflow is created. Example: n.runs has a prove of concept exploit for the issue discussed. Solution: Andrew Systems Group has released new versions. Older versions are no longer supported. ftp://ftp.andrew.cmu.edu/pub/cyrus/cyrus-imspd-v1.6a4.tar.gz ftp://ftp.andrew.cmu.edu/pub/cyrus/cyrus-imspd-v1.7a.tar.gz and http://ftp.andrew.cmu.edu/pub/cyrus/cyrus-imspd-v1.6a4.tar.gz http://ftp.andrew.cmu.edu/pub/cyrus/cyrus-imspd-v1.7a.tar.gz ________________________________________________________________________ Credit: Bug found by Felix Lindner and Michael Guenther of n.runs GmbH. Additional credits to Steffen Weinreich for support during research. Greets to Halvar, Johnny Cyberpunk, Nicolas Fischbach, all@EEye ________________________________________________________________________ References: [1] http://asg.web.cmu.edu/cyrus/download/ [2] http://asg.web.cmu.edu/cyrus/rfc/imsp.html ________________________________________________________________________ The information provided is released by n.runs "as is" without warranty of any kind. n.runs disclaims all warranties, either express or implied, expect for the warranties of merchantability. In no event shall n.runs be liable for any damages whatsever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if n.runs has been advised of the possibility of such damages. Distribution or reproduction of the information is provided that the advisory is not modified in any way. Copyright 2003 n.runs. All rights reserved. ________________________________________________________________________
