LWN.net: [GSA2001-01] PHP IMAP overflow fix problems

Date:         Mon, 5 Mar 2001 13:15:53 +0000
From: pre <pre@GEEKGANG.CO.UK>
Subject:      [GSA2001-01] PHP IMAP overflow fix problems
To: BUGTRAQ@SECURITYFOCUS.COM

This is a multi-part message in MIME format.
--------------68F37704A906E5C477BFCC4B
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit

              geekgang Security Advisory [gsa2001-01]

                        [www.geekgang.co.uk]
                      © Copyright 2001 geekgang

ID:             geekgang GSA2001-01 01 v1.0
Topic:          PHP IMAP overflow fix problems
Status:         Released 5th March, 2001
Author:         pre

[Abstract]
PHP 4.0.4 contains a fix for a buffer overflow in the imap module.
Unfortunately this fix breaks the imap module under some circumstances
due to its interaction with the WU c-client library which PHP uses to
implement the imap protocol.

[Description]
The imap module in PHP contained a buffer overflow in versions prior
to 4.0.4, due to improper use of strcpy(). The fix in 4.0.4 resolves
the strcpy() problem, but causes the imap module to fail under some
circumstances. For example, the IMP WebMail system fails to work
correctly under 4.0.4, so PHP 4.0.3 is extensively deployed for use
with IMP.

A number of WebMail systems are likely to be vulnerable to this issue.

The PHP imap module relies on the WU c-client library to actually
perform imap (and POP3, NNTP and local mailbox) requests.
Additionally, the c-client library uses callbacks into PHP in order to
ascertain the username and password for the requested connection.

The patch in PHP 4.0.4 changed the behavior of the imap module such
that the username and password is no longer stored beyond the initial
imap_open() call. However, the c-client library may still call the
callback function to retrieve the username and password outside of
this call, which then returns garbage data. For example, the
imap_reopen() function triggers this call sequence.

This issue appears to be fixed in the current CVS version of PHP (I
haven't tested it, just looked at the code).

The gsa2001-01.diff patch against php-4.0.4pl1 reverts the imap module
to 4.0.3 behavior, without reintroducing the buffer overflow.

[Time-line]
20010226 Draft v0.1
20010226 Sent to Andi Gutmans (PHP) and  <security@horde.org> (IMP)
for comment
20010305 Release v1.0

[Disclaimer]
THE INFORMATION CONTAINED IN THIS ADVISORY IS BELIEVED TO BE ACCURATE,
BUT NO REPRESENTATION OR WARRANTY IS GIVEN, EXPRESS OR IMPLIED, AS TO
ITS ACCURACY OR COMPLETENESS. NEITHER THE AUTHOR NOR THE PUBLISHER
ACCEPTS ANY LIABILITY WHATSOEVER FOR ANY DIRECT, INDIRECT OR
CONSEQUENTIAL LOSS OR DAMAGE ARISING IN ANY WAY FROM ANY USE OF, OR
RELIANCE PLACED ON THIS INFORMATION FOR ANY PURPOSE. THIS ADVISORY MAY
BE REDISTRIBUTED PROVIDED THAT NO FEE IS ASSIGNED AND THAT THE
ADVISORY IS NOT MODIFIED IN ANY WAY.


--------------68F37704A906E5C477BFCC4B
Content-Type: text/plain; charset=us-ascii; name="gsa2001-01.diff"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline; filename="gsa2001-01.diff"

diff -ru php-4.0.4pl1/ext/imap/php_imap.c php-4.0.4pl1-patched/ext/imap/php_imap.c
--- php-4.0.4pl1/ext/imap/php_imap.c	Wed Oct 25 18:43:52 2000
+++ php-4.0.4pl1-patched/ext/imap/php_imap.c	Mon Feb 26 13:17:08 2001
@@ -371,8 +371,8 @@

 static void php_imap_init_globals(zend_imap_globals *imap_globals)
 {
-	imap_globals->imap_user=NIL;
-	imap_globals->imap_password=NIL;
+	imap_globals->imap_user[0] = 0;
+	imap_globals->imap_password[0] = 0;
 	imap_globals->imap_folders=NIL;
 	imap_globals->imap_sfolders=NIL;
 	imap_globals->imap_alertstack=NIL;
@@ -633,8 +633,11 @@
 		}
 	}

-	IMAPG(imap_user)     = estrndup(Z_STRVAL_PP(user), Z_STRLEN_PP(user));
-	IMAPG(imap_password) = estrndup(Z_STRVAL_PP(passwd), Z_STRLEN_PP(passwd));
+	strncpy(IMAPG(imap_user), Z_STRVAL_PP(user), IMAPSTRLEN);
+	strncpy(IMAPG(imap_password), Z_STRVAL_PP(passwd), IMAPSTRLEN);
+
+ 	IMAPG(imap_user)[IMAPSTRLEN-1] = 0;
+	IMAPG(imap_password)[IMAPSTRLEN-1] = 0;
 	
 #ifdef OP_RELOGIN
 	/* AJS: persistent connection handling */
@@ -766,8 +769,6 @@
 	} else {
 #endif
 		imap_stream = mail_open(NIL, Z_STRVAL_PP(mailbox), flags);
-		efree(IMAPG(imap_user));
-		efree(IMAPG(imap_password));

 		if (imap_stream == NIL) {
 			php_error(E_WARNING, "Couldn't open stream %s\n", (*mailbox)->value.str.val);
diff -ru php-4.0.4pl1/ext/imap/php_imap.h php-4.0.4pl1-patched/ext/imap/php_imap.h
--- php-4.0.4pl1/ext/imap/php_imap.h	Tue Oct 17 16:42:05 2000
+++ php-4.0.4pl1-patched/ext/imap/php_imap.h	Mon Feb 26 13:16:11 2001
@@ -13,6 +13,7 @@
 extern zend_module_entry imap_module_entry;
 #define imap_module_ptr &imap_module_entry

+#define IMAPSTRLEN 80

 /* Data types */

@@ -140,8 +141,8 @@
 PHP_FUNCTION(imap_mime_header_decode);

 ZEND_BEGIN_MODULE_GLOBALS(imap)
-	char *imap_user;
-	char *imap_password;
+	char imap_user[IMAPSTRLEN];
+	char imap_password[IMAPSTRLEN];
 	STRINGLIST *imap_folders;
 	STRINGLIST *imap_sfolders;
 	STRINGLIST *imap_alertstack;

--------------68F37704A906E5C477BFCC4B--