
[cobalt-security] [Fwd: imapd vulnerability assessment pursuant to CERT IMAP report.]



Hi Brent,

The results of our investigation appear below along with the associated Nessus logs. As indicated, our findings indicate these issues are false positives. This has been an ongoing issue for some time where raw results from tools such as Nessus have been reported as factual when, with appropriate root cause analysis, they were determined to be false positives.

Cheers,

Charles

-------- Original Message --------
Subject: imapd vulnerability assessment pursuant to CERT IMAP report.
Date: Wed, 18 Dec 2002 11:40:54 -0500
From: Mark Carey <mark.carey@xxxxxxx>
To: Charles Smith <Charles.Smith@xxxxxxx>, mark.carey@xxxxxxx


Spike,
  investigation has revealed that when using Nessus to scan for the
reported imap vulnerability, a false positive is reported.  Nessus
generates this report based on the "capabilities" command of the imap
server.  Since Sun Cobalt has patched the imap server prior to this
investigation (approximately June 2002), the vulnerability reported by
Nessus is false.

Chronologically the investigation went as follows:

1. Install the latest Nessus from www.nessus.org.
2. Configure Nessus to perform all imap scans (and dependent services).
3. Use ethereal to sniff all traffic on port 143 (imap).

Upon the completion of the scan, Nessus reported a vulnerability in the
imap service (report attached).  Examination of the packet trace using
both stream reconstruction and visual inspection reveals that two cases
(tests) are run against the imap service.

In the first test case a connection is made to the imap server and it is
then queried for its "capabilities", then Nessus blindly attempts to
exploit the imap server.  The imap server responds with a bad command
response.  It should also be noted that no overflow is logged by the
stackguarded imapd binary on the target host.

In the second case, a connection is made to the imap server and it is
then queried for its "capabilities".  Nessus does not attempt to exploit
the imap server in this case and simply reports that the imap server is
vulnerable.  No overflow is logged.

Finally, it should be noted that in the Nessus-generated report, both
reported vulnerabilities are caveated by the fact that Nessus looks
at the banners only in determining that these vulnerabilities exist.
Since Sun Cobalt patches do not increment the banner revision levels,
Nessus reports these as false positives.

    Thanks,
    Mark.



-- 
Charles Smith, CISSP, CCSE
Sun Linux Security Engineering Group
Sun Microsystems
Tel: 614-273-3255 (x57055)
Fax: 614-273-3291

timestamps|||scan_start|Wed Dec 18 11:23:03 2002 <|> SERVER|
timestamps||sustaining5.central.sun.com|host_start|Wed Dec 18 11:23:04 2002|
results|sustaining5.central.sun|sustaining5.central.sun.com|ftp (21/tcp)
results|sustaining5.central.sun|sustaining5.central.sun.com|telnet (23/tcp)
results|sustaining5.central.sun|sustaining5.central.sun.com|smtp (25/tcp)
results|sustaining5.central.sun|sustaining5.central.sun.com|http (80/tcp)
results|sustaining5.central.sun|sustaining5.central.sun.com|unknown (81/tcp)
results|sustaining5.central.sun|sustaining5.central.sun.com|pop3 (110/tcp)
results|sustaining5.central.sun|sustaining5.central.sun.com|imap (143/tcp)
results|sustaining5.central.sun|sustaining5.central.sun.com|https (443/tcp)
results|sustaining5.central.sun|sustaining5.central.sun.com|snpp (444/tcp)
results|sustaining5.central.sun|sustaining5.central.sun.com|general/tcp|10336|Security Note|Nmap found that this host is running Linux 2.1.19 - 2.2.19\n
results|sustaining5.central.sun|sustaining5.central.sun.com|ftp (21/tcp)|10330|Security Note|An FTP server is running on this port.\nHere is its banner : \n220 ProFTPD 1.2.5 Server (ProFTPD) [sustaining5.central.sun.com]\r
results|sustaining5.central.sun|sustaining5.central.sun.com|telnet (23/tcp)|10330|Security Note|A telnet server seems to be running on this port
results|sustaining5.central.sun|sustaining5.central.sun.com|smtp (25/tcp)|10330|Security Note|An SMTP server is running on this port\nHere is its banner : \n220 sustaining5.central.sun.com ESMTP Sendmail 8.10.2/8.10.2; Wed, 18 Dec 2002 11:24:56 -0500\r
results|sustaining5.central.sun|sustaining5.central.sun.com|http (80/tcp)|10330|Security Note|A web server is running on this port
results|sustaining5.central.sun|sustaining5.central.sun.com|unknown (81/tcp)|10330|Security Note|A TLSv1 server answered on this port\n
results|sustaining5.central.sun|sustaining5.central.sun.com|unknown (81/tcp)|10330|Security Note|A web server is running on this port through SSL
results|sustaining5.central.sun|sustaining5.central.sun.com|pop3 (110/tcp)|10330|Security Note|A pop3 server is running on this port
results|sustaining5.central.sun|sustaining5.central.sun.com|imap (143/tcp)|10330|Security Note|An IMAP server is running on this port
results|sustaining5.central.sun|sustaining5.central.sun.com|https (443/tcp)|10330|Security Note|A TLSv1 server answered on this port\n
results|sustaining5.central.sun|sustaining5.central.sun.com|https (443/tcp)|10330|Security Note|A web server is running on this port through SSL
results|sustaining5.central.sun|sustaining5.central.sun.com|snpp (444/tcp)|10330|Security Note|A web server is running on this port
results|sustaining5.central.sun|sustaining5.central.sun.com|imap (143/tcp)|10966|Security Hole|\nThere is a buffer overflow in the remote imap server \nwhich allows an authenticated user to obtain a remote\nshell.\n\nBy supplying an overly long tag the the BODY command,\nan attacker may gain a shell on this host.\n\n*** Nessus reports this vulnerability using only\n*** information that was gathered. Use caution\n*** when testing without safe checks enabled.\n\nSolution : Upgrade to imap-2001a\nRisk factor : Serious\nCVE : CAN-2002-0379\n
results|sustaining5.central.sun|sustaining5.central.sun.com|imap (143/tcp)|10625|Security Hole|\nThe remote UW-IMAP server seems to be vulnerable to various\nbuffer overflow which allow an authenticated user to gain\na shell on this host.\n\nAn attacker may use this flaw to escalate his privileges.\n\n*** Nessus solely relied on the server banner to \n*** issue this warning.\n\nSolution : Upgrade to the latest version of UW-IMAP\nRisk factor : High\nCVE : CAN-1999-1224\n
timestamps||sustaining5.central.sun.com|host_end|Wed Dec 18 11:27:13 2002|
timestamps|||scan_end|Wed Dec 18 11:27:13 2002 <|> SERVER|

Attachment: nessus_imapd_trace
Description: application/java-vm
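As an added example (not part of the forwarded report or of Sun's own tooling), the following Python script parses Nessus NBE records like those above and separates the "Security Hole" findings that Nessus itself caveats as banner-only from those that still warrant root-cause analysis. The sample records are constructed, modelled on the plugin ids and caveat wording in the report; the host name and plugin id 99999 are placeholders.

```python
import re

# Constructed sample in Nessus NBE format, modelled on the records in the report
# above (same plugin ids and caveat wording; host and plugin 99999 are placeholders).
SAMPLE_NBE = r"""timestamps|||scan_start|Wed Dec 18 11:23:03 2002 <|> SERVER|
results|example|imap.example.test|imap (143/tcp)
results|example|imap.example.test|imap (143/tcp)|10330|Security Note|An IMAP server is running on this port
results|example|imap.example.test|imap (143/tcp)|10966|Security Hole|\nThere is a buffer overflow in the remote imap server.\n\n*** Nessus reports this vulnerability using only\n*** information that was gathered. Use caution\n*** when testing without safe checks enabled.\n\nSolution : Upgrade to imap-2001a\nRisk factor : Serious\nCVE : CAN-2002-0379\n
results|example|imap.example.test|imap (143/tcp)|10625|Security Hole|\nThe remote UW-IMAP server seems to be vulnerable.\n\n*** Nessus solely relied on the server banner to \n*** issue this warning.\n\nSolution : Upgrade to the latest version of UW-IMAP\nRisk factor : High\nCVE : CAN-1999-1224\n
results|example|imap.example.test|ftp (21/tcp)|99999|Security Hole|\nConstructed finding with no banner caveat.\nRisk factor : High\n
timestamps|||scan_end|Wed Dec 18 11:27:13 2002 <|> SERVER|
"""

# Wording Nessus itself uses to flag a finding as banner-based and unverified.
BANNER_ONLY_MARKERS = ("solely relied on the server banner",
                       "using only information that was gathered")

def parse_nbe(text):
    """Return the 'results' records that carry a plugin id, severity and text."""
    findings = []
    for line in text.splitlines():
        fields = line.split("|")
        if fields[0] != "results" or len(fields) < 7:
            continue  # timestamps and bare open-port records carry no finding
        # NBE stores newlines as the two characters '\n'; unfold them, strip the
        # '*** ' caveat prefixes and collapse whitespace so the phrases match.
        desc = re.sub(r"^\*{3} ?", "", fields[6].replace(r"\n", "\n"), flags=re.M)
        desc = " ".join(desc.split())
        cve = re.search(r"CVE : (\S+)", desc)
        findings.append({
            "host": fields[2], "port": fields[3], "plugin": fields[4],
            "severity": fields[5], "text": desc,
            "cve": cve.group(1) if cve else None,
            "banner_only": any(m in desc.lower() for m in BANNER_ONLY_MARKERS),
        })
    return findings

def triage(findings):
    """Split Security Hole findings into banner-only ones and ones needing analysis."""
    holes = [f for f in findings if f["severity"] == "Security Hole"]
    banner_only = [f for f in holes if f["banner_only"]]
    to_verify = [f for f in holes if not f["banner_only"]]
    return banner_only, to_verify

if __name__ == "__main__":
    banner_only, to_verify = triage(parse_nbe(SAMPLE_NBE))
    for f in banner_only:
        print(f"banner-only: plugin {f['plugin']} ({f['cve']}) on {f['host']} {f['port']}")
    for f in to_verify:
        print(f"verify:      plugin {f['plugin']} on {f['host']} {f['port']}")
```

Banner-only findings are the ones to confirm against the installed package's patch level (as the report above does) rather than against the advertised version string.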