
Cyrus IMSP remote root vulnerability



________________________________________________________________________

n.runs GmbH                                        
http://www.nruns.com/                                 security@xxxxxxxxx
n.runs-SA-2003.001                                           15-Dec-2003
________________________________________________________________________

Vendor:                Andrew Systems Group, Carnegie Mellon (cmu.edu)
Product:               Cyrus IMSP
Vulnerability:         Buffer overflow in address book handling
Affected Releases:     1.4, 1.5a6, 1.6a3, 1.7
NOT Affected Releases: -
Severity:              HIGH
CERT tracking:         VU#933878
CVE:                   n/a
________________________________________________________________________

Vendor communication:
  08.12.2003           Initial notification
  08.12.2003           Rob Siemborski answers
  08.12.2003           Rob Siemborski sends a patch
  09.12.2003           n.runs tests the patch and finds it to be correct
  09.12.2003           CERT VU# assigned
  12.12.2003           Rob Siemborski sends the new versions
  15.12.2003           public release
________________________________________________________________________

Overview:
  Cyrus IMSP is an implementation of the IMSP protocol [2].

  "The Internet Message Support Protocol (IMSP) is designed to support
  the provision of mail in a medium to large scale operation. It is
  intended to be used as a companion to the IMAP4 protocol [IMAP4], 
  providing services which are either outside the scope of mail access 
  or which pertain to environments which must run more than one IMAP4
  server in the same mail domain. The services that IMSP provides are 
  extended mailbox management, configuration options, and address
  books."

  There is a remotely exploitable buffer overflow in the Cyrus IMSP daemon
  (imspd). The vulnerability can be triggered before authentication, and
  the IMSP daemon is required to run as root, so a successful exploit
  yields root on the server.

Description:
  In the function abook_dbname(), a sprintf() call takes place. The
  function takes two char pointers (dbname and name) and a length
  (ownerlen), which are later used in the sprintf() call:

  sprintf(dbname, abookdb, ownerlen, name, name);

  abookdb is defined as

  static char abookdb[] = "user/%.*s/abook.%s";

  Only the first conversion (%.*s) is bounded, by ownerlen; the second
  (%s) copies the whole of name into dbname with no length limit, and
  abook_dbname() is never told how large dbname is.

  Several functions in the code use abook_dbname() and supply a local
  char buffer of 256 bytes as the first argument. Since the second
  argument "name" is controlled by the user in several protocol
  messages [2], a name longer than roughly 240 bytes overflows that local
  buffer, creating a remotely exploitable buffer overflow.
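  The following is an added example, not code from the Cyrus IMSP source
  or from n.runs. It reconstructs the call shape the advisory describes
  (the format string and argument order are taken from the advisory; the
  256-byte caller buffer size is the one the advisory quotes) and places a
  bounds-checked replacement beside it. The function names with _safe,
  _needed and _demo suffixes, and the sample names "alice.friends" and
  the 300-byte 'A' string, are constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Size of the local buffer the advisory says callers pass in (assumption
 * taken from the advisory text, not from the Cyrus source). */
#define ABOOK_DBNAME_LEN 256

/* Format string as quoted in the advisory: only the first %s is bounded. */
static const char abookdb[] = "user/%.*s/abook.%s";

/* Reconstruction of the vulnerable shape: the caller's buffer size is not
 * passed in, so nothing stops "name" from overrunning dbname. Shown for
 * comparison only; never call it with attacker-controlled input. */
void abook_dbname_vulnerable(char *dbname, int ownerlen, const char *name)
{
    sprintf(dbname, abookdb, ownerlen, name, name);
}

/* Hardened form (added example): take the buffer size, use snprintf and
 * treat truncation as an error instead of silently shortening the path.
 * Returns 0 on success, -1 if the result would not fit. */
int abook_dbname_safe(char *dbname, size_t dbname_len, int ownerlen,
                      const char *name)
{
    int n = snprintf(dbname, dbname_len, abookdb, ownerlen, name, name);
    if (n < 0 || (size_t)n >= dbname_len) {
        if (dbname_len > 0)
            dbname[0] = '\0';   /* do not leave a half-built name behind */
        return -1;
    }
    return 0;
}

/* Bytes the formatted result needs, excluding the terminating NUL.
 * Useful for reasoning about how long a "name" must be to overflow. */
size_t abook_dbname_needed(int ownerlen, const char *name)
{
    int n = snprintf(NULL, 0, abookdb, ownerlen, name, name);
    return n < 0 ? 0 : (size_t)n;
}

/* Worked check: a normal name formats as expected, a constructed 300-byte
 * name (5 + 5 + 7 + 300 = 317 bytes of output) is rejected by the safe
 * variant rather than overrunning the 256-byte buffer. Returns 1 on pass. */
int abook_dbname_demo(void)
{
    char dbname[ABOOK_DBNAME_LEN];
    char longname[301];

    memset(longname, 'A', 300);
    longname[300] = '\0';

    if (abook_dbname_safe(dbname, sizeof dbname, 5, "alice.friends") != 0)
        return 0;
    if (strcmp(dbname, "user/alice/abook.alice.friends") != 0)
        return 0;
    if (abook_dbname_safe(dbname, sizeof dbname, 5, longname) != -1)
        return 0;
    if (dbname[0] != '\0')
        return 0;
    return 1;
}

int main(void)
{
    char dbname[ABOOK_DBNAME_LEN];

    /* Same short input through both variants: identical result. */
    abook_dbname_vulnerable(dbname, 5, "alice.friends");
    printf("vulnerable: %s\n", dbname);
    abook_dbname_safe(dbname, sizeof dbname, 5, "alice.friends");
    printf("safe:       %s\n", dbname);
    printf("demo %s\n", abook_dbname_demo() ? "passed" : "failed");
    return 0;
}
```

  The fix the vendor shipped is not reproduced here; the point of the
  example is that the unbounded %s is only safe once the callee knows the
  destination size and refuses, rather than truncates, anything that does
  not fit, since a silently truncated database path is itself a security
  problem (it may name a different user's address book).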

Example:
  n.runs has a proof-of-concept exploit for the issue discussed.

Solution:
  Andrew Systems Group has released new versions. Older versions are
  no longer supported.

  ftp://ftp.andrew.cmu.edu/pub/cyrus/cyrus-imspd-v1.6a4.tar.gz
  ftp://ftp.andrew.cmu.edu/pub/cyrus/cyrus-imspd-v1.7a.tar.gz
  and
  http://ftp.andrew.cmu.edu/pub/cyrus/cyrus-imspd-v1.6a4.tar.gz
  http://ftp.andrew.cmu.edu/pub/cyrus/cyrus-imspd-v1.7a.tar.gz
  
________________________________________________________________________

Credit: 
  Bug found by Felix Lindner and Michael Guenther of n.runs GmbH. 
  Additional credits to Steffen Weinreich for support during research.

  Greets to Halvar, Johnny Cyberpunk, Nicolas Fischbach, all@EEye
________________________________________________________________________

References:

  [1] http://asg.web.cmu.edu/cyrus/download/
  [2] http://asg.web.cmu.edu/cyrus/rfc/imsp.html
________________________________________________________________________

The information provided is released by n.runs "as is" without warranty
of any kind. n.runs disclaims all warranties, either express or implied,
except for the warranties of merchantability. In no event shall n.runs be
liable for any damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages, even if
n.runs has been advised of the possibility of such damages.
Distribution or reproduction of this information is permitted provided
that the advisory is not modified in any way.

Copyright 2003 n.runs. All rights reserved.
________________________________________________________________________