AUSCERT External Security Bulletin Redistribution

                     ESB-97.042 -- Vulnerability in IMAP and POP
                              8 April 1997


CERT/CC has released the following advisory concerning a vulnerability
in IMAP and POP.  Remote users can obtain root access on systems
running a vulnerable IMAP or POP server. They do not need access
to an account on the system to do this.

This following security bulletin is provided as a service to AUSCERT's
members.  As AUSCERT did not write this document, AUSCERT has had no
control over its content.  As such, the decision to use any or all of this
information is the responsibility of each user or organisation, and should
be done so in accordance with site policies and procedures.

Contact information for CERT/CC is included in the Security Bulletin
below.  If you have any questions or need further information, please
contact them directly.

If you believe that your system has been compromised, contact AUSCERT or your
representative in FIRST (Forum of Incident Response and Security Teams).

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 4477
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
	AUSCERT personnel answer during Queensland business hours
	which are GMT+10:00 (AEST).
	On call after hours for emergencies.

- --------------------------BEGIN INCLUDED TEXT--------------------


CERT* Advisory CA-97.09
Original issue date: April 7, 1997
Last revised: --
Topic: Vulnerability in IMAP and POP
- - -----------------------------------------------------------------------------

The CERT Coordination Center has received reports of a vulnerability
in some versions of the Internet Message Access Protocol (IMAP) and
Post Office Protocol (POP) implementations (imapd, ipop2d, and
ipop3d). Information about this vulnerability has been publicly

By exploiting this vulnerability, remote users can obtain unauthorized root

The CERT/CC team recommends installing a patch if one is available or
upgrading to IMAP4rev1. Until you can do so, we recommend disabling the IMAP
and POP services at your site.

We will update this advisory as we receive additional information.
Please check our advisory files regularly for updates that relate to
your site.

- - -----------------------------------------------------------------------------
I.   Description

     The current version of Internet Message Access Protocol (IMAP) supports
     both online and offline operation, permitting manipulation of remote
     message folders. It provides access to multiple mailboxes (possibly on
     multiple servers), and supports nested mailboxes as well as
     resynchronization with the server. The current version also provides a
     user with the ability to create, delete, and rename mailboxes. Additional
     details concerning the functionality of IMAP can be found in RFC 2060
     (the IMAP4rev1 specification) available from


     The Post Office Protocol (POP) was designed to support offline mail
     processing. That is, the client connects to the server to download mail
     that the server is holding for the client. The mail is deleted from the
     server and is handled offline (locally) on the client machine.

     In both protocols, the server must run with root privileges so it can
     access mail folders and undertake some file manipulation on behalf of the
     user logging in. After login, these privileges are discarded. However, a
     vulnerability exists in the way the login transaction is handled, and
     this can be exploited to gain privileged access on the server. By
     preparing carefully crafted text to a system running a vulnerable version
     of these servers, remote users may be able to cause a buffer overflow and
     execute arbitrary instructions with root privileges.

     Information about this vulnerability has been widely distributed.

II.  Impact

     Remote users can obtain root access on systems running a vulnerable IMAP
     or POP server. They do not need access to an account on the system to do

III. Solution

     Install a patch from your vendor (see Section A) or upgrade to the latest
     version of IMAP (Section B).  If your POP server is based on the
     University of Washington IMAP server code, you should also upgrade to
     the latest version of IMAP. Until you can take one of these actions, you
     should disable services (Section C). In all cases, we urge you to take
     the additional precaution described in Section D.

  A. Obtain and install a patch from your vendor

     Below is a list of vendors who have provided information about this
     vulnerability. Details are in Appendix A of this advisory; we will update
     the appendix as we receive more information. If your vendor's name is not
     on this list, please contact your vendor directly.

        Berkeley Software Design, Inc. (BSDI)
        Cray Research
        Linux -  Red Hat
        Sun Microsystems, Inc.
        University of Washington

  B. Upgrade to the latest version of IMAP

     An alternative to installing vendor patches is upgrading to IMAP4rev1,
     which is available from


        MD5 (imap.tar.Z) = fb94453e8d2ada303e2db8d83d54bfb6

  C.  Disable services

      Until you can take one of the above actions, temporarily disable the POP
      and IMAP services. On many systems, you will need to edit the
      /etc/inetd.conf file. However, you should check your vendor's
      documentation because systems vary in file location and the exact
      changes required (for example, sending the inetd process a HUP signal or
      killing and restarting the daemon).  

      If you are not able to temporarily disable the POP and IMAP services,
      then you should at least limit access to the vulnerable services to
      machines in your local network. This can be done by installing the
      tcp_wrappers described in Section D, not only for logging but also for
      access control. Note that even with access control via tcp_wrappers, you
      are still vulnerable to attacks from hosts that are allowed to connect
      to the vulnerable POP or IMAP service.

 D.  Additional precaution

     Because IMAP or POP is launched out of inetd.conf, tcp_wrappers can be
     installed to log connections which can then be examined for suspicious
     activity. You may want to consider filtering connections at the firewall
     to discard unwanted/unauthorized connections.

