German | English
n.runs AG - Company
 
 
n.runs AG
Services by n.runs
IT INFRASTRUCTURE
IT SECURITY
IT BUSINESS CONSULTING
IT SOFTWARE

n.runs AG
Nassauer Straße 60
D-61440 Oberursel
Phone: +49 (0) 6171/699-0
Fax: +49 (0) 6171/699-199
E-mail: contact@nruns.com
Newsletter signup
Imprint

n.runs-SA-2003.001 Cyrus IMSP - Buffer overflow in address book handling

n.runs GmbH
http://www.nruns.com
n.runs-SA-2003.001

security(at)nruns.com
28-Oct-2003

* * *

Vendor: Andrew Systems Group, Carnegie Mellon University
Product: Cyrus IMSP
Vulnerability: Buffer overflow in address book handling
Risk: HIGH

Vendor communication:

Overview:
Cyrus IMSP is a implementation of the IMSP protocol [2].

"The Internet Message Support Protocol (IMSP) is designed to support the provision of mail in a medium to large scale operation. It is intended to be used as a companion to the IMAP4 protocol [IMAP4], providing services which are either outside the scope of mail access or which pertain to environments which must run more than one IMAP4 server in the same mail domain. The services that IMSP provides are extended mailbox management, configuration options, and address books."

There is a remotely exploitable buffer overflow in the Cyrus IMSPd. The vulnerability can be triggered before authentication. The IMSP daemon is required to run as root.

Description:
In the function abook_dbname, a sprintf() call takes place. The function takes two char pointers (dbname and name), which are later used in the sprintf() call:

  sprintf(dbname, abookdb, ownerlen, name, name);

abookdb is defined as

  static char abookdb[] = "user/%.*s/abook.%s";

Several functions in the code use abook_dbname() and supply a local char buffer of 256 bytes as first argument to the function. Since the second argument "name" is controlled by the user in serveral protocol messages [2], a remotely exploitable buffer overflow is created.

Example:
  nruns@testbox:~$ ./CyRootIMSP.pl localhost 406
  [...]
  Found suitable return address 0xBFFF95D3
  +++ Exploitation successful: uid=0(root) gid=0(root)
  groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)


Solution:
The updated software versions are available from http://cyrusimap.web.cmu.edu.

Credit:
Bug found by Felix Lindner and Michael Guenther of n.runs GmbH.
Additional credits to Steffen Weinreich for support during research.

Greets to Halvar, Johnny Cyberpunk, all@EEye

References:
[1] http://asg.web.cmu.edu/cyrus/download/
[2] http://asg.web.cmu.edu/cyrus/rfc/imsp.html


Unaltered electronic reproduction of this advisory is permitted. For all other reproduction or publication, in printing or otherwise, contact security@nruns.com for permission. Use of the advisory constitutes acceptance for use in an "as is" condition. All warranties are excluded. In no event shall n.runs be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if n.runs has been advised of the possibility of such damages.

Copyright 2003 n.runs GmbH. All rights reserved. Terms of apply.
Penetration Test
 

27 Oct 2008:
Advisory: Eaton MGE OPS Network Shutdown Moduleauthentication bypass and code execution

* * *

21 Oct 2008:
Advisory: Internet Explorer HTML Object Memory Corruption

* * *

30 September 2008:
Corporate News
Figures from the first half of 2008 confirm expansion
+++ Revenues increase by around 30 percent to EUR 3.32m EBITDA improved
+++ by EUR 0.27m to EUR -0.35m Profit impacted by software investments,
+++ consulting profitable Outlook 2008


* * *

17 Sep 2008:
Corporate News
Microsoft selects n.runs as a member of the new program Microsoft Secure Development Lifecycle Pro Network
+++ n.runs AG exclusive member of Microsoft SDL Pro Network
+++ Only member of the MS SDL Pro Network on the European mainland
+++ Medium-term contribution to revenues in excess of 10 percent planned
* * *

10 Sep 2008:
Advisory alert:
Cross-Site Scripting Filter Evasion in various frameworks

* * *

10 Sep 2008:
Advisory alert: 
Horde Framework Cross-Site Scripting in filename MIME attachments

* * *

26 Aug 2008:
Press-release
IT Security for Governments and Military Organizations:
n.runs and Thales Now Co-operating


* * *

25 Aug 2008:
Press-release
Growing threat:
serious attacks on E-Mail-/AV systems constantly increasing n.runs introduces aps-AV – Protective cover for antivirus software


* * *

01 Aug 2008:
Advisory alert:  
MacOS X - CoreServices Framework's CarbonCore FrameworkArbitrary Code Execution