CVE-2005-2933 - Buffer Overflow vulnerability in University Of Washington IMAP Mailbox Name

CVSS v2 base metrics (NVD):
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL

Summary
Buffer overflow in the mail_valid_net_parse_work function in mail.c for Washington's IMAP Server (UW-IMAP) before imap-2004g allows remote attackers to execute arbitrary code via a mailbox name containing a single double-quote (") character without a closing quote, which causes bytes after the double-quote to be copied into a buffer indefinitely.

Two points a practitioner should take from the advisories collected below. First, the NVD base vector scores Authentication as None, whereas the Gentoo and Red Hat advisories state that exploitation requires an authenticated IMAP user to request the malformed mailbox name, so a valid mailbox login is the realistic precondition. Second, the flaw lives in the c-client library, not only in the imapd/ipop daemons: the PHP imap extension (php-imap, RHSA-2006:0276, RHSA-2006:0501) and Pine builds that link c-client (SSA:2005-310-06) ship the same code and need the same fix.
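To make the failure mode concrete, here is an added example that models the bug described above: a quoted token in a mailbox specification copied into a fixed-size buffer by a loop that stops only at a closing quote. This is illustrative code written for this page, not UW-IMAP's mail.c; the function names, the buffer size, the `quotes_balanced` front-end check and the constructed input strings are all assumptions. The constructed input places the closing quote only after the string's NUL terminator, so the effect of the missing NUL check can be observed without undefined behaviour.

```c
/* Model of CVE-2005-2933 (illustrative, not UW-IMAP's mail.c): a quoted
 * token in a mailbox specification is copied into a fixed-size buffer.
 * Names, buffer size and the constructed inputs are assumptions. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MBXBUF 32   /* assumed fixed-size destination (hypothetical) */

/* Pre-fix behaviour: copy bytes after the opening quote until a closing
 * quote appears.  The loop checks neither for the input's NUL terminator
 * nor for the destination size, so an unterminated quote keeps copying
 * past the end of the input (in the real server, past the end of the
 * stack buffer).  Returns the number of bytes copied. */
size_t quoted_copy_vulnerable(const char *src, char *dst)
{
    size_t n = 0;
    if (*src != '"') return 0;
    src++;
    while (*src != '"')          /* CWE-120: no NUL check, no bound */
        dst[n++] = *src++;
    dst[n] = '\0';
    return n;
}

/* Hardened form: stop at NUL, enforce the destination bound, and require
 * the closing quote.  Returns the token length, or -1 on malformed or
 * oversized input. */
int quoted_copy_safe(const char *src, char *dst, size_t dstlen)
{
    size_t n = 0;
    if (dstlen == 0 || *src != '"') return -1;
    src++;
    while (*src != '"') {
        if (*src == '\0')    return -1;   /* unterminated quote */
        if (n + 1 >= dstlen) return -1;   /* token + NUL would not fit */
        dst[n++] = *src++;
    }
    dst[n] = '\0';
    return (int)n;
}

/* Front-end check (assumed, not a vendor workaround) that a proxy or
 * wrapper could apply before handing a mailbox argument to the server:
 * every '"' must be closed.  Returns 1 if balanced, 0 otherwise. */
int quotes_balanced(const char *s)
{
    int open = 0;
    for (; *s; s++)
        if (*s == '"') open = !open;
    return !open;
}

/* Constructed input: the closing quote sits only AFTER the string's NUL,
 * so a NUL-unaware loop runs through the terminator into whatever follows.
 * Because a closing quote does exist inside this array, calling the
 * vulnerable copy on it is well-defined and the overrun is observable. */
static const char CONSTRUCTED[] = "\"abc\0XYZ\"";

int main(void)
{
    char dst[64];
    size_t n = quoted_copy_vulnerable(CONSTRUCTED, dst);
    printf("vulnerable copied %zu bytes (3 visible, then ran past NUL)\n", n);
    printf("safe returns %d on the same input\n",
           quoted_copy_safe(CONSTRUCTED, dst, sizeof dst));
    printf("balanced(\"INBOX\" closed) = %d, balanced(\"INBOX unclosed) = %d\n",
           quotes_balanced("\"INBOX\""), quotes_balanced("\"INBOX"));
    return 0;
}
```

The hardened copy rejects the input outright rather than truncating it; for an IMAP server a malformed mailbox name should produce a `NO`/`BAD` tagged response, not a best-effort open of a truncated name.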
Vulnerable Configurations
Part | Description | Count
---|---|---
Application | (CPE list not reproduced on this page) | 7
Nessus

NASL family: Gentoo Local Security Checks
NASL id: GENTOO_GLSA-200510-10.NASL
description: The remote host is affected by the vulnerability described in GLSA-200510-10 (uw-imap: Remote buffer overflow). Improper bounds checking of user-supplied data while parsing IMAP mailbox names can lead to overflowing the stack buffer. Impact: Successful exploitation requires an authenticated IMAP user to request a malformed mailbox name. This can lead to execution of arbitrary code with the permissions of the IMAP server. Workaround: There are no known workarounds at this time.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 20030
published: 2005-10-19
reporter: This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/20030
title: GLSA-200510-10 : uw-imap: Remote buffer overflow
code:

```nasl
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Gentoo Linux Security Advisory GLSA 200510-10.
#
# The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc.
# and licensed under the Creative Commons - Attribution / Share Alike
# license. See http://creativecommons.org/licenses/by-sa/3.0/
#

include("compat.inc");

if (description)
{
  script_id(20030);
  script_version("1.22");
  script_cvs_date("Date: 2019/08/02 13:32:42");

  script_cve_id("CVE-2005-2933");
  script_bugtraq_id(15009);
  script_xref(name:"GLSA", value:"200510-10");

  script_name(english:"GLSA-200510-10 : uw-imap: Remote buffer overflow");
  script_summary(english:"Checks for updated package(s) in /var/db/pkg");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote Gentoo host is missing one or more security-related
patches."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The remote host is affected by the vulnerability described in GLSA-200510-10
(uw-imap: Remote buffer overflow)

    Improper bounds checking of user-supplied data while parsing IMAP
    mailbox names can lead to overflowing the stack buffer.

Impact :

    Successful exploitation requires an authenticated IMAP user to
    request a malformed mailbox name. This can lead to execution of
    arbitrary code with the permissions of the IMAP server.

Workaround :

    There are no known workarounds at this time."
  );
  # http://www.idefense.com/application/poi/display?id=313&type=vulnerabilities&flashstatus=false
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?4bf53403"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security.gentoo.org/glsa/200510-10"
  );
  script_set_attribute(
    attribute:"solution",
    value:
"All uw-imap users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose '>=net-mail/uw-imap-2004g'"
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:uw-imap");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");

  script_set_attribute(attribute:"patch_publication_date", value:"2005/10/11");
  script_set_attribute(attribute:"plugin_publication_date", value:"2005/10/19");
  script_set_attribute(attribute:"vuln_publication_date", value:"2005/10/04");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.");
  script_family(english:"Gentoo Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("qpkg.inc");

# Local check: needs SSH-collected package data for a Gentoo host.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

flag = 0;

# Vulnerable if net-mail/uw-imap is installed at any version below 2004g.
if (qpkg_check(package:"net-mail/uw-imap", unaffected:make_list("ge 2004g"), vulnerable:make_list("lt 2004g"))) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = qpkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "uw-imap");
}
```

NASL family: Slackware Local Security Checks
NASL id: SLACKWARE_SSA_2005-310-06.NASL
description: New imapd packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2, and -current to fix (an alleged) security issue. See the details below for more information. Also, new Pine packages are provided since these are built together... why not? Might as well upgrade that too, while I
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 54865
published: 2011-05-28
reporter: This script is Copyright (C) 2011-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/54865
title: Slackware 10.0 / 10.1 / 10.2 / 8.1 / 9.0 / 9.1 / current : imapd (SSA:2005-310-06)

NASL family: Mandriva Local Security Checks
NASL id: MANDRAKE_MDKSA-2005-194.NASL
description: 'infamous41md
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 20122
published: 2005-11-02
reporter: This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/20122
title: Mandrake Linux Security Advisory : php-imap (MDKSA-2005:194)

NASL family: Red Hat Local Security Checks
NASL id: REDHAT-RHSA-2005-848.NASL
description: Updated libc-client packages that fix a buffer overflow issue are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team. C-client is a common API for accessing mailboxes. A buffer overflow flaw was discovered in the way C-client parses user-supplied mailboxes. If an authenticated user requests a specially crafted mailbox name, it may be possible to execute arbitrary code on a server that uses C-client to access mailboxes. The Common Vulnerabilities and Exposures project has assigned the name CVE-2005-2933 to this issue. All users of libc-client should upgrade to these updated packages, which contain a backported patch that resolves this issue.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 20269
published: 2005-12-07
reporter: This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/20269
title: RHEL 4 : libc-client (RHSA-2005:848)

NASL family: CentOS Local Security Checks
NASL id: CENTOS_RHSA-2006-0276.NASL
description: Updated PHP packages that fix multiple security issues are now available for Red Hat Enterprise Linux 3 and 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. The phpinfo() PHP function did not properly sanitize long strings. An attacker could use this to perform cross-site scripting attacks against sites that have publicly-available PHP scripts that call phpinfo(). (CVE-2006-0996) The html_entity_decode() PHP function was found to not be binary safe. An attacker could use this flaw to disclose a certain part of the memory. In order for this issue to be exploitable the target site would need to have a PHP script which called the
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 21897
published: 2006-07-03
reporter: This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/21897
title: CentOS 3 / 4 : php (CESA-2006:0276)

NASL family: Debian Local Security Checks
NASL id: DEBIAN_DSA-861.NASL
description: 'infamous41md
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 19969
published: 2005-10-11
reporter: This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/19969
title: Debian DSA-861-1 : uw-imap - buffer overflow

NASL family: Red Hat Local Security Checks
NASL id: REDHAT-RHSA-2006-0276.NASL
description: Updated PHP packages that fix multiple security issues are now available for Red Hat Enterprise Linux 3 and 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. The phpinfo() PHP function did not properly sanitize long strings. An attacker could use this to perform cross-site scripting attacks against sites that have publicly-available PHP scripts that call phpinfo(). (CVE-2006-0996) The html_entity_decode() PHP function was found to not be binary safe. An attacker could use this flaw to disclose a certain part of the memory. In order for this issue to be exploitable the target site would need to have a PHP script which called the
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 21287
published: 2006-04-26
reporter: This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/21287
title: RHEL 3 / 4 : php (RHSA-2006:0276)

NASL family: Mandriva Local Security Checks
NASL id: MANDRAKE_MDKSA-2005-189.NASL
description: 'infamous41md
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 20119
published: 2005-11-02
reporter: This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/20119
title: Mandrake Linux Security Advisory : imap (MDKSA-2005:189)

NASL family: FreeBSD Local Security Checks
NASL id: FREEBSD_PKG_1F6E2ADE35C211DA811D0050BF27BA24.NASL
description: FrSIRT reports : A vulnerability has been identified in UW-IMAP, which could be exploited by remote attackers to execute arbitrary commands. This flaw is due to a stack overflow error in the
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 21396
published: 2006-05-13
reporter: This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/21396
title: FreeBSD : imap-uw -- mailbox name handling remote buffer vulnerability (1f6e2ade-35c2-11da-811d-0050bf27ba24)

NASL family: Red Hat Local Security Checks
NASL id: REDHAT-RHSA-2006-0501.NASL
description: Updated PHP packages that fix multiple security issues are now available for Red Hat Enterprise Linux 2.1. This update has been rated as having moderate security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. The phpinfo() PHP function did not properly sanitize long strings. An attacker could use this to perform cross-site scripting attacks against sites that have publicly-available PHP scripts that call phpinfo(). (CVE-2006-0996) The error handling output was found to not properly escape HTML output in certain cases. An attacker could use this flaw to perform cross-site scripting attacks against sites where both display_errors and html_errors are enabled. (CVE-2006-0208) A buffer overflow flaw was discovered in uw-imap, the University of Washington
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 21594
published: 2006-05-24
reporter: This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/21594
title: RHEL 2.1 : php (RHSA-2006:0501)

NASL family: Red Hat Local Security Checks
NASL id: REDHAT-RHSA-2005-850.NASL
description: An updated imap package that fixes a buffer overflow issue is now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The imap package provides server daemons for both the IMAP (Internet Message Access Protocol) and POP (Post Office Protocol) mail access protocols. A buffer overflow flaw was discovered in the way the c-client library parses user-supplied mailboxes. If an authenticated user requests a specially crafted mailbox name, it may be possible to execute arbitrary code on a server that uses the library. The Common Vulnerabilities and Exposures project has assigned the name CVE-2005-2933 to this issue. All users of imap should upgrade to these updated packages, which contain a backported patch and are not vulnerable to this issue.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 20270
published: 2005-12-07
reporter: This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/20270
title: RHEL 2.1 / 3 : imap (RHSA-2005:850)

NASL family: Gain a shell remotely
NASL id: UW_IMAP_MAILBOX_OVERFLOW.NASL
description: The remote host appears to be running a version of the University of Washington
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 19938
published: 2005-10-06
reporter: This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/19938
title: UW-IMAP Mailbox Name Buffer Overflow

NASL family: CentOS Local Security Checks
NASL id: CENTOS_RHSA-2005-850.NASL
description: An updated imap package that fixes a buffer overflow issue is now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The imap package provides server daemons for both the IMAP (Internet Message Access Protocol) and POP (Post Office Protocol) mail access protocols. A buffer overflow flaw was discovered in the way the c-client library parses user-supplied mailboxes. If an authenticated user requests a specially crafted mailbox name, it may be possible to execute arbitrary code on a server that uses the library. The Common Vulnerabilities and Exposures project has assigned the name CVE-2005-2933 to this issue. All users of imap should upgrade to these updated packages, which contain a backported patch and are not vulnerable to this issue.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 21875
published: 2006-07-03
reporter: This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/21875
title: CentOS 3 : imap (CESA-2005:850)

NASL family: CentOS Local Security Checks
NASL id: CENTOS_RHSA-2005-848.NASL
description: Updated libc-client packages that fix a buffer overflow issue are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team. C-client is a common API for accessing mailboxes. A buffer overflow flaw was discovered in the way C-client parses user-supplied mailboxes. If an authenticated user requests a specially crafted mailbox name, it may be possible to execute arbitrary code on a server that uses C-client to access mailboxes. The Common Vulnerabilities and Exposures project has assigned the name CVE-2005-2933 to this issue. All users of libc-client should upgrade to these updated packages, which contain a backported patch that resolves this issue.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 21969
published: 2006-07-05
reporter: This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/21969
title: CentOS 4 : libc-client (CESA-2005:848)
Oval
accepted: 2013-04-29T04:22:48.928-04:00
class: vulnerability
description: Buffer overflow in the mail_valid_net_parse_work function in mail.c for Washington's IMAP Server (UW-IMAP) before imap-2004g allows remote attackers to execute arbitrary code via a mailbox name containing a single double-quote (") character without a closing quote, which causes bytes after the double-quote to be copied into a buffer indefinitely.
family: unix
id: oval:org.mitre.oval:def:9858
status: accepted
submitted: 2010-07-09T03:56:16-04:00
title: Buffer overflow in the mail_valid_net_parse_work function in mail.c for Washington's IMAP Server (UW-IMAP) before imap-2004g allows remote attackers to execute arbitrary code via a mailbox name containing a single double-quote (") character without a closing quote, which causes bytes after the double-quote to be copied into a buffer indefinitely.
version: 26
Redhat
advisories: none listed in this record; the Red Hat errata for this CVE are RHSA-2005:848, RHSA-2005:850, RHSA-2006:0276 and RHSA-2006:0501 (see References)
rpms: none listed in this record
References
- ftp://patches.sgi.com/support/free/security/advisories/20051201-01-U
- ftp://patches.sgi.com/support/free/security/advisories/20060501-01-U.asc
- http://archives.neohapsis.com/archives/fulldisclosure/2005-10/0081.html
- http://rhn.redhat.com/errata/RHSA-2006-0276.html
- http://rhn.redhat.com/errata/RHSA-2006-0549.html
- http://secunia.com/advisories/17062/
- http://secunia.com/advisories/17148
- http://secunia.com/advisories/17152
- http://secunia.com/advisories/17215
- http://secunia.com/advisories/17276
- http://secunia.com/advisories/17336
- http://secunia.com/advisories/17483
- http://secunia.com/advisories/17928
- http://secunia.com/advisories/17930
- http://secunia.com/advisories/17950
- http://secunia.com/advisories/18554
- http://secunia.com/advisories/19832
- http://secunia.com/advisories/20210
- http://secunia.com/advisories/20222
- http://secunia.com/advisories/20951
- http://secunia.com/advisories/21252
- http://secunia.com/advisories/21564
- http://securityreason.com/securityalert/47
- http://securitytracker.com/id?1015000
- http://slackware.com/security/viewer.php?l=slackware-security&y=2005&m=slackware-security.500161
- http://support.avaya.com/elmodocs2/security/ASA-2006-129.htm
- http://support.avaya.com/elmodocs2/security/ASA-2006-160.htm
- http://www.debian.org/security/2005/dsa-861
- http://www.gentoo.org/security/en/glsa/glsa-200510-10.xml
- http://www.idefense.com/application/poi/display?id=313&type=vulnerabilities&flashstatus=true
- http://www.kb.cert.org/vuls/id/933601
- http://www.mandriva.com/security/advisories?name=MDKSA-2005:189
- http://www.mandriva.com/security/advisories?name=MDKSA-2005:194
- http://www.novell.com/linux/security/advisories/2005_23_sr.html
- http://www.redhat.com/support/errata/RHSA-2005-848.html
- http://www.redhat.com/support/errata/RHSA-2005-850.html
- http://www.redhat.com/support/errata/RHSA-2006-0501.html
- http://www.securityfocus.com/archive/1/430296/100/0/threaded
- http://www.securityfocus.com/archive/1/430303/100/0/threaded
- http://www.securityfocus.com/bid/15009
- http://www.vupen.com/english/advisories/2006/2685
- http://www.washington.edu/imap/
- https://exchange.xforce.ibmcloud.com/vulnerabilities/22518
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9858