Vulnerabilities > CVE-2005-0546 - Remote Buffer Overflow vulnerability in Cyrus IMAPD
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
PARTIAL Summary
Multiple buffer overflows in Cyrus IMAPd before 2.2.11 may allow attackers to execute arbitrary code via (1) an off-by-one error in the imapd annotate extension, (2) an off-by-one error in "cached header handling," (3) a stack-based buffer overflow in fetchnews, or (4) a stack-based buffer overflow in imapd.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 5 |
Nessus
NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-87-1.NASL description Sean Larsson discovered a buffer overflow in the IMAP last seen 2020-06-01 modified 2020-06-02 plugin id 20712 published 2006-01-15 reporter Ubuntu Security Notice (C) 2005-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/20712 title Ubuntu 4.10 : cyrus21-imapd vulnerability (USN-87-1) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Ubuntu Security Notice USN-87-1. The text # itself is copyright (C) Canonical, Inc. See # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered # trademark of Canonical, Inc. # include("compat.inc"); if (description) { script_id(20712); script_version("1.14"); script_cvs_date("Date: 2019/08/02 13:33:00"); script_cve_id("CVE-2005-0546"); script_xref(name:"USN", value:"87-1"); script_name(english:"Ubuntu 4.10 : cyrus21-imapd vulnerability (USN-87-1)"); script_summary(english:"Checks dpkg output for updated packages."); script_set_attribute( attribute:"synopsis", value: "The remote Ubuntu host is missing one or more security-related patches." ); script_set_attribute( attribute:"description", value: "Sean Larsson discovered a buffer overflow in the IMAP 'annotate' extension. This possibly allowed an authenticated IMAP client to execute arbitrary code with the privileges of the Cyrus IMAP server. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:cyrus21-admin"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:cyrus21-clients"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:cyrus21-common"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:cyrus21-dev"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:cyrus21-doc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:cyrus21-imapd"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:cyrus21-murder"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:cyrus21-pop3d"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libcyrus-imap-perl21"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:4.10"); script_set_attribute(attribute:"patch_publication_date", value:"2005/02/28"); script_set_attribute(attribute:"plugin_publication_date", value:"2006/01/15"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"Ubuntu Security Notice (C) 2005-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc."); script_family(english:"Ubuntu Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("ubuntu.inc"); include("misc_func.inc"); if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/Ubuntu/release"); if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu"); release = chomp(release); if (! ereg(pattern:"^(4\.10)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 4.10", "Ubuntu " + release); if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu); flag = 0; if (ubuntu_check(osver:"4.10", pkgname:"cyrus21-admin", pkgver:"2.1.16-6ubuntu0.3")) flag++; if (ubuntu_check(osver:"4.10", pkgname:"cyrus21-clients", pkgver:"2.1.16-6ubuntu0.3")) flag++; if (ubuntu_check(osver:"4.10", pkgname:"cyrus21-common", pkgver:"2.1.16-6ubuntu0.3")) flag++; if (ubuntu_check(osver:"4.10", pkgname:"cyrus21-dev", pkgver:"2.1.16-6ubuntu0.3")) flag++; if (ubuntu_check(osver:"4.10", pkgname:"cyrus21-doc", pkgver:"2.1.16-6ubuntu0.3")) flag++; if (ubuntu_check(osver:"4.10", pkgname:"cyrus21-imapd", pkgver:"2.1.16-6ubuntu0.3")) flag++; if (ubuntu_check(osver:"4.10", pkgname:"cyrus21-murder", pkgver:"2.1.16-6ubuntu0.3")) flag++; if (ubuntu_check(osver:"4.10", pkgname:"cyrus21-pop3d", pkgver:"2.1.16-6ubuntu0.3")) flag++; if (ubuntu_check(osver:"4.10", pkgname:"libcyrus-imap-perl21", pkgver:"2.1.16-6ubuntu0.3")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : ubuntu_report_get() ); exit(0); } else { tested = ubuntu_pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "cyrus21-admin / cyrus21-clients / cyrus21-common / cyrus21-dev / etc"); }NASL family Gain a shell remotely NASL id CYRUS_IMAP_MULTIPLE_VULNERABILITIES.NASL description According to its banner, the remote Cyrus IMAP server is affected by off-by-one errors in its imapd annotate extension and its cached header handling which can be triggered by an authenticated user, a buffer overflow in fetchnews that can be triggered by a peer news admin, and an unspecified stack-based buffer overflow in imapd. last seen 2020-06-01 modified 2020-06-02 plugin id 17208 published 2005-02-24 reporter This script is Copyright (C) 2005-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/17208 title Cyrus IMAP Server < 2.2.11 Multiple Remote Overflows NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-200502-29.NASL description The remote host is affected by the vulnerability described in GLSA-200502-29 (Cyrus IMAP Server: Multiple overflow vulnerabilities) Possible single byte overflows have been found in the imapd annotate extension and mailbox handling code. Furthermore stack-based buffer overflows have been found in fetchnews, the backend and imapd. Impact : An attacker, who could be an authenticated user or an admin of a peering news server, could exploit these vulnerabilities to execute arbitrary code with the rights of the user running the Cyrus IMAP Server. