Vulnerabilities > CVE-2004-1035 - Denial-Of-Service vulnerability in Imap Proxy Imap Proxy 1.2.2

047910
CVSS 6.4 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
NONE
Availability impact
PARTIAL
network
low complexity
imap-proxy
nessus

Summary

Multiple integer signedness errors in (1) imapcommon.c, (2) main.c, (3) request.c, and (4) select.c for up-imapproxy IMAP proxy 1.2.2 allow remote attackers to cause a denial of service (server crash) and possibly leak sensitive information via certain literal values that are not properly handled when using the IMAP_Line_Read function.

Vulnerable Configurations

Part Description Count
Application
Imap_Proxy
1

Nessus

  • NASL family: Denial of Service
    NASL id: IMAPPROXY_LITERAL_DOS.NASL
    description: The remote host is running at least one instance of up-imapproxy that does not properly handle IMAP literals. This flaw allows a remote attacker to crash the proxy, killing existing connections as well as preventing new ones, by using literals at unexpected times.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 15853
    published: 2004-11-30
    reporter: This script is Copyright (C) 2004-2018 George A. Theall
    source: https://www.tenable.com/plugins/nessus/15853
    title: up-imapproxy IMAP Proxy IMAP_Line_Read() Function Literal Size DoS
    code
    #
    # This script was written by George A. Theall, <[email protected]>.
    #
    # See the Nessus Scripts License for details.
    #
    
    # Changes by Tenable:
    # - Revised plugin title (6/26/09)
    
    
    include("compat.inc");
    
    # Registration phase: when the scanner loads the plugin with `description`
    # set, this block only declares metadata and exits before any network I/O.
    if (description) {
      # Plugin identity and revision.
      script_id(15853);
      script_version("1.15");

      # Advisory cross-references.
      script_cve_id("CVE-2004-1035");
      script_bugtraq_id(11630);

      script_name(english:"up-imapproxy IMAP Proxy IMAP_Line_Read() Function Literal Size DoS");

      # Report text: what is wrong, where to read more, and how to fix it.
      script_set_attribute(attribute:"synopsis", value:
    "The remote IMAP server is affected by a denial of service 
    vulnerability.");
      script_set_attribute(attribute:"description", value:
    "The remote host is running at least one instance of up-imapproxy that 
    does not properly handle IMAP literals.  This flaw allows a remote 
    attacker to crash the proxy, killing existing connections as well as 
    preventing new ones, by using literals at unexpected times.");
      script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2004/Nov/105");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to up-imapproxy 1.2.3rc2 or later.");

      # CVSS v2 base vector: network-reachable, low complexity, no
      # authentication, partial confidentiality and availability impact.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:P");
      # Temporal vector: exploitability unproven, official fix, confirmed report.
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");

      # Publication dates of the plugin and of the vulnerability itself.
      script_set_attribute(attribute:"plugin_publication_date", value: "2004/11/30");
      script_set_attribute(attribute:"vuln_publication_date", value: "2004/11/07");
      script_cvs_date("Date: 2018/11/15 20:50:21");
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_end_attributes();

      script_summary(english:"Checks for Literal DoS Vulnerability in up-imapproxy");
      # ACT_DENIAL: the check body actively tries to crash the service, so
      # Nessus skips this plugin when safe checks are enabled.
      script_category(ACT_DENIAL);
      script_copyright(english:"This script is Copyright (C) 2004-2018 George A. Theall");
      script_family(english:"Denial of Service");

      # Scheduling: run after service detection, only against IMAP ports, and
      # not when the knowledge base carries the imap/false_imap key.
      script_dependencie("find_service1.nasl", "global_settings.nasl");
      script_require_ports("Services/imap", 143);
      script_exclude_keys("imap/false_imap");

      exit(0);
    }
    
    include("global_settings.inc");
    
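    # Pick the IMAP port recorded by service detection, falling back to 143.
    port = get_kb_item("Services/imap");
    if (!port) port = 143;
    debug_print("checking for Literal DoS Vulnerability in up-imapproxy on port ", port, ".");
    if (!get_port_state(port)) exit(0);
    # nb: skip it if traffic is encrypted since up-imapproxy only
    #     supports TLS when acting as a client.
    # The transport must be looked up for `port`; the earlier code passed the
    # still-undefined `encaps` variable, so the encrypted-port check never
    # examined the IMAP port. Values above 1 (ENCAPS_IP) denote SSL/TLS.
    encaps = get_port_transport(port);
    if (encaps > 1) exit(0);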
    
    
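    # Establish a connection.
    tag = 0;
    soc = open_sock_tcp(port);
    if (!soc) exit(0);

    # Read banner; a silent port is not treated as an IMAP service.
    s = recv_line(socket:soc, length:1024);
    if (!strlen(s)) {
      close(soc);
      exit(0);
    }
    s = chomp(s);
    debug_print("S: '", s, "'.");

    # Try to crash the service by sending an invalid command with a literal.
    ++tag;
    c = string("a", string(tag), " nessus is testing {1}");
    debug_print("C: '", c, "'.");
    send(socket:soc, data:string(c, "\r\n"));
    # Start from "no response" so a silent server is never mistaken for one
    # that answered.
    resp = '';
    while (s = recv_line(socket:soc, length:1024)) {
      s = chomp(s);
      debug_print("S: '", s, "'.");
      m = eregmatch(pattern:string("^a", string(tag), " (OK|BAD|NO)"), string:s, icase:TRUE);
      if (!isnull(m)) {
        resp = m[1];
        break;
      }
      resp='';
    }
    if (resp && resp =~ "BAD") {
      c = "up-imapproxy";
      debug_print("C: '", c, "'.");
      send(socket:soc, data:string(c, "\r\n"));
      # Reset before reading: if the proxy died and nothing comes back, the
      # loop body never runs and `resp` would otherwise keep the earlier "BAD",
      # skipping the service-down check below (a false negative).
      resp = '';
      while (s = recv_line(socket:soc, length:1024)) {
        s = chomp(s);
        debug_print("S: '", s, "'.");
        # nb: the pattern changes since an unproxied service will echo a line
        #     like "up-imapproxy BAD Missing command".
        m = eregmatch(pattern:"^[^ ]+ (OK|BAD|NO)", string:s, icase:TRUE);
        if (!isnull(m)) {
          resp = m[1];
          break;
        }
        resp='';
      }
      # If we didn't get a response, make sure the service is truly down.
      if (!resp) {
        debug_print("no response received.");
        close(soc);
        soc = open_sock_tcp(port);
        if (!soc) {
          # A failed reconnect is the only condition that is reported.
          debug_print("imap service is down.");
          security_warning(port);
          exit(0);
        }
        else {
          # Service still accepts connections: nothing is reported and the
          # fresh socket is reused for the LOGOUT that follows.
          debug_print("imap service is up -- huh?");
        }
      }
    }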
    
    # End the IMAP session cleanly: send a tagged LOGOUT, read lines until the
    # tagged completion (OK/BAD/NO) arrives, then close the socket.
    ++tag;
    logout_tag = string("a", string(tag));
    c = string(logout_tag, " LOGOUT");
    debug_print("C: '", c, "'.");
    send(socket:soc, data:string(c, "\r\n"));
    logout_re = string("^", logout_tag, " (OK|BAD|NO)");
    while (s = recv_line(socket:soc, length:1024)) {
      s = chomp(s);
      debug_print("S: '", s, "'.");
      m = eregmatch(pattern:logout_re, string:s, icase:TRUE);
      if (isnull(m)) resp = "";
      else {
        # Tagged completion seen; keep its status word and stop reading.
        resp = m[1];
        break;
      }
    }
    close(soc);
    
  • NASL family: FreeBSD Local Security Checks
    NASL id: FREEBSD_PKG_927743D45CA911D9A9E70001020EED82.NASL
    description: Timo Sirainen reports: There are various bugs in up-imapproxy which can crash it. Since up-imapproxy runs in a single process with each connection handled in a separate thread, any crash kills all the connections and stops listening for new ones. On 64-bit systems it might be possible to make it leak data (mails, passwords, ...) from other connections to the attacker.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 19033
    published: 2005-07-13
    reporter: This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/19033
    title: FreeBSD : up-imapproxy -- multiple vulnerabilities (927743d4-5ca9-11d9-a9e7-0001020eed82)