Vigil@nce: Cyrus IMAPd, privilege elevation via SIEVE
September 2009 by Vigil@nce
An authenticated attacker can use a malicious SIEVE script in
order to execute code with the privileges of the Cyrus IMAPd server.
Severity: 2/4
Consequences: privileged access/rights
Provenance: user shell
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 17/09/2009
IMPACTED PRODUCTS
– Debian Linux
– Fedora
– Red Hat Enterprise Linux
– Unix - platform
DESCRIPTION OF THE VULNERABILITY
The Cyrus IMAPd service can be compiled with support for SIEVE
scripts, which are used to automatically filter received emails.
To do so, each user can create a SIEVE script under
" /.sieve", which is read for each received email.
The bc_eval.c, script.c.diff and sieve.y files use the sprintf()
function instead of snprintf(), and the size of the data is not
checked, which causes a buffer overflow.
An authenticated attacker can therefore use a malicious SIEVE
script in order to execute code with the privileges of the Cyrus
IMAPd server.
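The sprintf()/snprintf() defect described above, shown as an added illustration that is not Cyrus IMAPd code: a hypothetical Sieve interpreter formats a script-supplied header name into a fixed buffer, first in the unsafe pattern (as a comment), then in a bounded form that reports truncation, plus a length policy the parser can apply up front. Buffer sizes, limits and sample strings are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Unsafe pattern named in the advisory: a value taken from the user's
 * script is formatted into a fixed-size buffer with no length check.
 *
 *     char buf[64];
 *     sprintf(buf, "header \"%s\" not found", script_value); // overflows if long
 */

#define MSG_BUF_SIZE 64      /* constructed size for the example */
#define MAX_HEADER_NAME 32   /* constructed policy limit for the example */

/* Hardened form: bounded formatting that reports truncation instead of
 * overflowing or silently cutting the message. Returns true only when
 * the whole message fit into out[]. */
bool format_header_msg(char *out, size_t out_size, const char *script_value)
{
    int n = snprintf(out, out_size, "header \"%s\" not found", script_value);
    if (n < 0) {                      /* encoding error */
        if (out_size) out[0] = '\0';
        return false;
    }
    /* snprintf returns the length it wanted to write; if that is
     * >= out_size the output was cut at out_size - 1 characters. */
    return (size_t)n < out_size;
}

/* Input policy a Sieve parser can enforce before any formatting:
 * reject empty or over-long script-supplied header names. */
bool header_name_ok(const char *name)
{
    size_t len = strlen(name);
    return len > 0 && len <= MAX_HEADER_NAME;
}

int main(void)
{
    char buf[MSG_BUF_SIZE];
    char long_name[200];                       /* constructed over-long value */
    memset(long_name, 'A', sizeof long_name - 1);
    long_name[sizeof long_name - 1] = '\0';

    printf("short fits: %d\n", format_header_msg(buf, sizeof buf, "X-Spam-Flag"));
    printf("long fits:  %d\n", format_header_msg(buf, sizeof buf, long_name));
    printf("long allowed by policy: %d\n", header_name_ok(long_name));
    return 0;
}
```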
CHARACTERISTICS
Identifiers: CVE-2009-3235, DSA 1881-1, DSA 1893-1,
FEDORA-2009-9869, FEDORA-2009-9901, RHSA-2009:1459-04,
VIGILANCE-VUL-9029
Pointed by: VIGILANCE-VUL-9024
http://vigilance.fr/vulnerability/Cyrus-IMAPd-privilege-elevation-via-SIEVE-9029