ID CVE-2008-1218
Summary Argument injection vulnerability in Dovecot 1.0.x before 1.0.13, and 1.1.x before 1.1.rc3, when using blocking passdbs, allows remote attackers to bypass the password check via a password containing TAB characters, which are treated as argument delimiters that enable the skip_password_check field to be specified.
References
Vulnerable Configurations
  • cpe:2.3:a:dovecot:dovecot:1.0.12
  • cpe:2.3:a:dovecot:dovecot:1.1:rc2
CVSS
Base: 6.8 (as of 11-03-2008 - 16:42)
Impact:
Exploitability:
CWE CWE-255
CAPEC
Access
Vector NETWORK
Complexity MEDIUM
Authentication NONE
Impact
Confidentiality PARTIAL
Integrity PARTIAL
Availability PARTIAL
exploit-db via4
description Dovecot IMAP 1.0.10. CVE-2008-1218. Remote exploits for multiple platforms
file exploits/multiple/remote/5257.py
id EDB-ID:5257
last seen 2016-01-31
modified 2008-03-14
platform multiple
port
published 2008-03-14
reporter kingcope
source https://www.exploit-db.com/download/5257/
title Dovecot IMAP 1.0.10 <= 1.1rc2 - Remote Email Disclosure Exploit
type remote
nessus via4
  • NASL family SuSE Local Security Checks
    NASL id SUSE_DOVECOT-5647.NASL
    description When configured with 'mail_extra_groups' dovecot potentially allowed users to read mail boxes of other users. This is not the case in the default configuration on openSUSE (CVE-2008-1199). By using tab characters in passwords remote attackers could potentially acquire unauthorized access (CVE-2008-1218). Flaws in caching LDAP data could lead to users getting logged in with the wrong account (CVE-2007-6598).
    last seen 2019-02-21
    modified 2016-12-22
    plugin id 34320
    published 2008-10-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=34320
    title openSUSE 10 Security Update : dovecot (dovecot-5647)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2008-2464.NASL
    description This update upgrades dovecot from version 1.0.10 to 1.0.13. Besides bug fixes, two security issues were fixed upstream in version 1.0.11 and 1.0.13. CVE-2008-1199 If Dovecot was configured with mail_extra_groups = mail, users having shell access to IMAP server could use this flaw to read, modify or delete mails of other users stored in inbox files in /var/mail. /var/mail directory is mail-group writable and user inbox files are by default created by useradd with permission 660, :mail. No mail_extra_groups is set by default, hence default Fedora configuration was not affected by this problem. If your configuration sets mail_extra_groups, see new options mail_privileged_group and mail_access_groups introduced in Dovecot 1.0.11. (mail_extra_groups is still accepted, but is deprecated now) CVE-2008-1218 On Dovecot versions 1.0.11 and newer, it was possible to gain password-less login via passwords with tab characters, which were not filtered properly. Dovecot versions in Fedora were not affected by this unauthorized login flaw, but only by a related minor memory leak in dovecot-auth worker process. See referenced bugzilla for further details about this flaw. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 31434
    published 2008-03-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=31434
    title Fedora 8 : dovecot-1.0.13-6.fc8 (2008-2464)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200803-25.NASL
    description The remote host is affected by the vulnerability described in GLSA-200803-25 (Dovecot: Multiple vulnerabilities) Dovecot uses the group configured via the 'mail_extra_groups' setting, which should be used to create lockfiles in the /var/mail directory, when accessing arbitrary files (CVE-2008-1199). Dovecot does not escape TAB characters in passwords when saving them, which might allow for argument injection in blocking passdbs such as MySQL, PAM or shadow (CVE-2008-1218). Impact : Remote attackers can exploit the first vulnerability to disclose sensitive data, such as the mail of other users, or modify files or directories that are writable by group via a symlink attack. Please note that the 'mail_extra_groups' setting is set to the 'mail' group by default when the 'mbox' USE flag is enabled. The second vulnerability can be abused to inject arguments for internal fields. No exploitation vectors are known for this vulnerability that affect previously stable versions of Dovecot in Gentoo. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-07-11
    plugin id 31612
    published 2008-03-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=31612
    title GLSA-200803-25 : Dovecot: Multiple vulnerabilities
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2008-2475.NASL
