Note: The red stoplight on this page indicates the highest possible severity level for this category of vulnerabilities. The severity level in this instance is indicated by the colored dot next to the link to this tutorial on the previous page.
POP (Post Office Protocol) was designed to support offline mail processing. That is, the client connects to the server to download mail that the server is holding for the client. The mail is deleted from the server and is handled offline (locally) on the client machine.
CVE-1999-0005, CVE-1999-0042
In the implementation of the IMAP protocol on a UNIX system, the server must run with root privileges so it can access mail folders and undertake some file manipulation on behalf of the user logging in. After login, these privileges are discarded. However, in at least the University of Washington's implementation, a vulnerability exists in the way the login transaction is handled. This vulnerability can be exploited to gain privileged access on the server. By transmitting carefully crafted text to a system running a vulnerable version of this server, remote users may be able to cause a buffer overflow and execute arbitrary instructions with root privileges.
Vulnerable versions of IMAP include the University of Washington implementations prior to IMAP4rev1 version 10.234, and all beta versions of IMAP4rev1.
2/26/01
5/22/02
CAN-2001-0691, CVE-2002-0379
In addition to the above vulnerability, which allows remote root access, two other buffer overflows exist that could allow any user with an e-mail account on the system to gain a user shell. An authenticated user who is normally allowed only to check e-mail could thereby execute arbitrary commands with the privileges of that user's account.
University of Washington versions of IMAP4rev1 prior to 2001 are affected by this vulnerability. Versions 2001 and 2001a are also vulnerable if compiled with RFC 1730 support, but most installations are not.
12/9/02
Cyrus IMAP servers contain a buffer overflow vulnerability that can be exploited remotely. The login string provided by the user is stored in a buffer whose size is computed as the length of the input string plus two bytes. However, the length of the string is not checked, so a sufficiently long string causes that addition to overflow the integer. Only one byte is then allocated for the string, and a buffer overflow results. Because this overflow occurs while the login string is processed, before authentication, it can be exploited by a remote attacker without an account on the system.
Cyrus versions prior to 2.0.17 and versions 2.1 through 2.1.10 are affected by this vulnerability.
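The size computation the Cyrus paragraph describes, shown as an added example rather than Cyrus's own code: an unchecked `len + 2` next to a version that rejects any length whose addition would wrap and also caps login strings at a constructed limit (`MAX_LOGIN_LEN` is an assumption for illustration, not a value from the advisory). The sample input is constructed; the wrap is demonstrated arithmetically, so nothing large is actually allocated.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed policy limit for this example: login strings are short,
 * so anything beyond this is rejected before any allocation happens. */
#define MAX_LOGIN_LEN 1024

/* Unchecked pattern as described in the advisory: buffer size is the
 * input length plus two bytes. When len is SIZE_MAX the addition wraps
 * and the result is 1, so only one byte would be allocated. */
size_t unchecked_alloc_size(size_t len) {
    return len + 2;
}

/* Hardened version. Returns 1 and writes the size to *out on success,
 * 0 if the length is rejected. The first test is the direct fix for the
 * wrap; the second is defence in depth for a field that has no business
 * being large. */
int checked_alloc_size(size_t len, size_t *out) {
    if (len > SIZE_MAX - 2)        /* len + 2 would wrap around */
        return 0;
    if (len > MAX_LOGIN_LEN)       /* policy limit on login-string length */
        return 0;
    *out = len + 2;
    return 1;
}

/* Copy a login string into a fresh buffer with the two padding bytes the
 * advisory mentions (used here as a terminator plus one spare byte).
 * Returns NULL if the length is rejected or allocation fails. */
char *copy_login(const char *input, size_t len) {
    size_t need;
    if (!checked_alloc_size(len, &need))
        return NULL;
    char *buf = malloc(need);
    if (buf == NULL)
        return NULL;
    memcpy(buf, input, len);
    buf[len] = '\0';
    buf[len + 1] = '\0';
    return buf;
}

int main(void) {
    /* Constructed inputs: one hostile length, one ordinary login. */
    size_t hostile = SIZE_MAX;
    size_t out = 0;
    printf("unchecked: len=%zu -> would allocate %zu byte(s)\n",
           hostile, unchecked_alloc_size(hostile));
    printf("checked:   len=%zu -> %s\n", hostile,
           checked_alloc_size(hostile, &out) ? "accepted" : "rejected");

    const char login[] = "alice@example.test";
    char *copy = copy_login(login, strlen(login));
    printf("copy of normal login: %s\n", copy ? copy : "(rejected)");
    free(copy);
    return 0;
}
```

The length check belongs where the size is computed, not where the copy happens: once `need` has wrapped, every later `memcpy` is already operating on a buffer that is far too small.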
Until you can take one of the above actions, temporarily disable the IMAP service. On many systems, you will need to edit the /etc/inetd.conf file; however, check your vendor's documentation, because systems vary in file location and in the exact changes required (for example, sending the inetd process a HUP signal, or killing and restarting the daemon). If you are not able to temporarily disable the IMAP service, then you should at least limit access to the vulnerable services to machines in your local network. This can be done by installing TCP wrappers, not only for logging but also for access control. Note: even with access control via TCP wrappers, you remain vulnerable to attacks from hosts that are allowed to connect to the vulnerable IMAP service.
The Cyrus vulnerability was reported to Bugtraq.