File: 1755.txt

package info (click to toggle)
snort 2.9.7.0-5
  • links: PTS, VCS
  • area: main
  • in suites: buster, sid, stretch
  • size: 55,000 kB
  • ctags: 38,464
  • sloc: ansic: 266,667; sh: 12,508; makefile: 2,908; yacc: 497; perl: 496; lex: 261; sed: 14
file content (60 lines) | stat: -rw-r--r-- 2,017 bytes parent folder | download | duplicates (6)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
Rule:

--
Sid:
1755

--
Summary:
This event is generated when a remote authenticated user sends a malformed request for partial mailbox attributes to an internal IMAP server, indicating an attempt to exploit a buffer overflow vulnerability in some versions of IMAP.

--
Impact:
Remote execution of arbitrary code, possible denial of service. The attacker must have a valid IMAP account to attempt this exploit.

--
Detailed Information:
Versions of University of Washington imapd that are compiled with RFC 1730 support contain a vulnerability where an authenticated user can send a malformed request for partial mailbox attributes to the IMAP server, causing a buffer overflow condition. The attacker can then run arbitrary code on the server or crash the server completely.    

--
Affected Systems:
Any operating system running University of Washington imapd compiled with RFC 1730 support, which includes the following versions of University of Washington imapd:
2000.0
2000.0a
2000.0b
2000.0c
2001.0
2001.0a

--
Attack Scenarios:
An attacker with a valid user account sends a malformed request for partial mailbox attributes, causing a buffer overflow condition. The attacker can then execute arbitrary code on the server or can crash the mail server.

--
Ease of Attack:
Simple. Exploits exist, but the attacker must have a valid account on the IMAP server.

--
False Positives:
None known.

--
False Negatives:
None known.

--
Corrective Action:
Upgrade University of Washington imapd to 2002.0 or higher, or apply the patch for your current version of UW IMAP appropriate to your operating system. The University of Washington has provided patches that address this vulnerability, and affected operating system vendors have distributed patches for their specific implementations of UW IMAP.

--
Contributors:
Original rule written by Brian Caswell <bmc@sourcefire.com>
Sourcefire Research Team
Sourcefire Technical Publications Team
Jen Harvey <jennifer.harvey@sourcefire.com>

--
Additional References:


--