FreeBSD : Cyrus IMAPd -- PARTIAL command out of bounds memory corruption (114d70f3-3d16-11d9-8818-008088034841)

critical Nessus Plugin ID 18845

Synopsis

The remote FreeBSD host is missing one or more security-related updates.

Description

Due to a bug within the argument parser of the PARTIAL command, an argument like 'body[p' will be wrongly detected as 'body.peek'. Because of this, the buffer position gets increased by 10 instead of 5 and could therefore point outside the allocated memory buffer for the rest of the parsing process. In imapd versions prior to 2.2.7, the handling of 'body' or 'bodypeek' arguments was broken so that the terminating ']' got overwritten by a '\0'. Combined, the two problems allow a potential attacker to overwrite a single byte of malloc() control structures, which leads to remote code execution if the attacker successfully controls the heap layout.
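The following added example is a simplified model of the parsing mistake described above next to a bounds-checked form; it is not Cyrus IMAPd source code. The function names, the assumption that the argument is already lowercased, and the exact shape of the flawed check are illustrative assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Flawed model (assumption): once "body[" or "body.peek[" matches, a 'p' at
 * index 5 alone is taken to mean "body.peek[", so the cursor skips 10 bytes. */
size_t section_offset_flawed(const char *arg)
{
    if (strncmp(arg, "body[", 5) != 0 && strncmp(arg, "body.peek[", 10) != 0)
        return 0;
    return arg[5] == 'p' ? 10 : 5;
}

/* Checked: the offset comes from the prefix that actually matched in full. */
size_t section_offset_checked(const char *arg, int *peek)
{
    *peek = 0;
    if (strncmp(arg, "body.peek[", 10) == 0) { *peek = 1; return 10; }
    if (strncmp(arg, "body[", 5) == 0) return 5;
    return 0;
}

/* Copies the text between '[' and the final ']' into out without writing to
 * arg. Returns 0 on success, -1 on malformed or oversized input. */
int parse_section_checked(const char *arg, char *out, size_t outsz, int *peek)
{
    size_t off = section_offset_checked(arg, peek), n;
    const char *end;
    if (off == 0) return -1;
    end = strchr(arg + off, ']');
    if (end == NULL || end[1] != '\0') return -1;
    n = (size_t)(end - (arg + off));
    if (n >= outsz) return -1;
    memcpy(out, arg + off, n);
    out[n] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed sample arguments, not captured traffic. */
    const char *samples[] = { "body[p", "body[1.2]", "body.peek[1.2]" };
    for (size_t i = 0; i < 3; i++) {
        char sec[32]; int peek;
        size_t bad = section_offset_flawed(samples[i]), len = strlen(samples[i]);
        int rc = parse_section_checked(samples[i], sec, sizeof sec, &peek);
        printf("%-15s len=%zu flawed_off=%zu%s checked=%s\n", samples[i], len, bad,
               bad > len ? " (past end)" : "", rc == 0 ? sec : "rejected");
    }
    return 0;
}
```

For 'body[p' the flawed offset is 10 against a 6-byte string, which is the out-of-bounds cursor the description refers to; the checked parser rejects the same input because no closing ']' is present.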

Solution

Update the affected packages.

See Also

http://www.nessus.org/u?25075052

http://www.nessus.org/u?a4b6a9ea

Plugin Details

Severity: Critical

ID: 18845

File Name: freebsd_pkg_114d70f33d1611d98818008088034841.nasl

Version: 1.16

Type: local

Published: 7/13/2005

Updated: 1/6/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.3

CVSS v2

Risk Factor: Critical

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:cyrus-imapd, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Patch Publication Date: 11/22/2004

Vulnerability Publication Date: 11/6/2004

Reference Information

CVE: CVE-2004-1012