
Imapd Buffer Overflow


by Russ Rogers - 3/18/00

This week I want to discuss a vulnerability in the imapd shipped with some BSD and Linux operating systems. Imapd is the server on *NIX systems that implements the IMAP remote mail access protocol, which is described in more depth in RFC-1176.

IMAP stands for Interactive Mail Access Protocol and is used by many businesses as the standard for internal mail, in contrast to POP, which is used primarily by external mail servers. Imapd is invoked by the internet services daemon (inetd) and answers requests for service on the imap port (143).

The vulnerability is a programming error that results in a buffer overflow. IMAP supports a command called "AUTHENTICATE", whose argument names the authentication mechanism that will be used before a user's mailbox is opened. When imapd receives that mechanism name, it copies it into a temporary buffer that is 1024 characters in size.

But nothing forces the mechanism name to be 1024 characters or less. Imapd accepts command lines of up to 8192 characters, so an argument of up to that length can be copied into the 'tmp' buffer, which holds only 1024, using strcpy(), which does no bounds checking. That is the buffer overflow we are discussing. Because imapd is still running as root while it authenticates the client, this can, in some instances, allow a remote, unauthenticated user to run commands as 'root' on your system.

The following is a copy of the actual function within the daemon's mail library that contains the vulnerability; the unbounded strcpy() into tmp is the problem:

 char *mail_auth (char *mechanism,authresponse_t resp,int argc,char *argv[])
 {
   char tmp[MAILTMPLEN];               /* MAILTMPLEN is 1024 */
   AUTHENTICATOR *auth;
                                       /* make upper case copy of mechanism name */
   ucase (strcpy (tmp,mechanism));     /* no length check: overflows tmp */
   for (auth = mailauthenticators; auth; auth = auth->next)
     if (auth->server && !strcmp (auth->name,tmp))
       return (*auth->server) (resp,argc,argv);
   return NIL;                         /* no authenticator found */
 }

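To make the fix concrete, here is an added example (my own code, not the original imapd or c-client source) that sets the vulnerable pattern beside a hardened version of the same lookup. It keeps the article's sizes (a 1024-byte tmp buffer and an 8192-byte command line) but the authenticator table, the small "tag AUTHENTICATE mechanism" line parser and the function names are constructed for the demonstration. The hardened lookup refuses any mechanism name that would not fit in tmp before copying a single byte, and overflow_bytes() reports how far the original strcpy() would have written past the buffer without actually doing so.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAILTMPLEN 1024   /* c-client temporary buffer size, as in mail_auth() */
#define TMPLEN     8192   /* imapd command-line buffer: the most it hands to mail_auth() */

typedef struct authenticator {
    const char *name;
    int server;                  /* non-zero when the server side is supported */
    struct authenticator *next;
} AUTHENTICATOR;

/* Constructed stand-in for the real authenticator list (assumed names). */
static AUTHENTICATOR auth_cram  = { "CRAM-MD5", 1, NULL };
static AUTHENTICATOR auth_login = { "LOGIN",    1, &auth_cram };
static AUTHENTICATOR *mailauthenticators = &auth_login;

/* Bytes the original strcpy() would write past the end of tmp[] for a
 * mechanism of the given length: 0 when it fits, NUL terminator included. */
size_t overflow_bytes(size_t mechanism_len)
{
    return mechanism_len + 1 > MAILTMPLEN ? mechanism_len + 1 - MAILTMPLEN : 0;
}

/* Hardened lookup: the same upper-case-then-compare logic as mail_auth(), but
 * the length is checked before anything is copied into tmp[]. Returns the
 * matching authenticator's name or NULL; *rejected (if given) is set when the
 * input was refused for being too long. */
const char *mail_auth_hardened(const char *mechanism, int *rejected)
{
    char tmp[MAILTMPLEN];
    size_t len = strlen(mechanism);

    if (rejected) *rejected = 0;
    if (len >= sizeof tmp) {            /* would not fit with its NUL: refuse it */
        if (rejected) *rejected = 1;
        return NULL;
    }
    for (size_t i = 0; i < len; i++)    /* bounded upper-case copy */
        tmp[i] = (char) toupper((unsigned char) mechanism[i]);
    tmp[len] = '\0';

    for (AUTHENTICATOR *a = mailauthenticators; a; a = a->next)
        if (a->server && strcmp(a->name, tmp) == 0)
            return a->name;
    return NULL;                        /* no authenticator found */
}

static int ci_equal(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (toupper((unsigned char) *a) != toupper((unsigned char) *b)) return 0;
    return *a == *b;
}

/* Pull the mechanism argument out of an IMAP line "tag AUTHENTICATE mech\r\n"
 * (edited in place). Returns NULL if it is not an AUTHENTICATE command. */
char *authenticate_arg(char *line)
{
    char *nl = strpbrk(line, "\r\n");
    if (nl) *nl = '\0';
    char *sp = strchr(line, ' ');       /* skip the tag */
    if (!sp) return NULL;
    char *cmd = sp + 1;
    sp = strchr(cmd, ' ');
    if (!sp) return NULL;
    *sp = '\0';
    return ci_equal(cmd, "AUTHENTICATE") ? sp + 1 : NULL;
}

/* A legitimate client line (constructed): should resolve to LOGIN. */
const char *demo_legit(void)
{
    char line[] = "a001 AUTHENTICATE login\r\n";
    char *mech = authenticate_arg(line);
    return mech ? mail_auth_hardened(mech, NULL) : NULL;
}

/* An attacker line (constructed) whose mechanism fills the whole 8192-byte
 * command buffer: prefix + mechanism + CRLF + NUL == TMPLEN. */
#define ATTACK_PREFIX   "a002 AUTHENTICATE "
#define ATTACK_MECH_LEN (TMPLEN - (sizeof ATTACK_PREFIX - 1) - 3)

int demo_attack_rejected(void)
{
    static char line[TMPLEN];
    memcpy(line, ATTACK_PREFIX, sizeof ATTACK_PREFIX - 1);
    memset(line + sizeof ATTACK_PREFIX - 1, 'A', ATTACK_MECH_LEN);
    memcpy(line + sizeof ATTACK_PREFIX - 1 + ATTACK_MECH_LEN, "\r\n", 3);
    int rejected = 0;
    mail_auth_hardened(authenticate_arg(line), &rejected);
    return rejected;
}

int main(void)
{
    printf("legit client:  mechanism %s\n", demo_legit());
    printf("attacker line: rejected=%d, strcpy() would have overflowed tmp by %zu bytes\n",
           demo_attack_rejected(), overflow_bytes(ATTACK_MECH_LEN));
    return 0;
}
```

The check is deliberately `len >= sizeof tmp` rather than `len > MAILTMPLEN`: the terminating NUL needs a byte too, so a 1024-character name is already one byte too many for the original strcpy().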
Versions of imapd up to and including 10.234 are vulnerable to this attack. Information on patching your imapd is available from CERT at http://www.cert.org/advisories/CA-98.09.imapd.html