Cyrus IMAPD POP3D 远程栈溢出漏洞

CNNVD-ID编号 CNNVD-200605-385
CVE编号 CVE-2006-2502
发布时间 2006-05-22
更新时间 2006-05-22
漏洞类型 缓冲区溢出
漏洞来源 kcope kingcope@gmx.net
危险等级 中危
威胁类型 远程
厂 商 cyrus

漏洞介绍

Cyrus IMAP Server是一款免费开放源代码Interactive Mail Access Protocol (IMAP)协议实现,可使用在Unix和Linux操作系统下。

Cyrus-imapd的pop3d中存在远程溢出漏洞。如果在imapd.conf中Cyrus-imapd将popsubfolders设置为1的话,则攻击者就可以通过向远程pop3d发送超长的USER命令参数触发栈溢出。

在cyrus-imapd-2.3.2/imap/pop3d.c中,每次向pop3 server提供USER命令时都会调用pop3d_canon_user,ulen=0。在char userbuf[MAX_MAILBOX_NAME+1], *p;

...

if (!ulen) ulen = strlen(user);

...

memcpy(userbuf, user, ulen);

userbuf[ulen] = \'\'\0\'\';

这个例程中没有执行长度检查,如果user大于MAX_MAILBOX_NAME+1的话,memcpy就会溢出userbuf缓冲区。

--- snip ---static int popd_canon_user(sasl_conn_t *conn, void *context,

const char *user, unsigned ulen,

unsigned flags, const char *user_realm,

char *out, unsigned out_max, unsigned *out_ulen)

{

char userbuf[MAX_MAILBOX_NAME+1], *p;

size_t n;

int r;

if (!ulen) ulen = strlen(user);

if (config_getswitch(IMAPOPT_POPSUBFOLDERS)) {

/* make a working copy of the auth[z]id */

memcpy(userbuf, user, ulen);

userbuf[ulen] = \'\'\0\'\';

user = userbuf;

/* See if we\'\'re trying to access a subfolder */

if ((p = strchr(userbuf, \'\'+\'\'))) {

n = config_virtdomains ? strcspn(p, \"@\") : strlen(p);

if (flags & SASL_CU_AUTHZID) {

/* make a copy of the subfolder */

if (popd_subfolder) free(popd_subfolder);

popd_subfolder = xstrndup(p, n);

}

/* strip the subfolder from the auth[z]id */

memmove(p, p+n, strlen(p+n)+1);

ulen -= n;

}

}

r = mysasl_canon_user(conn, context, user, ulen, flags, user_realm,

out, out_max, out_ulen);

if (!r & & popd_subfolder & & flags == SASL_CU_AUTHZID) {

/* If we\'\'re only doing the authzid, put back the subfolder

in case its used in the challenge/response calculation */

n = strlen(popd_subfolder);

if (*out_ulen + n > out_max) {

sasl_seterror(conn, 0, \"buffer overflow while canonicalizing\");

r = SASL_BUFOVER;

}

else {

p = (config_virtdomains & & (p = strchr(out, \'\'@\'\'))) ?

p : out + *out_ulen;

memmove(p+n, p, strlen(p)+1);

memcpy(p, popd_subfolder, n);

*out_ulen += n;

}

}

return r;

}

--- snip ---

漏洞补丁

目前厂商还没有提供补丁或者升级程序,建议使用此软件的用户随时关注厂商的主页以获取最新版本: http://asg.web.cmu.edu/cyrus/

参考网址

受影响实体

信息来源