pop3 and imap tls plaintext command injection

Bug #1194892 reported by arthur
This bug affects 2 people

Affects           Status     Importance  Assigned to  Milestone
courier (Debian)  Confirmed  Unknown
courier (Ubuntu)  Confirmed  Undecided   Unassigned

Bug Description

This issue is related to courier-imap and courier-pop with TLS installed from the repositories on Ubuntu 12.10; the installed versions are 4.9.1-1ubuntu4 for IMAP and 0.66.1-ubuntu4 for POP3.

After running a Nessus scan, the following vulnerabilities were listed related to courier-imap and courier-pop: IMAP Service STARTTLS Plaintext Command Injection and POP3 Service STLS Plaintext Command Injection. More information about the Nessus results themselves can be found at http://www.tenable.com/plugins/index.php?view=single&id=52609 and http://www.tenable.com/plugins/index.php?view=single&id=52610. The CVEs referenced at those links only seem to indicate that the problem existed in Postfix; however, following the instructions at http://www.postfix.org/CVE-2011-0411.html to modify OpenSSL produces similar results for Courier-imap/pop3.

Specifically, I downloaded the source for openssl-1.0.0d (http://www.openssl.org/source/openssl-1.0.0d.tar.gz) and made the following changes to apps/s_client.c:

    Line 1135 (for POP3)
    - BIO_printf(sbio,"STLS\r\n");
    + BIO_printf(sbio, "STLS\r\nCAPA\r\n");
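Review bot: style only: the `+` line introduces a space after the comma (`BIO_printf(sbio, "STLS\r\nCAPA\r\n");`) where the `-` line and the surrounding s_client.c code have none; keeping the file's own spacing makes the hand edit easier to diff against the pristine source.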

    Line 1162 (for IMAP)
    - BIO_printf(sbio,". STARTTLS\r\n");
    + BIO_printf(sbio,". STARTTLS\r\n\CAPABILITY\r\n");
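Review bot: the `+` line has a stray backslash before CAPABILITY (`"\r\n\CAPABILITY\r\n"`): `\C` is not a valid C escape sequence, so the compiler warns and most compilers simply emit the letter `C`, which is why the build still produced a working test. The injected command also carries no tag while the `. STARTTLS` it follows does, and the server reply in the output below echoes `CAPABILITY` in the tag position; mirroring the POP3 hunk with `BIO_printf(sbio,". STARTTLS\r\n. CAPABILITY\r\n");` gives a tagged command and a reply that is easier to read.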

I then ran "apps/openssl s_client -starttls imap -connect SERVER:143" and the following was returned; note that I have added the BEGIN OUTPUT and END OUTPUT lines for clarity:

###BEGIN OUTPUT###
CONNECTED(00000003)
CERTIFICATE INFO REMOVED
---
No client certificate CA names sent
---
SSL handshake has read 4386 bytes and written 574 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol : TLSv1
    Cipher : AES256-SHA
    Session-ID: A611E8DC00202F3FF9743F8E0496E39115460895A5B0DCF0CAED5E5717D9C152
    Session-ID-ctx:
    Master-Key: 4C89974198BDEEEDE387531AC371679086953923A08FB828D8DBCD977F7392D4C9627222E91591FF4C4F6FBD8201BBE8
    Key-Arg : None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 0d c2 4d 88 43 41 bd ab-7c 6f a0 f1 77 aa 0e 72 ..M.CA..|o..w..r
    0010 - 48 61 94 27 ea db 3b b4-af 65 46 b0 01 9d 0d 32 Ha.'..;..eF....2
    0020 - df d9 b6 e9 e5 bd 90 83-96 b5 e1 aa b2 9f 25 ea ..............%.
    0030 - 68 3c a9 d1 34 c6 49 22-78 3a 8f 53 77 4a cd 63 h<..4.I"x:.SwJ.c
    0040 - a2 d8 ed 7a bf 38 6c a9-54 be 5d 34 43 24 ef 1e ...z.8l.T.]4C$..
    0050 - a2 c7 0a 5e 76 82 19 24-5e 76 f1 c2 5a 44 88 b0 ...^v..$^v..ZD..
    0060 - ec f1 66 81 73 18 7e eb-c8 db 3b 60 f6 f1 c6 7d ..f.s.~...;`...}
    0070 - c5 ba 4e c6 84 8c 6b 52-d9 c0 a6 ca cd 09 1a c2 ..N...kR........
    0080 - c8 70 54 5f be dd b4 d3-c3 43 97 ef c6 28 38 9f .pT_.....C...(8.
    0090 - 48 90 e5 d9 16 70 8e 9f-63 59 b5 9b 39 8e 16 1f H....p..cY..9...

    Start Time: 1372193468
    Timeout : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
. OK CAPABILITY completed
* CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE AUTH=PLAIN ACL ACL2=UNION
CAPABILITY OK CAPABILITY completed
###END OUTPUT###

The lines after ". OK CAPABILITY completed" do not appear when using an unmodified version of OpenSSL.

I also ran "apps/openssl s_client -starttls pop3 -connect SERVER:110" which returned the following:

###BEGIN OUTPUT###
CONNECTED(00000003)
CERTIFICATE INFORMATION REMOVED
---
No client certificate CA names sent
---
SSL handshake has read 4003 bytes and written 548 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol : TLSv1
    Cipher : AES256-SHA
    Session-ID: AAA8F67BC4C74C451173CA106B8391F475391577850B17CDE71F1407476F7D72
    Session-ID-ctx:
    Master-Key: 0BCDC54221B3B96703FC9FCEDCEB951D28250542EAA38A17859B969F704AADDF7EDC499B53C709E29CD2C5CDE152897B
    Key-Arg : None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 40 73 72 79 2c a8 4d 93-e6 29 9a 44 5a 4a 14 6f @sry,.M..).DZJ.o
    0010 - b5 11 4c 8b bc a3 2d 09-51 d8 7d c0 35 d1 ed 31 ..L...-.Q.}.5..1
    0020 - b9 21 6a 7d 6b 84 25 05-e6 c7 83 92 20 08 33 e6 .!j}k.%..... .3.
    0030 - 6a 09 5f c6 c6 be 0c c6-86 0d 38 bd 65 b1 b6 80 j._.......8.e...
    0040 - e8 44 3e 7b de 39 85 09-3a e7 34 84 de 92 d9 4c .D>{.9..:.4....L
    0050 - 83 05 ec 7a e8 8b 16 d7-60 7b b9 f2 16 41 52 04 ...z....`{...AR.
    0060 - 10 5d 43 49 ad c6 47 91-47 ec 4e ab ee 6d 00 54 .]CI..G.G.N..m.T
    0070 - 6a 07 66 f2 64 03 2f e9-7a 3c 89 0c af 82 2f 14 j.f.d./.z<..../.
    0080 - f8 cd 8f 8e 1c 85 65 ba-29 52 cb ff e9 40 ad 09 ......e.)R...@..
    0090 - b0 c6 71 f3 82 22 d4 71-6c ef 71 8c 7f c5 64 6a ..q..".ql.q...dj

    Start Time: 1372193706
    Timeout : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
+OK Hello there.
+OK Here's what I can do:
TOP
USER
LOGIN-DELAY 10
PIPELINING
UIDL
IMPLEMENTATION Courier Mail Server
.
###END OUTPUT###

The lines after "+OK Hello there." do not appear when using an unmodified version of OpenSSL.

It appears that the read stream/buffer is not replaced or flushed when the TLS session begins, and the remaining plaintext commands are executed.

I noticed the lines in the output about self signed certificates in the chain and tried STARTTLS/STLS after I was connected but was returned an error consistent with a TLS session already existing.

I've scoured the internet searching for some mention or solution to this issue. The only thing I've found that directly addresses this issue is a page on the Parallels forums (http://forum.parallels.com/showthread.php?112207-Vulnerability-STARTTLS-in-Courier-CVE-2011-0411) and corresponding patches to the courier implementation in Plesk.

I asked about this in the Answers section and was directed to file a bug report.
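The buffering behaviour described in the report, and the usual remediation for it, as an added simulation that is not Courier's or OpenSSL's code: a minimal POP3 command loop over a constructed in-memory transport (no real TLS is negotiated; start_tls() only marks the point after which bytes count as protected). With flush_on_stls=False the server keeps whatever it already read alongside STLS and executes it after the handshake while believing it arrived over TLS; with flush_on_stls=True it discards the pre-handshake remainder, so only commands actually received after the handshake run, and a well-behaved client that waits for the handshake before sending CAPA is unaffected. The class and function names and the sample chunks are assumptions made for this example.

```python
"""Added simulation of STLS plaintext command injection and its fix.
Not Courier or OpenSSL code; the transport is an in-memory stand-in."""


class FakeSocket:
    """In-memory transport. Each constructed inbound chunk is delivered by
    one recv() call; start_tls() marks the point after which data is
    considered TLS-protected (no cryptography is performed)."""

    def __init__(self, inbound_chunks):
        self.inbound = list(inbound_chunks)
        self.tls_active = False
        self.sent = []

    def recv(self):
        return self.inbound.pop(0) if self.inbound else b""

    def send(self, data):
        self.sent.append(data)

    def start_tls(self):
        self.tls_active = True


class Pop3Server:
    """Minimal POP3 loop (greeting, STLS, CAPA, QUIT).

    flush_on_stls=False reproduces the reported behaviour: bytes left in the
    read buffer from before the handshake are executed afterwards.
    flush_on_stls=True applies the fix: that remainder is discarded.
    """

    def __init__(self, sock, flush_on_stls):
        self.sock = sock
        self.flush_on_stls = flush_on_stls
        self.buf = b""
        self.buf_over_tls = False   # TLS state when the buffered bytes arrived
        self.executed = []          # (command, server_thinks_tls, really_tls)

    def readline(self):
        while b"\r\n" not in self.buf:
            chunk = self.sock.recv()
            if not chunk:
                return None
            self.buf += chunk
            self.buf_over_tls = self.sock.tls_active
        line, _, self.buf = self.buf.partition(b"\r\n")
        return line

    def serve(self):
        self.sock.send(b"+OK Hello there.\r\n")
        while (line := self.readline()) is not None:
            cmd = line.split(b" ", 1)[0].upper().decode("ascii", "replace")
            self.executed.append((cmd, self.sock.tls_active, self.buf_over_tls))
            if cmd == "STLS":
                self.sock.send(b"+OK Begin TLS negotiation now.\r\n")
                if self.flush_on_stls:
                    # The fix: anything read before the handshake is plaintext
                    # and must not be executed as if it had arrived over TLS.
                    self.buf = b""
                self.sock.start_tls()
            elif cmd == "CAPA":
                self.sock.send(b"+OK Here's what I can do:\r\nTOP\r\nUSER\r\n.\r\n")
            elif cmd == "QUIT":
                self.sock.send(b"+OK Bye.\r\n")
                break
            else:
                self.sock.send(b"-ERR Unknown command.\r\n")
        return self.executed


def simulate(flush_on_stls, inbound_chunks):
    """Run the server over the constructed chunks and return the executed
    commands with the server's belief about TLS protection and the actual
    state when those bytes were received."""
    return Pop3Server(FakeSocket(inbound_chunks), flush_on_stls).serve()


# Constructed inputs: the modified s_client from the report writes STLS and
# CAPA in one plaintext chunk; a well-behaved client sends CAPA only after the
# handshake, which here is a separate chunk delivered after start_tls().
INJECTED = [b"STLS\r\nCAPA\r\n"]
WELL_BEHAVED = [b"STLS\r\n", b"CAPA\r\n", b"QUIT\r\n"]

if __name__ == "__main__":
    print("vulnerable, pipelined CAPA:", simulate(False, INJECTED))
    print("fixed, pipelined CAPA:     ", simulate(True, INJECTED))
    print("fixed, well-behaved client:", simulate(True, WELL_BEHAVED))
```

In the vulnerable run the CAPA entry reads ("CAPA", True, False): the server believes the command came over TLS although the bytes were received in plaintext, which is exactly the misattribution the Nessus plugins test for. The same check can be turned into a regression test for any STARTTLS-capable server by feeding it a pipelined command and verifying that nothing is executed before the client sends again over the established session.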

arthur (zarthur)
tags: added: security
dino99 (9d9)
tags: added: quantal
Thomas Bach (t-bach) wrote :

I was just able to reproduce this flaw with courier 0.66.1-1ubuntu4.

There was a discussion on this issue on the courier mailing list providing some good insights:

http://sourceforge.net/p/courier/mailman/message/31522221/

If I understand that thread right this bug can be set to low importance or even be closed.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in courier (Ubuntu):
status: New → Confirmed
Salvatore Bonaccorso (carnil) wrote :

CVE-2021-38084 seems to be assigned for this issue.

Changed in courier (Debian):
status: Unknown → Confirmed