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 17206 published 2005-02-23 reporter This script is Copyright (C) 2005-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/17206 title GLSA-200502-29 : Cyrus IMAP Server: Multiple overflow vulnerabilities NASL family Mandriva Local Security Checks NASL id MANDRAKE_MDKSA-2005-051.NASL description Several overruns have been fixed in the IMAP annote extension as well as in cached header handling which can be run by an authenticated user. As well, additional bounds checking in fetchnews was improved to avoid exploitation by a peer news admin. last seen 2020-06-01 modified 2020-06-02 plugin id 17280 published 2005-03-06 reporter This script is Copyright (C) 2005-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/17280 title Mandrake Linux Security Advisory : cyrus-imapd (MDKSA-2005:051) NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_B2D248AD88F611D9AA180001020EED82.NASL description The Cyrus IMAP Server ChangeLog states : - Fix possible single byte overflow in mailbox handling code. - Fix possible single byte overflows in the imapd annotate extension. - Fix stack-based buffer overflows in fetchnews (exploitable by peer news server), backend (exploitable by admin), and in imapd (exploitable by users though only on platforms where a filename may be larger than a mailbox name). The 2.1.X series are reportedly only affected by the second issue. These issues may lead to execution of arbitrary code with the permissions of the user running the Cyrus IMAP Server. last seen 2020-06-01 modified 2020-06-02 plugin id 19086 published 2005-07-13 reporter This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/19086 title FreeBSD : cyrus-imapd -- multiple buffer overflow vulnerabilities (b2d248ad-88f6-11d9-aa18-0001020eed82) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2005-408.NASL description Updated cyrus-imapd packages that fix several buffer overflow security issues are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The cyrus-imapd package contains the core of the Cyrus IMAP server. Several buffer overflow bugs were found in cyrus-imapd. It is possible that an authenticated malicious user could cause the imap server to crash. Additionally, a peer news admin could potentially execute arbitrary code on the imap server when news is received using the fetchnews command. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0546 to this issue. Users of cyrus-imapd are advised to upgrade to these updated packages, which contain cyrus-imapd version 2.2.12 to correct these issues. last seen 2020-06-01 modified 2020-06-02 plugin id 18280 published 2005-05-17 reporter This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/18280 title RHEL 4 : cyrus-imapd (RHSA-2005:408) NASL family Fedora Local Security Checks NASL id FEDORA_2005-339.NASL description Several buffer overflow bugs were found in cyrus-imapd. It is possible that an authenticated malicious user could cause the imap server to crash. Additionally, a peer news admin could potentially execute arbitrary code on the imap server when news is received using the fetchnews command. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0546 to this issue. In addition this version of the rpm contains a collection of other fixes since the last FC3 update (see below changelog). >>>>>>>>>>>><i> IMPORTANT NOTE FOR X86_64 INSTALLATION <<<<<<<<<<<< </I> This rpm also fixes bug #156121 that incorrectly placed some executables /usr/lib64/cyrus-imapd. /usr/lib64 is reserved for 64 bit libraries and this caused problems for existing scripts that expected to find them in a canonical location (/usr/lib/cyrus-imapd) and violated the multilib packaging guidelines. Only references external to the cyrus-imapd package are affected by this, the rpm is self consistent. The most notable example is /usr/lib64/cyrus-impad/deliver which is now /usr/lib/cyrus-imapd/deliver (use of lmtp is encouraged in preference to deliver). This change only affects x86_64 installations. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 62256 published 2012-09-24 reporter This script is Copyright (C) 2012-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/62256 title Fedora Core 3 : cyrus-imapd-2.2.12-1.1.fc3 (2005-339) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2005-408.NASL description Updated cyrus-imapd packages that fix several buffer overflow security issues are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The cyrus-imapd package contains the core of the Cyrus IMAP server. Several buffer overflow bugs were found in cyrus-imapd. It is possible that an authenticated malicious user could cause the imap server to crash. Additionally, a peer news admin could potentially execute arbitrary code on the imap server when news is received using the fetchnews command. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0546 to this issue. Users of cyrus-imapd are advised to upgrade to these updated packages, which contain cyrus-imapd version 2.2.12 to correct these issues. last seen 2020-06-01 modified 2020-06-02 plugin id 21935 published 2006-07-05 reporter This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/21935 title CentOS 4 : cyrus-imapd (CESA-2005:408)
Oval
| accepted | 2013-04-29T04:07:38.898-04:00 | ||||||||||||
| class | vulnerability | ||||||||||||
| contributors |
| ||||||||||||
| definition_extensions |
| ||||||||||||
| description | Multiple buffer overflows in Cyrus IMAPd before 2.2.11 may allow attackers to execute arbitrary code via (1) an off-by-one error in the imapd annotate extension, (2) an off-by-one error in "cached header handling," (3) a stack-based buffer overflow in fetchnews, or (4) a stack-based buffer overflow in imapd. | ||||||||||||
| family | unix | ||||||||||||
| id | oval:org.mitre.oval:def:10674 | ||||||||||||
| status | accepted | ||||||||||||
| submitted | 2010-07-09T03:56:16-04:00 | ||||||||||||
| title | Multiple buffer overflows in Cyrus IMAPd before 2.2.11 may allow attackers to execute arbitrary code via (1) an off-by-one error in the imapd annotate extension, (2) an off-by-one error in "cached header handling," (3) a stack-based buffer overflow in fetchnews, or (4) a stack-based buffer overflow in imapd. | ||||||||||||
| version | 27 |
Redhat
| advisories |
| ||||
| rpms |
|
References
- http://asg.web.cmu.edu/archive/message.php?mailbox=archive.info-cyrus&msg=33723
- http://bugs.gentoo.org/show_bug.cgi?id=82404
- http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000937
- http://marc.info/?l=bugtraq&m=110972236203397&w=2
- http://secunia.com/advisories/14383
- http://security.gentoo.org/glsa/glsa-200502-29.xml
- http://securitytracker.com/id?1013278
- http://www.mandriva.com/security/advisories?name=MDKSA-2005:051
- http://www.redhat.com/support/errata/RHSA-2005-408.html
- http://www.securityfocus.com/archive/1/430294/100/0/threaded
- http://www.securityfocus.com/bid/12636
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10674