Additional information

  File system access in imap-uw (privilege escalation)

From: 3APA3A <3APA3A_(at)_security.nnov.ru>
Date: June 1, 2002
Subject: SECURITY.NNOV: Courier CPU exhaustion + bonus on imap-uw

Imap-uw allows a user to access any file he could access locally. It's
not a bug, it's insecurity by design. According to the vendor's web FAQ
(this is not mentioned in the FAQ inside the program distribution):


5.1  I  see  that the IMAP server allows access to arbitrary files on the
system, including /etc/passwd! How do I disable this?

You  should  not  worry about this if your IMAP users are allowed shell
access.  The  IMAP  server does not permit any access that the user can
not have via the shell. If, and only if, you deny your IMAP users shell
access,  you may want to consider one of three choices. Note that these
choices  reduce  IMAP  functionality,  and  may  have  undesirable side
effects.   Each   of   these   choices   involves   an   edit  to  file

The  first  (and recommended) choice is to set restrictBox as described
in  file  CONFIG.  This  will disable access to the filesystem root, to
other users' home directory, and to superior directory.

The second (and strongly NOT recommended) choice is to set closedBox as
described  in file CONFIG. This puts each IMAP session into a so-called
"chroot  jail", and thus setting this option is extremely dangerous; it
can  make  your  system  much  less  secure and open to root compromise
attacks.  So  do  not use this option unless you are absolutely certain
that you understand all the issues of a "chroot jail."

The  third  choice  is  to  rewrite  routine mailboxfile() to implement
whatever   mapping   from   mailbox   name   to  filesystem  name  (and
restrictions)  that  you  wish.  This  is the most general choice. As a
guide,  you  can  see  at  the  start of routine mailboxfile() what the
restrictBox choice does.


It should be noted that neither restrictBox nor closedBox is described
in file CONFIG at all (as of imap-2001a)... And even if you are smart
enough to check the FAQ on the web site after you have read the FAQ in
the source distribution, restrictBox can be bypassed on any Windows
build (for example http://sourceforge.net/projects/uw-imap-cygwin/)
because the '\\' symbol is never checked. Hope nobody uses UW under NT
or a version from an OS ports distribution in a production environment,
because as far as I can see port maintainers do not change the value of
closedBox

Quite a dangerous default feature anyway, because some providers use
imap-uw to allow IMAP access for customers.
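
The kind of name check a rewritten mailboxfile() mapping (the FAQ's third choice) would need so that the three restrictBox restrictions also hold on a Windows build, as an added example that is not UW imap code and not part of the original advisory. All function names are hypothetical, and rejecting ':' as a drive prefix is an assumption that goes beyond the '\\' case the advisory mentions.

```c
/* Added illustration, not UW imap source; function names are hypothetical. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

static bool is_sep(char c, bool win)
{
    return c == '/' || (win && c == '\\');   /* '\\' separates only on Windows */
}

/* True if a client-supplied mailbox name stays below the user's mail
 * directory: no filesystem root, no ~user home, no ".." component. */
static bool name_allowed(const char *name, bool win)
{
    size_t i = 0;

    if (name == NULL || *name == '\0' || is_sep(name[0], win))
        return false;                         /* empty or rooted name */
    if (win && strchr(name, ':') != NULL)
        return false;                         /* drive prefix such as "C:" (assumption) */
    while (name[i] != '\0') {
        size_t start = i;
        while (name[i] != '\0' && !is_sep(name[i], win))
            i++;
        size_t len = i - start;
        if (len == 0 || name[start] == '~')
            return false;                     /* "a//b" or "~user" */
        if (len == 2 && name[start] == '.' && name[start + 1] == '.')
            return false;                     /* superior directory */
        if (name[i] != '\0')
            i++;                              /* step over the separator */
    }
    return true;
}

bool mailbox_allowed_posix(const char *name)   { return name_allowed(name, false); }
bool mailbox_allowed_windows(const char *name) { return name_allowed(name, true); }

int main(void)
{
    /* Constructed sample names, not taken from the advisory. */
    const char *samples[] = { "mail/lists", "../other/mbox", "..\\other\\mbox" };
    for (size_t k = 0; k < sizeof samples / sizeof samples[0]; k++)
        printf("%-16s posix=%d windows=%d\n", samples[k],
               mailbox_allowed_posix(samples[k]),
               mailbox_allowed_windows(samples[k]));
    return 0;
}
```

The third sample is the case the advisory describes: a check that knows only '/' accepts the name, while the same check with '\\' treated as a separator rejects it.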

I don't know of any utilities to access the filesystem via imap-uw, so I
decided to write my own. You can download

it includes:

 imapget.c - to retrieve file via imap-uw, usage example:
   imapget imap.host.name /etc/passwd > passwd
   it should work for both text and binary files.

 imapls.c - to get a file listing, usage example:
   imapls imaphostname /tmp/\* > ls-tmp

 imaprm.c, imapmkdir.c - hope you catch the idea.

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod