Vigil@nce: Cyrus IMAPd, privilege elevation via SIEVE
September 2009 by Vigil@nce
An authenticated attacker can use a malicious SIEVE script to
execute code with the privileges of the Cyrus IMAPd server.
Severity: 2/4
Consequences: privileged access/rights
Provenance: user account
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: medium (2/3)
Creation date: 07/09/2009
IMPACTED PRODUCTS
– Debian Linux
– Fedora
– Mandriva Corporate
– Mandriva Enterprise Server
– Mandriva Linux
– Unix - platform
DESCRIPTION OF THE VULNERABILITY
The Cyrus IMAPd service can be compiled with support for SIEVE
scripts, which are used to automatically filter received emails.
To do so, each user can create a SIEVE script under
" /.sieve", which is read for each received email.
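The do_action_list() function of the src/sieve/script.c file
handles actions (Rejected, Redirected, Vacation, etc.). However,
if the action is incorrect, the size limit passed to snprintf()
becomes negative. Because snprintf() takes this limit as an
unsigned size_t, a negative value is interpreted as a very large
one, so the limit no longer protects against buffer overflows.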
An authenticated attacker can therefore use a malicious SIEVE
script to execute code with the privileges of the Cyrus IMAPd
server.
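The failure mode described above, shown in general form as an added example that is not Cyrus IMAPd source code: a signed "space left" value that goes negative, next to an append routine that checks the remaining space before formatting. The function names, the 32-byte buffer and the sample strings are assumptions made for the illustration.

```c
/* Added illustration, not Cyrus IMAPd source; names and sizes are hypothetical. */
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Flawed pattern: a signed "space left" value handed to snprintf(), whose
 * size parameter is size_t. A negative value converts to a huge limit, so
 * the call is no longer bounded. This helper only computes the limit. */
static size_t limit_unchecked(int cap, int used)
{
    int left = cap - used;   /* negative once used > cap */
    return (size_t)left;     /* what snprintf() would receive */
}

/* Hardened append: refuse when no room is left and treat truncation as an
 * error instead of advancing the offset past the end of the buffer. */
static int append_checked(char *buf, size_t cap, size_t *used,
                          const char *fmt, ...)
{
    va_list ap;
    int n;

    if (*used >= cap)
        return -1;           /* cap - *used would be zero or wrap */
    va_start(ap, fmt);
    n = vsnprintf(buf + *used, cap - *used, fmt, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= cap - *used) {
        buf[*used] = '\0';   /* discard the partial text */
        return -1;
    }
    *used += (size_t)n;
    return 0;
}

int main(void)
{
    char actions[32];        /* constructed sample buffer */
    size_t used = 0;

    actions[0] = '\0';
    append_checked(actions, sizeof actions, &used, "Rejected with: %s\n", "spam");
    /* constructed over-long value: rejected, buffer left unchanged */
    append_checked(actions, sizeof actions, &used, "Redirected to: %s\n",
                   "someone-with-a-long-address@example.org");
    printf("%sunchecked limit at used=40: %zu\n", actions, limit_unchecked(32, 40));
    return 0;
}
```

When auditing similar code, look for any size argument computed by subtraction and check that the subtraction cannot go below zero before the call.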
CHARACTERISTICS
Identifiers: BID-36296, CVE-2009-2632, DSA 1881-1, ERR-2009-2628,
FEDORA-2009-9417, FEDORA-2009-9428, MDVSA-2009:229,
VIGILANCE-VUL-9005, VU#336053
http://vigilance.fr/vulnerability/Cyrus-IMAPd-privilege-elevation-via-SIEVE-9005