pop3 and imap tls plaintext command injection
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
courier (Debian) | Confirmed | Unknown | |
courier (Ubuntu) | Confirmed | Undecided | Unassigned |
Bug Description
This issue is related to courier-imap and courier-pop with TLS installed from the repositories on Ubuntu 12.10; the installed versions are 4.9.1-1ubuntu4 for IMAP and 0.66.1-ubuntu4 for POP3.
After running a Nessus scan, the following vulnerabilities were listed related to courier-imap and courier-pop: IMAP Service STARTTLS Plaintext Command Injection and POP3 Service STLS Plaintext Command Injection. More information about the Nessus results themselves can be found at http://
Specifically, I downloaded the source for openssl-1.0.0d (http://
Line 1135 (for POP3)
- BIO_printf(
+ BIO_printf(sbio, "STLS\r\
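Review bot: both lines of this hunk are truncated on the page, the `-` line at `BIO_printf(` and the `+` line at `STLS\r\`, so the replacement string is not recoverable from what is shown; the only complete reference left is the stated location, line 1135 of the openssl-1.0.0d source, and the s_client output further down is what actually documents the behaviour.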
Line 1162 (for IMAP)
- BIO_printf(sbio,". STARTTLS\r\n");
+ BIO_printf(sbio,". STARTTLS\
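Review bot: the `-` line is intact and shows the original tagged command `. STARTTLS\r\n`, but the `+` line is cut off at the backslash, so whatever follows `. STARTTLS` in the modified build is not visible here; a reader checking the claim has only the line number (1162) and the s_client output that follows.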
I then ran "apps/openssl s_client -starttls imap -connect SERVER:143" and the following was returned; note that I have added the BEGIN OUTPUT and END OUTPUT lines for clarity:
###BEGIN OUTPUT###
CONNECTED(00000003)
CERTIFICATE INFO REMOVED
---
No client certificate CA names sent
---
SSL handshake has read 4386 bytes and written 574 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: A611E8DC00202F3
Session-ID-ctx:
Master-Key: 4C89974198BDEEE
Key-Arg : None
PSK identity: None
PSK identity hint: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - 0d c2 4d 88 43 41 bd ab-7c 6f a0 f1 77 aa 0e 72 ..M.CA..|o..w..r
0010 - 48 61 94 27 ea db 3b b4-af 65 46 b0 01 9d 0d 32 Ha.'..;..eF....2
0020 - df d9 b6 e9 e5 bd 90 83-96 b5 e1 aa b2 9f 25 ea ..............%.
0030 - 68 3c a9 d1 34 c6 49 22-78 3a 8f 53 77 4a cd 63 h<..4.I"x:.SwJ.c
0040 - a2 d8 ed 7a bf 38 6c a9-54 be 5d 34 43 24 ef 1e ...z.8l.T.]4C$..
0050 - a2 c7 0a 5e 76 82 19 24-5e 76 f1 c2 5a 44 88 b0 ...^v..$^v..ZD..
0060 - ec f1 66 81 73 18 7e eb-c8 db 3b 60 f6 f1 c6 7d ..f.s.~...;`...}
0070 - c5 ba 4e c6 84 8c 6b 52-d9 c0 a6 ca cd 09 1a c2 ..N...kR........
0080 - c8 70 54 5f be dd b4 d3-c3 43 97 ef c6 28 38 9f .pT_.....C...(8.
0090 - 48 90 e5 d9 16 70 8e 9f-63 59 b5 9b 39 8e 16 1f H....p..cY..9...
Start Time: 1372193468
Timeout : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---
. OK CAPABILITY completed
* CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=
CAPABILITY OK CAPABILITY completed
###END OUTPUT###
The lines after ". OK CAPABILITY completed" do not appear when using an unmodified version of OpenSSL.
I also ran "apps/openssl s_client -starttls pop3 -connect SERVER:110" which returned the following:
###BEGIN OUTPUT###
CONNECTED(00000003)
CERTIFICATE INFORMATION REMOVED
---
No client certificate CA names sent
---
SSL handshake has read 4003 bytes and written 548 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: AAA8F67BC4C74C4
Session-ID-ctx:
Master-Key: 0BCDC54221B3B96
Key-Arg : None
PSK identity: None
PSK identity hint: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - 40 73 72 79 2c a8 4d 93-e6 29 9a 44 5a 4a 14 6f @sry,.M..).DZJ.o
0010 - b5 11 4c 8b bc a3 2d 09-51 d8 7d c0 35 d1 ed 31 ..L...-.Q.}.5..1
0020 - b9 21 6a 7d 6b 84 25 05-e6 c7 83 92 20 08 33 e6 .!j}k.%..... .3.
0030 - 6a 09 5f c6 c6 be 0c c6-86 0d 38 bd 65 b1 b6 80 j._.......8.e...
0040 - e8 44 3e 7b de 39 85 09-3a e7 34 84 de 92 d9 4c .D>{.9..:.4....L
0050 - 83 05 ec 7a e8 8b 16 d7-60 7b b9 f2 16 41 52 04 ...z....`{...AR.
0060 - 10 5d 43 49 ad c6 47 91-47 ec 4e ab ee 6d 00 54 .]CI..G.G.N..m.T
0070 - 6a 07 66 f2 64 03 2f e9-7a 3c 89 0c af 82 2f 14 j.f.d./.z<..../.
0080 - f8 cd 8f 8e 1c 85 65 ba-29 52 cb ff e9 40 ad 09 ......e.)R...@..
0090 - b0 c6 71 f3 82 22 d4 71-6c ef 71 8c 7f c5 64 6a ..q..".ql.q...dj
Start Time: 1372193706
Timeout : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---
+OK Hello there.
+OK Here's what I can do:
TOP
USER
LOGIN-DELAY 10
PIPELINING
UIDL
IMPLEMENTATION Courier Mail Server
.
###END OUTPUT###
The lines after "+OK Hello there." do not appear when using an unmodified version of OpenSSL.
It appears that the read stream/buffer is not replaced or flushed when the TLS session begins and remaining plaintext commands are executed.
I noticed the lines in the output about self signed certificates in the chain and tried STARTTLS/STLS after I was connected but was returned an error consistent with a TLS session already existing.
I've scoured the internet searching for some mention or solution to this issue. The only thing I've found that directly addresses this issue is a page on the Parallels' forums (http://
I asked about this in the Answers section and was directed to file a bug report.
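The buffer behaviour the report describes, modelled as an added example (this is not Courier's code and not from the report): `vulnerable_upgrade` acknowledges STLS/STARTTLS and switches to TLS while leaving any plaintext that arrived behind the command in the server's read buffer, so it is later executed as if it had come over TLS; `safe_upgrade` treats the STARTTLS line as the last cleartext the peer may send and refuses the upgrade if anything follows it. The TLS handshake is represented by a flag, the function and class names are hypothetical, and the wire bytes in the test run are constructed.

```python
"""Cleartext-to-TLS transition in a POP3/IMAP server: buggy vs. hardened.

Added example, not Courier's code.  Only the server-side read buffer around
STLS (POP3) / STARTTLS (IMAP) is modelled; the handshake itself is a flag.
"""
from dataclasses import dataclass, field

CRLF = b"\r\n"


@dataclass
class Session:
    protocol: str                                   # "pop3" or "imap"
    buf: bytes = b""                                # read from the socket, not yet consumed
    tls_active: bool = False
    responses: list = field(default_factory=list)   # what the server sent back
    executed: list = field(default_factory=list)    # commands run inside the TLS phase


def read_line(session: Session):
    """Pop one CRLF-terminated line from the buffer, or None if none is complete."""
    idx = session.buf.find(CRLF)
    if idx < 0:
        return None
    line, session.buf = session.buf[:idx], session.buf[idx + 2:]
    return line


def parse_starttls(protocol: str, line: bytes):
    """Return (is_starttls, tag). IMAP commands carry a tag, POP3 commands do not."""
    words = line.split()
    if protocol == "pop3":
        return len(words) == 1 and words[0].upper() == b"STLS", None
    if protocol == "imap":
        tag = words[0] if words else b"*"
        return len(words) == 2 and words[1].upper() == b"STARTTLS", tag
    raise ValueError(f"unknown protocol {protocol!r}")


def ok(protocol: str, tag, text: bytes) -> bytes:
    return b"+OK " + text if protocol == "pop3" else tag + b" OK " + text


def err(protocol: str, tag, text: bytes) -> bytes:
    return b"-ERR " + text if protocol == "pop3" else tag + b" BAD " + text


def vulnerable_upgrade(session: Session) -> bool:
    """Behaviour the report describes: acknowledge STARTTLS and flip to TLS,
    but keep whatever plaintext already sat in the buffer behind the command."""
    line = read_line(session)
    if line is None:
        return False                                # need more data
    is_tls, tag = parse_starttls(session.protocol, line)
    if not is_tls:
        session.responses.append(err(session.protocol, tag, b"STARTTLS expected"))
        return False
    session.responses.append(ok(session.protocol, tag, b"Begin TLS negotiation now."))
    session.tls_active = True                       # real server: handshake happens here
    # BUG: session.buf may still hold cleartext; it will be read as TLS-phase input.
    return True


def safe_upgrade(session: Session) -> bool:
    """Hardened form: any bytes trailing the STARTTLS line were pipelined ahead
    of the handshake, so the upgrade is refused and the buffer emptied."""
    line = read_line(session)
    if line is None:
        return False
    is_tls, tag = parse_starttls(session.protocol, line)
    if not is_tls:
        session.responses.append(err(session.protocol, tag, b"STARTTLS expected"))
        return False
    if session.buf:
        session.responses.append(
            err(session.protocol, tag, b"plaintext after STARTTLS, closing connection"))
        session.buf = b""                           # nothing from the cleartext phase survives
        return False
    session.responses.append(ok(session.protocol, tag, b"Begin TLS negotiation now."))
    session.tls_active = True
    return True


def run_tls_phase(session: Session) -> None:
    """Stand-in for the post-handshake loop: buffered lines are treated as encrypted input."""
    while (line := read_line(session)) is not None:
        words = line.split()
        tag = (words[0] if words else b"*") if session.protocol == "imap" else None
        session.executed.append(line)
        session.responses.append(ok(session.protocol, tag, b"done"))


def simulate(protocol: str, wire: bytes, upgrade) -> Session:
    """Feed constructed cleartext-phase bytes through one upgrade strategy."""
    session = Session(protocol=protocol, buf=wire)
    if upgrade(session):
        run_tls_phase(session)
    return session


if __name__ == "__main__":
    # Constructed wire data: STARTTLS with a capability request pipelined behind it.
    for proto, wire in (("pop3", b"STLS\r\nCAPA\r\n"),
                        ("imap", b"a1 STARTTLS\r\na2 CAPABILITY\r\n")):
        for name, strategy in (("vulnerable", vulnerable_upgrade), ("safe", safe_upgrade)):
            s = simulate(proto, wire, strategy)
            print(proto, name, "executed inside TLS:", s.executed, "responses:", s.responses)
```

Refusing the upgrade, rather than silently discarding the trailing bytes, is the conservative choice: a pipelined command ahead of the handshake is never legitimate, and an explicit error leaves a trace in the server log that a scan or an attempt was made. In a real daemon the equivalent fix is to make sure the TLS layer starts reading from the raw socket with no user-space buffered bytes left over from the cleartext phase.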
CVE References
tags: added: security
tags: added: quantal
Changed in courier (Debian):
status: Unknown → Confirmed
I was just able to reproduce this flaw with courier 0.66.1-1ubuntu4.
There was a discussion on this issue on the courier mailing list providing some good insights:
http://sourceforge.net/p/courier/mailman/message/31522221/
If I understand that thread right, this bug can be set to low importance or even be closed.