UW-IMAP Netmailbox Name Parsing Buffer Overflow Vulnerability iDEFENSE Security Advisory 10.04.05 www.idefense.com/application/poi/display?id=313&type=vulnerabilities October 4, 2005 I. BACKGROUND UW-IMAP is a popular free IMAP service for Linux and UNIX systems and is distributed with various Linux distributions. More information can be found at the vendor website: http://www.washington.edu/imap/ II. DESCRIPTION Remote exploitation of a buffer overflow vulnerability in the University of Washington's IMAP Server (UW-IMAP) allows attackers to execute arbitrary code. The vulnerability specifically exists due to insufficient bounds checking on user-supplied values. The mail_valid_net_parse_work() function in src/c-client/mail.c is responsible for obtaining and validating the specified mailbox name from user-supplied data. An error in the parsing of supplied mailbox names will continue to copy memory after a " character has been parsed until another " character is found as shown here: long mail_valid_net_parse_work (char *name,NETMBX *mb,char *service) { int i,j; #define MAILTMPLEN 1024 /* size of a temporary buffer */ char c,*s,*t,*v,tmp[MAILTMPLEN],arg[MAILTMPLEN]; ...snip... if (t - v) { /* any switches or port specification? */ 1] strncpy (t = tmp,v,j); /* copy it */ tmp[j] = '