University of Washington IMAP Toolkit, University of Washington Alpine, and Panda IMAP tmail and dmail program buffer overflow
| uwimapd-multiple-bo (46281) |  High Risk |
Description:
University of Washington IMAP Toolkit, University of Washington Alpine, and Panda IMAP are vulnerable to multiple stack-based buffer overflows, caused by improper bounds checking by the tmail and dmail programs. An attacker could exploit this locally using a long folder extension argument on the command line to the tmail or dmail program to gain privileges, or exploit this remotely by sending e-mail to a destination mailbox name composed of a username and "+" character followed by a long string to overflow a buffer and execute arbitrary code on the system.
*CVSS:
| Base Score: | 6.8 |
| Access Vector: | Network |
| Access Complexity: | Medium |
| Authentication: | None |
| Confidentiality Impact: | Partial |
| Integrity Impact: | Partial |
| Availability Impact: | Partial |
| Temporal Score: | 5 |
| Exploitability: | Unproven |
| Remediation Level: | Official-Fix |
| Report Confidence: | Confirmed |
Consequences:
Gain Privileges
Remedy:
Upgrade to the latest version of UW-imapd (2007d or later), available from the IMAP FTP site. See References.
References:
- IMAP FTP site: Index of ftp://ftp.cac.washington.edu/imap/.
- Imap-uw Mailing List, Fri Oct 31 09:50:43 PDT 2008: Security bug in tmail and dmail.
- Imap-uw Mailing List, Fri Oct 31 10:43:03 PDT 2008: Security bug in tmail and dmail.
- ASA-2009-065: imap security update (RHSA-2009-0275)
- BID-32072: University of Washington IMAP 'tmail' and 'dmail' Local Buffer Overflow Vulnerabilities
- CVE-2008-5005: Multiple stack-based buffer overflows in (1) University of Washington IMAP Toolkit 2002 through 2007c, (2) University of Washington Alpine 2.00 and earlier, and (3) Panda IMAP allow (a) local users to gain privileges by specifying a long folder extension argument on the command line to the tmail or dmail program; and (b) remote attackers to execute arbitrary code by sending e-mail to a destination mailbox name composed of a username and '+' character followed by a long string, processed by the tmail or possibly dmail program.
- DSA-1685: uw-imap -- buffer overflows
- MDVSA-2009:064: imap
- MDVSA-2009:146: imap
- MDVSA-2009:146-1: imap
- RHSA-2009-0275: Moderate: imap security update
- SA32483: UW-imapd "tmail" and "dmail" Buffer Overflow Vulnerabilities
- SECTRACK ID: 1021131: UW-IMAP tmail/dmail Folder Name Buffer Overflow Lets Local Users Gain Elevated Privileges
Platforms Affected:
- Debian Debian Linux 4.0
- MandrakeSoft Mandrake Linux 2008.0 X86_64
- MandrakeSoft Mandrake Linux 2008.0
- MandrakeSoft Mandrake Linux 2008.1
- MandrakeSoft Mandrake Linux 2008.1 X86_64
- MandrakeSoft Mandrake Linux Corporate Server 3.0
- MandrakeSoft Mandrake Linux Corporate Server 3.0 X86_64
- MandrakeSoft Mandrake Linux Corporate Server 4.0 X86_64
- MandrakeSoft Mandrake Linux Corporate Server 4.0
- Mandriva Linux 2009.0
- Mandriva Linux 2009.0 X86_64
- Panda Programming IMAP
- RedHat Enterprise Linux 3 AS
- RedHat Enterprise Linux 3 WS
- RedHat Enterprise Linux 3 ES
- RedHat Enterprise Linux 3 Desktop
- Turbolinux Turbolinux 10 Server
- Turbolinux Turbolinux 10 Server x64 Ed
- Turbolinux Turbolinux 11 Server
- Turbolinux Turbolinux 11 Server x64 Ed
- Turbolinux Turbolinux Appliance Server 2.0
- University Of Washington Alpine 0.80
- University Of Washington Alpine 0.81
- University Of Washington Alpine 0.82
- University Of Washington Alpine 0.83
- University Of Washington Alpine 0.98
- University Of Washington Alpine 0.99
- University Of Washington Alpine 0.999
- University Of Washington Alpine 0.9999
- University Of Washington Alpine 0.99999
- University Of Washington Alpine 0.999999
- University Of Washington Alpine 1.00
- University Of Washington Alpine 1.10
- University Of Washington Alpine 2.00
- University Of Washington IMAP Toolkit 2002
- University Of Washington IMAP Toolkit 2003
- University Of Washington IMAP Toolkit 2004
- University Of Washington IMAP Toolkit 2005
- University Of Washington IMAP Toolkit 2006
- University Of Washington IMAP Toolkit 2007
- University Of Washington IMAP Toolkit 2007c
- University of Washington UW IMAP
Reported:
Oct 31, 2008
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net
* According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall IBM be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.