Title: Univ. Of Washington imapd Buffer Overflow Vulnerabilities
Severity: HIGH
Description:
A buffer overflow exists in imapd. The vulnerability exists in the list command. By supplying a long, well-crafted string as the second argument to the list command, it becomes possible to execute code on the machine.
Executing the list command requires an account on the machine. In addition, privileges have been dropped in imapd prior to the location of the buffer overrun. As such, this vulnerability would only be useful in a scenario where a user has an account, but no shell level access. This would allow them to gain shell access.
Overflows have also been found in the COPY, LSUB, RENAME and FIND command. All of these, like the LIST command, require a login on the machine.
** UPDATE: Exploit code has been released which exploits the vulnerability in the LSUB command to execute arbitrary instructions. The code was designed to exploit this issue on Red Hat systems (specifically versions of IMAP4rev1 prior to v10.234 on Red Hat 7.0).
Affected Products:
- University of Washington imapd 10.234.0
- University of Washington imapd 12.264.0
Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.
