SECURITYVULNS:DOC:3021
Jun 01, 2002 - 12:00 a.m.

SECURITY.NNOV: Courier CPU exhaustion + bonus on imap-uw


Imap-uw allows a user to access any file he could access locally. It's not
a bug; it's insecurity by design. According to the vendor's web FAQ (this is
not mentioned in the FAQ inside the program distribution):

-=-=-=-=-=-=-

5.1 I see that the IMAP server allows access to arbitrary files on the
system, including /etc/passwd! How do I disable this?

You should not worry about this if your IMAP users are allowed shell
access. The IMAP server does not permit any access that the user can
not have via the shell. If, and only if, you deny your IMAP users shell
access, you may want to consider one of three choices. Note that these
choices reduce IMAP functionality, and may have undesirable side
effects. Each of these choices involves an edit to file
src/osdep/unix/env_unix.c

The first (and recommended) choice is to set restrictBox as described
in file CONFIG. This will disable access to the filesystem root, to
other users' home directory, and to superior directory.

The second (and strongly NOT recommended) choice is to set closedBox as
described in file CONFIG. This puts each IMAP session into a so-called
"chroot jail", and thus setting this option is extremely dangerous; it
can make your system much less secure and open to root compromise
attacks. So do not use this option unless you are absolutely certain
that you understand all the issues of a "chroot jail."

The third choice is to rewrite routine mailboxfile() to implement
whatever mapping from mailbox name to filesystem name (and
restrictions) that you wish. This is the most general choice. As a
guide, you can see at the start of routine mailboxfile() what the
restrictBox choice does.

-=-=-=-=-=-

It should be noted that neither restrictBox nor closedBox is described in
file CONFIG at all (as of imap-2001a)… And even if you are smart enough to
check the FAQ on the web site after you have read the FAQ in the source
distribution, restrictBox can be bypassed on any Windows build (for
example http://sourceforge.net/projects/uw-imap-cygwin/) because the '\\'
symbol is never checked. Hope nobody uses UW under NT or a version from an
OS ports distribution in a production environment, because as far as I can
see port maintainers do not change the value of closedBox :).
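
The restrictBox gap described above, sketched as an added example (not UW IMAP's code and not part of the original advisory): a mailbox-name check built from the FAQ's three restrictions, where the `windows` argument decides whether `\` counts as a path separator. The function and constant names are hypothetical, and the drive-letter test is an extra assumption beyond what the advisory mentions.

```c
#include <stdio.h>

/* Hypothetical flag bits modeled on the FAQ's description of restrictBox;
 * these are not UW IMAP's own definitions. */
#define DENY_ROOT      1  /* name starts at the filesystem root        */
#define DENY_OTHERUSER 2  /* "~user" name (another user's home dir)    */
#define DENY_SUPERIOR  4  /* ".." component (superior directory)       */

static int is_sep(char c, int windows) {
    return c == '/' || (windows && c == '\\');
}

/* Returns 0 if the mailbox name is acceptable, otherwise the DENY_* bit
 * that rejected it. With windows == 0 only '/' is treated as a separator,
 * which is the unchecked-backslash condition the advisory reports. */
int check_mailbox_name(const char *name, int windows) {
    const char *p = name;
    if (is_sep(name[0], windows)) return DENY_ROOT;
    /* Assumption added here: drive-qualified names ("C:...") are rooted. */
    if (windows && name[0] && name[1] == ':') return DENY_ROOT;
    if (name[0] == '~' && name[1] && !is_sep(name[1], windows))
        return DENY_OTHERUSER;
    while (*p) {                      /* walk the name one component at a time */
        const char *end = p;
        while (*end && !is_sep(*end, windows)) end++;
        if (end - p == 2 && p[0] == '.' && p[1] == '.') return DENY_SUPERIOR;
        p = *end ? end + 1 : end;
    }
    return 0;
}

int main(void) {
    /* Constructed sample names, not taken from the advisory. */
    const char *names[] = { "INBOX", "mail/../x", "mail\\..\\x" };
    for (int i = 0; i < 3; i++)
        printf("%-12s slash-only=%d both-separators=%d\n", names[i],
               check_mailbox_name(names[i], 0),
               check_mailbox_name(names[i], 1));
    return 0;
}
```

A check written only for `/` accepts the third name as a single harmless component; the same check with both separators rejects it.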

This is quite a dangerous default feature anyway, because some providers
use imap-uw to allow IMAP access for customers.

I don't know any utilities to access filesystem via imap-uw, so I
decided to write my own. You can download
http://www.security.nnov.ru/imaptools.tgz.

It includes:

imapget.c - to retrieve a file via imap-uw, usage example:
imapget imap.host.name /etc/passwd > passwd
It should work for both text and binary files.

imapls.c - to get a file listing, usage example:
imapls imaphostname /tmp/\* > ls-tmp

imaprm.c, imapmkdir.c - hope you catch the idea.