From owner-freebsd-security-notifications Mon Apr 24 15:46:48 2000 Delivered-To: freebsd-security-notifications@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 758) id EEF4B37BBB4; Mon, 24 Apr 2000 15:46:35 -0700 (PDT) From: FreeBSD Security Officer Subject: FreeBSD Security Advisory: FreeBSD-SA-00:15.imap-uw From: FreeBSD Security Officer Message-Id: <20000424224635.EEF4B37BBB4@hub.freebsd.org> Date: Mon, 24 Apr 2000 15:46:35 -0700 (PDT) Sender: owner-freebsd-security-notifications@FreeBSD.ORG Precedence: bulk Reply-To: postmaster@freebsd.org X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- ============================================================================= FreeBSD-SA-00:15 Security Advisory FreeBSD, Inc. Topic: imap-uw allows local users to deny service to any mailbox Category: ports Module: imap-uw Announced: 2000-04-24 Credits: Alex Mottram via BugTraq Affects: Ports collection. Corrected: See below. Vendor status: Notified. FreeBSD only: NO I. Background imap-uw is a popular IMAP4/POP2/POP3 mail server from the University of Washington. II. Problem Description The imap-uw port supplies a "libc-client" library which provides various functionality common to mail servers. The algorithm used for locking of mailbox files contains a weakness which allows an unprivileged local user to lock an arbitrary local mailbox. In the case of POP2/POP3 servers, this means that the mailbox will not be able to be accessed at all by the owner. In the case of IMAP4 servers, the folder can be opened for reading, but not writing (i.e. can only be accessed read-only). Note that this is a different vulnerability than that described in FreeBSD Security Advisory 00:14, and affects all imap-uw servers which provide shell-level access to users. However note that by virtue of advisory 00:14, all users who can access their mail remotely via imap can acquire such access even without explicit shell login access. The imap-uw port is not installed by default, nor is it "part of FreeBSD" as such: it is part of the FreeBSD ports collection, which contains over 3200 third-party applications in a ready-to-install format. The ports collection shipped with FreeBSD 4.0 contains this problem since it was discovered after the release. FreeBSD makes no claim about the security of these third-party applications, although an effort is underway to provide a security audit of the most security-critical ports. III. Impact A user who has, or who can obtain (see advisory 00:14) shell access to the mail server can prevent an arbitrary mailbox from being opened via pop2/pop3, or can force the mailbox to be only opened read-only via imap. If you have not chosen to install the imap-uw port/package, then your system is not vulnerable to this problem. IV. Workaround 1) Deinstall the imap-uw port/package, if you you have installed it. 2) Consider using another POP2/POP3 server if you do not require IMAP functionality. See the notes regarding alternative IMAP servers in FreeBSD Security Advisory 00:14. V. Solution No patch is currently available. It is encumbent on the imap-uw developers to redesign the mailbox locking scheme to provide a secure locking mechanism which is not vulnerable to local denial-of-service attacks. This advisory will be updated once the known vulnerabilities in imap-uw have been addressed. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBOQTN8FUuHi5z0oilAQH58gP+JtkvDh4EFR13jGKxb6PERkt9x6Cpy+DY 1P56XODBiK4tnbTjdke2JLLNUHpSYtN23h8zt1DtnlxnxunQa8Y6fhptbpgHUWAu ZIJlLLnl0iQcjj3Lqwz2E2BaFsyZxlVSGQnD/EmI+tyZcY+oTYbomCgi1RW3kbn+ fmNJXmwTXCg= =TwTN -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security-notifications" in the body of the message