A segmentation fault due to a null pointer dereference has been found in the IMAP STATUS command handling component. The error occurs in mailimap_mailbox_data_status_free in low-level/imap/mailimap_types.c when it tries to free st_info_list of mb_data_status. The segmentation fault is triggered when an invalid STATUS response is received. This can at least lead to a Denial of Service.
I have attached a ZIP file, which contains files needed for reproduction.
How to reproduce
See reproduction_logs.txt in ZIP on how to reproduce.
Expected output:
dummy@dummy-mars:~/VResearch/$ LD_LIBRARY_PATH=$LD_LIBRARY_PATH:libetpan/src/.libs/ ./sender abc abc
connect: 2
Building structure list
Sending STATUS ..
Segmentation fault (core dumped)
Explanation of Vulnerability
The null pointer dereference occurs when the mailimap_mailbox_data_status structure is being freed in mailimap_mailbox_data_status_free and info->st_info_list is a NULL pointer.
* STATUS "RUU" ()
When the STATUS response above is received, mailimap_mailbox_data_status_parse is called. mailimap_mailbox_data_status_parse will call mailimap_struct_spaced_list_parse. Due to invalid info fields in the STATUS response, mailimap_struct_spaced_list_parse will return MAILIMAP_ERROR_PARSE (code 5). With info fields, I am referring to the information fields that should be included inside the parentheses. mailimap_mailbox_data_status_parse does not stop execution when MAILIMAP_ERROR_PARSE is received. Instead, it will continue and call mailimap_mailbox_data_status_new, passing down status_info_list, which is NULL. See https://github.com/dinhvh/libetpan/blob/master/src/low-level/imap/mailimap_parser.c#L6613 for the MAILIMAP_ERROR_PARSE check.
mailimap_mailbox_data_status_new will then not check whether st_info_list is NULL and adds it to mb_data_status. Below is the snippet of mailimap_mailbox_data_status_new.
Later, when mailimap_mailbox_data_status_free is called to attempt to free the built-up structures, the function does not check whether st_info_list is valid and passes it to clist_foreach. Below are snippets of clist_foreach and clist_begin to illustrate the issue. If a NULL pointer is passed down, this will lead to a segmentation fault.
The simplest fix I could come up with in a short time period was to check inside mailimap_mailbox_data_status_new whether st_info_list is NULL. If yes, return NULL. See below:
The above change leaves a memory leak for mb_data_status, so I think the above change needs fixing.
Instead, how about just adding a null check in mailimap_mailbox_data_status_free?
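As an added illustration of the two fixes discussed above (this is not libetpan's code; clist, the status structures and every function name below are simplified stand-ins written for this example), the C model shows the constructor storing a NULL st_info_list after a failed list parse, the free routine that hands that NULL straight to clist_foreach, and the free routine with the null check proposed in the comment above, which releases the mailbox name and the object instead of leaking them the way a NULL-returning constructor would:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-in for libetpan's clist (hypothetical reconstruction, not
 * the library's code): a singly linked list whose traversal starts at first. */
typedef struct clistcell { void *data; struct clistcell *next; } clistcell;
typedef struct clist { clistcell *first; } clist;
typedef void (*clist_func)(void *data, void *context);

clist *clist_new(void) { return calloc(1, sizeof(clist)); }

int clist_append(clist *l, void *data) {
    clistcell *c = malloc(sizeof *c);
    if (c == NULL) return -1;
    c->data = data;
    c->next = NULL;
    if (l->first == NULL) {
        l->first = c;
    } else {
        clistcell *t = l->first;
        while (t->next != NULL) t = t->next;
        t->next = c;
    }
    return 0;
}

/* Like the clist_foreach/clist_begin pair in the issue: the list pointer is
 * dereferenced immediately, so passing NULL crashes here. */
void clist_foreach(clist *l, clist_func fn, void *context) {
    for (clistcell *c = l->first; c != NULL; c = c->next) fn(c->data, context);
}

void clist_free(clist *l) {
    clistcell *c = l->first;
    while (c != NULL) { clistcell *n = c->next; free(c); c = n; }
    free(l);
}

/* Stand-ins for the status info entry and the mailbox STATUS object. */
struct status_info { int st_att; unsigned int st_value; };
struct mailbox_data_status { char *st_mailbox; clist *st_info_list; };

/* Constructor as the issue describes it: st_info_list is stored without a NULL
 * check, so a failed spaced-list parse leaves a NULL list inside the object. */
struct mailbox_data_status *status_new(char *mailbox, clist *infos) {
    struct mailbox_data_status *s = malloc(sizeof *s);
    if (s == NULL) return NULL;
    s->st_mailbox = mailbox;
    s->st_info_list = infos;
    return s;
}

static void status_info_free_cb(void *data, void *context) {
    int *freed = context;
    free(data);
    (*freed)++;
}

/* The pattern the issue reports: no check before clist_foreach. */
void status_free_unchecked(struct mailbox_data_status *s, int *freed) {
    clist_foreach(s->st_info_list, status_info_free_cb, freed); /* NULL list: segfault */
    clist_free(s->st_info_list);
    free(s->st_mailbox);
    free(s);
}

/* The null check suggested in the discussion: safe for a NULL st_info_list,
 * and the mailbox name and the object itself are still released (no leak). */
void status_free_checked(struct mailbox_data_status *s, int *freed) {
    if (s == NULL) return;
    if (s->st_info_list != NULL) {
        clist_foreach(s->st_info_list, status_info_free_cb, freed);
        clist_free(s->st_info_list);
    }
    free(s->st_mailbox);
    free(s);
}

static char *copy_string(const char *src) {
    char *dst = malloc(strlen(src) + 1);
    if (dst != NULL) strcpy(dst, src);
    return dst;
}

/* Builds a STATUS object the way the parser would leave it (with_infos = 0
 * models '* STATUS "RUU" ()' after the failed list parse, with_infos = 1 a
 * valid response with two entries) and frees it with the checked routine.
 * Returns how many info entries were released. */
int build_and_free(int with_infos) {
    clist *infos = NULL;
    if (with_infos) {
        infos = clist_new();
        for (int i = 0; i < 2; i++) {
            struct status_info *si = malloc(sizeof *si);
            si->st_att = i;
            si->st_value = 0;
            clist_append(infos, si);
        }
    }
    struct mailbox_data_status *s = status_new(copy_string("RUU"), infos);
    int freed = 0;
    status_free_checked(s, &freed);
    return freed;
}

int main(void) {
    printf("NULL st_info_list freed safely, %d entries released\n", build_and_free(0));
    printf("populated st_info_list, %d entries released\n", build_and_free(1));
    return 0;
}
```

Calling status_free_unchecked on the object built for the empty STATUS response reproduces the crash described in the issue, since clist_foreach reads l->first from a NULL pointer; status_free_checked handles the same object without dereferencing the list, which is why a check at the free site is preferable to returning NULL from the constructor and leaving the already allocated object and mailbox name unfreed.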
Issue title: IMAP STATUS Command Null Pointer Dereference
Attachment: PoC-NullPtrDeref-STATUS.zip