lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Sun, 13 Apr 2014 20:00:15 -0400
From: Peter Malone <peter@...ermalone.org>
To: fulldisclosure@...lists.org
Subject: [FD] Two Possible Vulnerabilities in courier-imapd?

Hi there,

Lets take a look at two functions in courier-imap 4.15. The first one is
emptytrash(), and the second one is store_mailbox().


void emptytrash()
{
        char    *dir, *all_settings, *next_folder, *folder, *p;
        unsigned l;

        all_settings=getenv("IMAP_EMPTYTRASH");
               return;

        all_settings=strdup(all_settings);
        if (!all_settings)
                return;

        if (strchr(all_settings, ':') == 0 &&
            strchr(all_settings, ',') == 0)
        {
                l=atoi(all_settings);

                if (l <= 0)
                        l=1;

                maildir_getnew(".", trash, NULL, NULL);
                if ((dir=maildir_folderdir(".", trash)))
                {
                        maildir_purge(dir, l * 24 * 60 * 60);
                        free(dir);
                }
                free(all_settings);
                return;
        }

        for (folder=all_settings; folder && *folder; )
        {
                if (*folder == ',')
                {
                        ++folder;
                        continue;
                }
                next_folder=strchr(folder, ',');
                if (next_folder)
                        *next_folder++=0;

                p=strchr(folder, ':');
                if (!p)
                {
                        folder=next_folder;
                        continue;
                }

                *p++=0;

                l=atoi(p);
                if (l <= 0)     l=1;

                maildir_getnew(".", folder, NULL, NULL);
                if ((dir=maildir_folderdir(".", folder)))
                {
                        maildir_purge(dir, l * 24 * 60 * 60);
                        free(dir);
                }
                folder=next_folder;
        }
        free(all_settings);
}

The interesting parts of this function are
all_settings=getenv("IMAP_EMPTYTRASH");
free(all_settings);

Setting IMAP_EMPTYTRASH to something like "%s:%d%d%d%s%s%s" should cause
the application to crash. 

Moving on to store_mailbox()... this function is too big to paste in
this mail, but if we focus on lines 744 - 757:
        if (fflush(fp) || ferror(fp))
        {
                fprintf(stderr,
                        "ERR: error storing a message, user=%s, errno=%d
\n",
                                getenv("AUTHENTICATED"), errno);

                fclose(fp);
                unlink(tmpname);
                writes(tag);
                writes(nowrite);
                free(tmpname);
                free(newname);
                return (-1);
        }

I believe the above fprintf call is a format string vulnerability.

I'm going to continue to look into this, however in the meantime I
welcome your input regarding these two functions.

Regards,
Peter.


_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