Vigil@nce: Dovecot Sieve, two overflows
September 2009 by Vigil@nce
An authenticated attacker can use a malicious SIEVE script, in
order to execute code with privileges of the Dovecot server.
– Severity: 2/4
– Consequences: user access/rights
– Provenance: user shell
– Means of attack: no proof of concept, no attack
– Ability of attacker: expert (4/4)
– Confidence: confirmed by the editor (5/5)
– Diffusion of the vulnerable configuration: high (3/3)
– Number of vulnerabilities in this bulletin: 2
– Creation date: 15/09/2009
IMPACTED PRODUCTS
– Fedora
– Unix - platform
DESCRIPTION OF THE VULNERABILITY
The Dovecot Sieve plugin can be installed on the IMAP Dovecot
server to handle SIEVE scripts, which are used to automatically
filter received emails. In order to do so, each user can create a
SIEVE script under " /.sieve", which is to be read for each
received email. This plugin is impacted by two overflows.
The maximum size passed to snprintf() can be negative, so the call
no longer protects against buffer overflows. This vulnerability has
the same origin as VIGILANCE-VUL-9005 (https://vigilance.fr/tree/1/9005).
[grav:2/4; CVE-2009-2632]
The sprintf() function is used instead of snprintf(), and the size of
the data is not checked, which leads to an overflow. This
vulnerability has the same origin as VIGILANCE-VUL-9029
(https://vigilance.fr/tree/1/9029). [grav:2/4; CVE-2009-3235]
An authenticated attacker can therefore use a malicious SIEVE
script in order to execute code with the privileges of the Dovecot
server.
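As an added illustration of the two bug classes described above (this is not Dovecot's code, and the buffer size and function names are hypothetical), the C below shows a signed "remaining space" computation that silently disables the snprintf() bound, beside a checked version that also stands in for an unbounded sprintf() call.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical buffer size for the illustration; not a Dovecot value. */
#define BUF_SIZE 16

/* Unsafe pattern (CVE-2009-2632 class): the caller tracks how many bytes
 * of a fixed buffer are already used and passes "what is left" to
 * snprintf(). Computing that remainder as a signed int lets it go negative
 * once `used` exceeds the buffer; the implicit conversion to size_t then
 * turns it into a huge bound, so snprintf() no longer limits the write.
 * Returns the size_t bound snprintf() would actually receive. */
size_t unsafe_bound(size_t buf_size, size_t used)
{
    int remaining = (int)buf_size - (int)used;   /* can be negative */
    return (size_t)remaining;                    /* -4 becomes SIZE_MAX-3 */
}

/* Hardened pattern: compare before subtracting so the arithmetic cannot
 * wrap, and report "no room" explicitly instead of handing a bogus bound
 * to snprintf(). */
size_t safe_bound(size_t buf_size, size_t used)
{
    if (used >= buf_size)
        return 0;
    return buf_size - used;
}

/* Bounded append that replaces an unchecked sprintf() (CVE-2009-3235
 * class): writes `text` at offset `used`, never past buf_size, and checks
 * the snprintf() return value for truncation. Returns 1 on success, 0 when
 * the text does not fit, in which case nothing is kept. */
int append_checked(char *buf, size_t buf_size, size_t used, const char *text)
{
    size_t room = safe_bound(buf_size, used);
    if (room == 0)
        return 0;
    int n = snprintf(buf + used, room, "%s", text);
    if (n < 0 || (size_t)n >= room) {
        buf[used] = '\0';   /* truncated: discard the partial write */
        return 0;
    }
    return 1;
}
```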
CHARACTERISTICS
– Identifiers: BID-36377, CVE-2009-2632, CVE-2009-3235,
FEDORA-2009-9559, VIGILANCE-VUL-9024
– Url: http://vigilance.fr/vulnerability/Dovecot-Sieve-two-overflows-9024