Freely subscribe to our NEWSLETTER

Severity: 2/4

Consequences: privileged access/rights

Provenance: user account

Means of attack: no proof of concept, no attack

Ability of attacker: expert (4/4)

Confidence: confirmed by the editor (5/5)

Diffusion of the vulnerable configuration: medium (2/3)

Creation date: 07/09/2009

IMPACTED PRODUCTS

– Debian Linux
– Fedora
– Mandriva Corporate
– Mandriva Enterprise Server
– Mandriva Linux
– Unix - plateform

DESCRIPTION OF THE VULNERABILITY

The Cyrus IMAPd service can be compiled with the support of SIEVE
scripts, which are used to automatically filter received emails.
In order to do so, each user can create a SIEVE script under
" /.sieve", which is to be read for each received email.

The do_action_list() function of the src/sieve/script.c file
handles actions (Rejected, Redirected, Vacation, etc.). However,
if the action is incorrect, the limit size for snprintf() becomes
negative, which does not protect against buffer overflows.

An authenticated attacker can therefore use a malicious SIEVE
script, in order to execute code with privileges of the Cyrus
IMAPd server.

CHARACTERISTICS

Identifiers: BID-36296, CVE-2009-2632, DSA 1881-1, ERR-2009-2628,
FEDORA-2009-9417, FEDORA-2009-9428, MDVSA-2009:229,
VIGILANCE-VUL-9005, VU#336053

http://vigilance.fr/vulnerability/Cyrus-IMAPd-privilege-elevation-via-SIEVE-9005