Subject: imapd vulnerability assessment pursuant to CERT IMAP report.
Date: Wed, 18 Dec 2002 11:40:54 -0500
From: Mark Carey <mark.carey@xxxxxxx>
To: Charles Smith <Charles.Smith@xxxxxxx>, mark.carey@xxxxxxx
Spike, investigation has revealed that when using Nessus to scan for the reported IMAP vulnerability, a false positive is reported. Nessus generates this report based on the "capabilities" command of the IMAP server. Since Sun Cobalt patched the IMAP server prior to this investigation (approximately June 2002), the vulnerability reported by Nessus is false.

Chronologically the investigation went as follows:

1. Install the latest Nessus from www.nessus.org.
2. Configure Nessus to perform all IMAP scans (and dependent services).
3. Use Ethereal to sniff all traffic on port 143 (IMAP).

Upon completion of the scan, Nessus reported a vulnerability in the IMAP service (report attached). Examination of the packet trace using both stream reconstruction and visual inspection reveals that two cases (tests) are run against the IMAP service.

In the first test case a connection is made to the IMAP server and it is then queried for its "capabilities"; Nessus then blindly attempts to exploit the IMAP server. The IMAP server responds with a bad command response. It should also be noted that no overflow is logged by the stack-guarded imapd binary on the target host.

In the second case, a connection is made to the IMAP server and it is then queried for its "capabilities". Nessus does not attempt to exploit the IMAP server in this case and simply reports that the IMAP server is vulnerable. No overflow is logged.

Finally, it should be noted that in the Nessus-generated report, both reported vulnerabilities are caveated by the fact that Nessus looks at the banners only in determining that these vulnerabilities exist. Since Sun Cobalt patches do not increment the banner revision levels, Nessus reports these as false positives.

Thanks,
Mark.
--
Charles Smith, CISSP, CCSE
Sun Linux Security Engineering Group
Sun Microsystems
Tel: 614-273-3255 (x57055)
Fax: 614-273-3291

This communication may contain privileged and/or confidential information. It is intended solely for the use of the addressee. If you are not the intended recipient, you are strictly prohibited from disclosing, copying, distributing or using any of this information. If you received this communication in error, please contact the sender immediately and destroy the material in its entirety, whether electronic or hard copy.
timestamps|||scan_start|Wed Dec 18 11:23:03 2002 <|> SERVER|
timestamps||sustaining5.central.sun.com|host_start|Wed Dec 18 11:23:04 2002|
results|sustaining5.central.sun|sustaining5.central.sun.com|ftp (21/tcp)
results|sustaining5.central.sun|sustaining5.central.sun.com|telnet (23/tcp)
results|sustaining5.central.sun|sustaining5.central.sun.com|smtp (25/tcp)
results|sustaining5.central.sun|sustaining5.central.sun.com|http (80/tcp)
results|sustaining5.central.sun|sustaining5.central.sun.com|unknown (81/tcp)
results|sustaining5.central.sun|sustaining5.central.sun.com|pop3 (110/tcp)
results|sustaining5.central.sun|sustaining5.central.sun.com|imap (143/tcp)
results|sustaining5.central.sun|sustaining5.central.sun.com|https (443/tcp)
results|sustaining5.central.sun|sustaining5.central.sun.com|snpp (444/tcp)
results|sustaining5.central.sun|sustaining5.central.sun.com|general/tcp|10336|Security Note|Nmap found that this host is running Linux 2.1.19 - 2.2.19\n
results|sustaining5.central.sun|sustaining5.central.sun.com|ftp (21/tcp)|10330|Security Note|An FTP server is running on this port.\nHere is its banner : \n220 ProFTPD 1.2.5 Server (ProFTPD) [sustaining5.central.sun.com]\r
results|sustaining5.central.sun|sustaining5.central.sun.com|telnet (23/tcp)|10330|Security Note|A telnet server seems to be running on this port
results|sustaining5.central.sun|sustaining5.central.sun.com|smtp (25/tcp)|10330|Security Note|An SMTP server is running on this port\nHere is its banner : \n220 sustaining5.central.sun.com ESMTP Sendmail 8.10.2/8.10.2; Wed, 18 Dec 2002 11:24:56 -0500\r
results|sustaining5.central.sun|sustaining5.central.sun.com|http (80/tcp)|10330|Security Note|A web server is running on this port
results|sustaining5.central.sun|sustaining5.central.sun.com|unknown (81/tcp)|10330|Security Note|A TLSv1 server answered on this port\n
results|sustaining5.central.sun|sustaining5.central.sun.com|unknown (81/tcp)|10330|Security Note|A web server is running on this port through SSL
results|sustaining5.central.sun|sustaining5.central.sun.com|pop3 (110/tcp)|10330|Security Note|A pop3 server is running on this port
results|sustaining5.central.sun|sustaining5.central.sun.com|imap (143/tcp)|10330|Security Note|An IMAP server is running on this port
results|sustaining5.central.sun|sustaining5.central.sun.com|https (443/tcp)|10330|Security Note|A TLSv1 server answered on this port\n
results|sustaining5.central.sun|sustaining5.central.sun.com|https (443/tcp)|10330|Security Note|A web server is running on this port through SSL
results|sustaining5.central.sun|sustaining5.central.sun.com|snpp (444/tcp)|10330|Security Note|A web server is running on this port
results|sustaining5.central.sun|sustaining5.central.sun.com|imap (143/tcp)|10966|Security Hole|\nThere is a buffer overflow in the remote imap server \nwhich allows an authenticated user to obtain a remote\nshell.\n\nBy supplying an overly long tag the the BODY command,\nan attacker may gain a shell on this host.\n\n*** Nessus reports this vulnerability using only\n*** information that was gathered. Use caution\n*** when testing without safe checks enabled.\n\nSolution : Upgrade to imap-2001a\nRisk factor : Serious\nCVE : CAN-2002-0379\n
results|sustaining5.central.sun|sustaining5.central.sun.com|imap (143/tcp)|10625|Security Hole|\nThe remote UW-IMAP server seems to be vulnerable to various\nbuffer overflow which allow an authenticated user to gain\na shell on this host.\n\nAn attacker may use this flaw to escalate his privileges.\n\n*** Nessus solely relied on the server banner to \n*** issue this warning.\n\nSolution : Upgrade to the latest version of UW-IMAP\nRisk factor : High\nCVE : CAN-1999-1224\n
timestamps||sustaining5.central.sun.com|host_end|Wed Dec 18 11:27:13 2002|
timestamps|||scan_end|Wed Dec 18 11:27:13 2002 <|> SERVER|
Attachment:
nessus_imapd_trace
Description: application/java-vm