Cyrus IMAPD POP3D 远程栈溢出漏洞

Cyrus IMAP Server是一款免费开放源代码Interactive Mail Access Protocol (IMAP)协议实现，可使用在Unix和Linux操作系统下。

Cyrus-imapd的pop3d中存在远程溢出漏洞。如果在imapd.conf中Cyrus-imapd将popsubfolders设置为1的话，则攻击者就可以通过向远程pop3d发送超长的USER命令参数触发栈溢出。

在cyrus-imapd-2.3.2/imap/pop3d.c中，每次向pop3 server提供USER命令时都会调用pop3d_canon_user，ulen=0。在char userbuf[MAX_MAILBOX_NAME+1], *p;

...

if (!ulen) ulen = strlen(user);

...

memcpy(userbuf, user, ulen);

userbuf[ulen] = \'\'＼0\'\';

这个例程中没有执行长度检查，如果user大于MAX_MAILBOX_NAME+1的话，memcpy就会溢出userbuf缓冲区。

--- snip ---static int popd_canon_user(sasl_conn_t *conn, void *context,

const char *user, unsigned ulen,

unsigned flags, const char *user_realm,

char *out, unsigned out_max, unsigned *out_ulen)

{

char userbuf[MAX_MAILBOX_NAME+1], *p;

size_t n;

int r;

if (!ulen) ulen = strlen(user);

if (config_getswitch(IMAPOPT_POPSUBFOLDERS)) {

/* make a working copy of the auth[z]id */

memcpy(userbuf, user, ulen);

userbuf[ulen] = \'\'＼0\'\';

user = userbuf;

/* See if we\'\'re trying to access a subfolder */

if ((p = strchr(userbuf, \'\'+\'\'))) {

n = config_virtdomains ? strcspn(p, \"@\") ： strlen(p);

if (flags ＆ SASL_CU_AUTHZID) {

/* make a copy of the subfolder */

if (popd_subfolder) free(popd_subfolder);

popd_subfolder = xstrndup(p, n);

}

/* strip the subfolder from the auth[z]id */

memmove(p, p+n, strlen(p+n)+1);

ulen -= n;

}

}

r = mysasl_canon_user(conn, context, user, ulen, flags, user_realm,

out, out_max, out_ulen);

if (!r ＆ ＆ popd_subfolder ＆ ＆ flags == SASL_CU_AUTHZID) {

/* If we\'\'re only doing the authzid, put back the subfolder

in case its used in the challenge/response calculation */

n = strlen(popd_subfolder);

if (*out_ulen + n ＞ out_max) {

sasl_seterror(conn, 0, \"buffer overflow while canonicalizing\");

r = SASL_BUFOVER;

}

else {

p = (config_virtdomains ＆ ＆ (p = strchr(out, \'\'@\'\'))) ?

p ： out + *out_ulen;

memmove(p+n, p, strlen(p)+1);

memcpy(p, popd_subfolder, n);

*out_ulen += n;

}

}

return r;

}

--- snip ---