Vulnerabilities > CVE-2004-1067 - Remote Unspecified vulnerability in Cyrus IMAPD

047910
CVSS 10.0 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
network
low complexity
carnegie-mellon-university
redhat
ubuntu
critical
nessus

Summary

Off-by-one error in the mysasl_canon_user function in Cyrus IMAP Server 2.2.9 and earlier leads to a buffer overflow, which may allow remote attackers to execute arbitrary code via the username.

Nessus

  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-37-1.NASL
    descriptionRecently another buffer overflow has been discovered in the SASL authentication module of the Cyrus IMAP server. An off-by-one comparison error in the mysasl_canon_user() function could lead to a missing termination of an user name string. This vulnerability could allow remote, attacker-supplied machine code to be executed in the context of the affected server process. Since the IMAP server usually runs as unprivileged user
    last seen2020-06-01
    modified2020-06-02
    plugin id20653
    published2006-01-15
    reporterUbuntu Security Notice (C) 2004-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/20653
    titleUbuntu 4.10 : cyrus21-imapd vulnerability (USN-37-1)
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-37-1. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(20653);
      script_version("1.14");
      script_cvs_date("Date: 2019/08/02 13:33:00");
    
      script_cve_id("CVE-2004-1067");
      script_xref(name:"USN", value:"37-1");
    
      script_name(english:"Ubuntu 4.10 : cyrus21-imapd vulnerability (USN-37-1)");
      script_summary(english:"Checks dpkg output for updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Ubuntu host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Recently another buffer overflow has been discovered in the SASL
    authentication module of the Cyrus IMAP server. An off-by-one
    comparison error in the mysasl_canon_user() function could lead to a
    missing termination of an user name string.
    
    This vulnerability could allow remote, attacker-supplied machine code
    to be executed in the context of the affected server process. Since
    the IMAP server usually runs as unprivileged user 'cyrus', there is no
    possibility of root privilege escalation.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:cyrus21-admin");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:cyrus21-clients");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:cyrus21-common");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:cyrus21-dev");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:cyrus21-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:cyrus21-imapd");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:cyrus21-murder");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:cyrus21-pop3d");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libcyrus-imap-perl21");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:4.10");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2004/12/02");
      script_set_attribute(attribute:"plugin_publication_date", value:"2006/01/15");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2004-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc.");
      script_family(english:"Ubuntu Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("misc_func.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (! ereg(pattern:"^(4\.10)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 4.10", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    flag = 0;
    
    if (ubuntu_check(osver:"4.10", pkgname:"cyrus21-admin", pkgver:"2.1.16-6ubuntu0.2")) flag++;
    if (ubuntu_check(osver:"4.10", pkgname:"cyrus21-clients", pkgver:"2.1.16-6ubuntu0.2")) flag++;
    if (ubuntu_check(osver:"4.10", pkgname:"cyrus21-common", pkgver:"2.1.16-6ubuntu0.2")) flag++;
    if (ubuntu_check(osver:"4.10", pkgname:"cyrus21-dev", pkgver:"2.1.16-6ubuntu0.2")) flag++;
    if (ubuntu_check(osver:"4.10", pkgname:"cyrus21-doc", pkgver:"2.1.16-6ubuntu0.2")) flag++;
    if (ubuntu_check(osver:"4.10", pkgname:"cyrus21-imapd", pkgver:"2.1.16-6ubuntu0.2")) flag++;
    if (ubuntu_check(osver:"4.10", pkgname:"cyrus21-murder", pkgver:"2.1.16-6ubuntu0.2")) flag++;
    if (ubuntu_check(osver:"4.10", pkgname:"cyrus21-pop3d", pkgver:"2.1.16-6ubuntu0.2")) flag++;
    if (ubuntu_check(osver:"4.10", pkgname:"libcyrus-imap-perl21", pkgver:"2.1.16-6ubuntu0.2")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "cyrus21-admin / cyrus21-clients / cyrus21-common / cyrus21-dev / etc");
    }
    
  • NASL familyGain a shell remotely
    NASL idCYRUS_IMAP_MULTIPLE_OVERFLOW.NASL
    descriptionAccording to its banner, the remote Cyrus IMAPD server is vulnerable to one pre-authentication buffer overflow, as well as three post- authentication buffer overflows. A remote attacker could exploit these issues to crash the server, or possibly execute arbitrary code.
    last seen2020-06-01
    modified2020-06-02
    plugin id15819
    published2004-11-23
    reporterThis script is Copyright (C) 2004-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/15819
    titleCyrus IMAP Server < 2.2.10 Multiple Remote Overflows
  • NASL familyMacOS X Local Security Checks
    NASL idMACOSX_SECUPD2005-003.NASL
    descriptionThe remote host is missing Security Update 2005-003. This security update contains security fixes for the following applications : - AFP Server - Bluetooth Setup Assistant - Core Foundation - Cyrus IMAP - Cyrus SASL - Folder Permissions - Mailman - Safari These programs have multiple vulnerabilities which may allow a remote attacker to execute arbitrary code.
    last seen2020-06-01
    modified2020-06-02
    plugin id17587
    published2005-03-21
    reporterThis script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/17587
    titleMac OS X Multiple Vulnerabilities (Security Update 2005-003)