     The tcp_wrappers tool is available in


        MD5 (tcp_wrappers_7.5.tar.gz) = 8c7a17a12d9be746e0488f7f6bfa4abb

     Note that this precaution does not address the vulnerability described
     in this advisory, but it is a good security practice in general.


Appendix A - Vendor Information

Below is a list of the vendors who have provided information for this
advisory. We will update this appendix as we receive additional information.
If you do not see your vendor's name, the CERT/CC did not hear from that
vendor. Please contact the vendor directly.

Berkeley Software Design, Inc. (BSDI)

  We're working on patches for both BSD/OS 2.1 and BSD/OS 3.0 for
  imap (which we include as part of pine).

Cray Research

  Not vulnerable.

Linux Systems

  Red Hat
  The IMAP servers included with all versions of Red Hat Linux have
  a buffer overrun which allow *remote* users to gain root access on
  systems which run them. A fix for Red Hat 4.1 is now available
  (details on it at the end of this note).

  Users of Red Hat 4.0 should apply the Red Hat 4.1 fix. Users of previous
  releases of Red Hat Linux are strongly encouraged to upgrade or simply
  not run imap. You can remove imap from any machine running with Red
  Hat Linux 2.0 or later by running the command "rpm -e imap", rendering
  them immune to this problem.

  All of the new packages are PGP signed with Red Hat's PGP key,
  and may be obtained from ftp.redhat.com:/updates/4.1. If
  you have direct Internet access, you may upgrade these packages on your
  system with the following commands:

  rpm -Uvh ftp://ftp.redhat.com/updates/4.1/i386/imap-4.1.BETA-3.i386.rpm

        MD5 (imap-4.1.BETA-3.i386.rpm) = 8ac64fff475ee43d409fc9776a6637a6

  rpm -Uvh ftp://ftp.redhat.com/updates/4.1/alpha/imap-4.1.BETA-3.alpha.rpm

        MD5 (imap-4.1.BETA-3.alpha.rpm) = fd42ac24d7c4367ee51fd00e631cae5b

  rpm -Uvh ftp://ftp.redhat.com/updates/4.1/sparc/imap-4.1.BETA-3.sparc.rpm

        MD5 (imap-4.1.BETA-3.sparc.rpm) = 751598aae3d179284b8ea4d7a9b78868

Sun Microsystems, Inc.

  We are investigating the problem.

University of Washington 

  This vulnerability has been detected in the University of Washington c-client
  library used in the UW IMAP and POP servers.  This vulnerability affects all
  versions of imapd prior to v10.165, all versions of ipop2d prior to 2.3(32),
  and all versions of ipop3d prior to 3.3(27).

  It is recommended that all sites using these servers upgrade to the
  latest versions, available in the UW IMAP toolkit:


        MD5 (imap.tar.Z) = fb94453e8d2ada303e2db8d83d54bfb6

  This is a source distribution which includes imapd, ipop2d, ipop3d. and
  the c-client library.  The IMAP server in this distribution conforms with
  RFC2060 (the IMAP4rev1 specification).

  Sites which are not yet prepared to upgrade from IMAP2bis to IMAP4
  service may obtain a corrected IMAP2bis server as part of the latest
  (3.96) UW Pine distribution, available at:


        MD5 (pine.tar.Z) = 37138f0d1ec3175cf1ffe6c062c9abbf

- - -----------------------------------------------------------------------------
The CERT Coordination Center thanks the University of Washington's
Computing and Communications staff for information relating to this
- - -----------------------------------------------------------------------------

If you believe that your system has been compromised, contact the CERT
Coordination Center or your representative in the Forum of Incident Response
and Security Teams (see http://www.first.org/team-info)

CERT/CC Contact Information
- - ---------------------------
Email    cert@cert.org

Phone    +1 412-268-7090 (24-hour hotline)
                CERT personnel answer 8:30-5:00 p.m. EST(GMT-5) / EDT(GMT-4)
                and are on call for emergencies during other hours.

Fax      +1 412-268-6989

Postal address
         CERT Coordination Center
         Software Engineering Institute
         Carnegie Mellon University
         Pittsburgh PA 15213-3890

Using encryption
   We strongly urge you to encrypt sensitive information sent by email. We can
   support a shared DES key or PGP. Contact the CERT/CC for more information.
   Location of CERT PGP key

Getting security information
   CERT publications and other security information are available from

   CERT advisories and bulletins are also posted on the USENET newsgroup

   To be added to our mailing list for advisories and bulletins, send
   email to
   In the subject line, type
        SUBSCRIBE  your-email-address

- - ---------------------------------------------------------------------------
Copyright 1997 Carnegie Mellon University
This material may be reproduced and distributed without permission provided
it is used for noncommercial purposes and the copyright statement is

* Registered in the U.S. Patent and Trademark Office.

- - ---------------------------------------------------------------------------

This file: ftp://info.cert.org/pub/cert_advisories/CA-97.09.imap_pop
               click on "CERT Advisories"

Revision history

Version: 2.6.2


- --------------------------END INCLUDED TEXT--------------------

Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key