[Secure-testing-team] Bug#880222: courier-imap: couriertcpd running as root while listening on port 143

Lucio Crusca lucio at sulweb.org
Mon Oct 30 18:19:02 UTC 2017 

Package: courier-imap
Version: 4.17.2+0.76.3-5
Severity: grave
Tags: security
Justification: user security hole

Dear Marcus,

couriertcpd runs as root instead of the courier user for IMAP connections. 
I've not found (nor looked for) any exploit, but I think running as root while listening on a network socket is a security risk of its own.

Please have a look here: https://sourceforge.net/p/courier/mailman/message/36096805/

-- System Information:
Debian Release: 9.1
  APT prefers stable
  APT policy: (990, 'stable'), (600, 'unstable'), (400, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages courier-imap depends on:
ii  courier-authlib                     0.66.4-9
ii  courier-base                        0.76.3-5
ii  courier-mta [mail-transport-agent]  0.76.3-5
ii  debconf [debconf-2.0]               1.5.61
ii  init-system-helpers                 1.48
ii  libc6                               2.24-11+deb9u1
ii  libcourier-unicode1                 1.4-3+b1
ii  libgamin0 [libfam0]                 0.1.10-5+b1
ii  libgdbm3                            1.8.3-14
ii  libidn11                            1.33-1
ii  sysvinit-utils                      2.88dsf-59.9

courier-imap recommends no packages.

Versions of packages courier-imap suggests:
ii  courier-doc  0.76.3-5
pn  imap-client  <none>

-- Configuration Files:
/etc/courier/imapd changed:
ADDRESS=0
PORT=143
MAXDAEMONS=120
MAXPERIP=200
PIDFILE=/run/courier/imapd.pid
TCPDOPTS="-nodnslookup -noidentlookup"
IMAPACCESSFILE=/etc/courier/imapaccess
LOGGEROPTS="-name=imapd"
IMAP_CAPABILITY="IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE"
IMAP_KEYWORDS=1
IMAP_ACL=1
IMAP_CAPABILITY_ORIG="IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA AUTH=CRAM-MD5 AUTH=CRAM-SHA1 AUTH=CRAM-SHA256 IDLE"
IMAP_PROXY=0
IMAP_PROXY_FOREIGN=0
IMAP_IDLE_TIMEOUT=60
IMAP_MAILBOX_SANITY_CHECK=1
IMAP_CAPABILITY_TLS="$IMAP_CAPABILITY AUTH=PLAIN"
IMAP_CAPABILITY_TLS_ORIG="$IMAP_CAPABILITY_ORIG AUTH=PLAIN"
IMAP_DISABLETHREADSORT=0
IMAP_CHECK_ALL_FOLDERS=0
IMAP_OBSOLETE_CLIENT=0
IMAP_UMASK=022
IMAP_ULIMITD=131072
IMAP_USELOCKS=1
IMAP_SHAREDINDEXFILE=/etc/courier/shared/index
IMAP_ENHANCEDIDLE=0
IMAP_TRASHFOLDERNAME=Trash
IMAP_EMPTYTRASH=Trash:7
IMAP_MOVE_EXPUNGE_TO_TRASH=0
SENDMAIL=/usr/sbin/sendmail
HEADERFROM=X-IMAP-Sender
IMAPDSTART=YES
MAILDIRPATH=Maildir

/etc/courier/imapd-ssl changed:
SSLPORT=993
SSLADDRESS=0
SSLPIDFILE=/run/courier/imapd-ssl.pid
SSLLOGGEROPTS="-name=imapd-ssl"
IMAPDSSLSTART=YES
IMAPDSTARTTLS=YES
IMAP_TLS_REQUIRED=0
COURIERTLS=/usr/bin/couriertls
TLS_CIPHER_LIST="ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES128-SHA:DES-CBC3-SHA"
TLS_CERTFILE=/etc/courier/imapd.pem
TLS_DHPARAMS=/etc/courier/dhparams.pem
TLS_TRUSTCERTS=/etc/ssl/cert.pem
TLS_VERIFYPEER=NONE
TLS_CACHEFILE=/var/lib/courier/couriersslcache
TLS_CACHESIZE=524288
MAILDIRPATH=Maildir

/etc/courier/imapd.cnf [Errno 13] Permission denied: '/etc/courier/imapd.cnf'

-- no debconf information

More information about the Secure-testing-team mailing list