    description This update upgrades dovecot from version 1.0.10 to 1.0.13. Besides bug fixes, two security issues were fixed upstream in version 1.0.11 and 1.0.13. CVE-2008-1199 If Dovecot was configured with mail_extra_groups = mail, users having shell access to IMAP server could use this flaw to read, modify or delete mails of other users stored in inbox files in /var/mail. /var/mail directory is mail-group writable and user inbox files are by default created by useradd with permission 660, :mail. No mail_extra_groups is set by default, hence default Fedora configuration was not affected by this problem. If your configuration sets mail_extra_groups, see new options mail_privileged_group and mail_access_groups introduced in Dovecot 1.0.11. (mail_extra_groups is still accepted, but is deprecated now) CVE-2008-1218 On Dovecot versions 1.0.11 and newer, it was possible to gain password-less login via passwords with tab characters, which were not filtered properly. Dovecot versions in Fedora were not affected by this unauthorized login flaw, but only by a related minor memory leak in dovecot-auth worker process. See referenced bugzilla for further details about this flaw. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 31436
    published 2008-03-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=31436
    title Fedora 7 : dovecot-1.0.13-18.fc7 (2008-2475)
  • NASL family Misc.
    NASL id DOVECOT_AUTH_BYPASS.NASL
    description The remote host is running Dovecot, an open source IMAP4 / POP3 server for Linux / Unix. The version of Dovecot installed on the remote host uses a TAB character as a delimiter internally but fails to escape them when they appear in a password. Provided Dovecot is configured to use a blocking passdb, an attacker can leverage this issue to bypass authentication and gain access to a user's mailbox.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 31466
    published 2008-03-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=31466
    title Dovecot passdbs Argument Injection Authentication Bypass
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-593-1.NASL
    description It was discovered that the default configuration of dovecot could allow access to any email files with group 'mail' without verifying that a user had valid rights. An attacker able to create symlinks in their mail directory could exploit this to read or delete another user's email. (CVE-2008-1199) By default, dovecot passed special characters to the underlying authentication systems. While Ubuntu releases of dovecot are not known to be vulnerable, the authentication routine was proactively improved to avoid potential future problems. (CVE-2008-1218). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 31701
    published 2008-03-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=31701
    title Ubuntu 6.06 LTS / 6.10 / 7.04 / 7.10 : dovecot vulnerabilities (USN-593-1)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1516.NASL
    description Prior to this update, the default configuration for Dovecot used by Debian runs the server daemons with group mail privileges. This means that users with write access to their mail directory on the server (for example, through an SSH login) could read and also delete via a symbolic link mailboxes owned by other users for which they do not have direct access (CVE-2008-1199). In addition, an internal interpretation conflict in password handling has been addressed proactively, even though it is not known to be exploitable (CVE-2008-1218). Note that applying this update requires manual action: The configuration setting 'mail_extra_groups = mail' has been replaced with 'mail_privileged_group = mail'. The update will show a configuration file conflict in /etc/dovecot/dovecot.conf. It is recommended that you keep the currently installed configuration file, and change the affected line. For your reference, the sample configuration (without your local changes) will have been written to /etc/dovecot/dovecot.conf.dpkg-new. If your current configuration uses mail_extra_groups with a value different from 'mail', you may have to resort to the mail_access_groups configuration directive.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 31587
    published 2008-03-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=31587
    title Debian DSA-1516-1 : dovecot - privilege escalation
packetstorm via4
data source https://packetstormsecurity.com/files/download/64608/dovecot-disclose.txt
id PACKETSTORM:64608
last seen 2016-12-05
published 2008-03-15
reporter Kingcope
source https://packetstormsecurity.com/files/64608/dovecot-disclose.txt.html
title dovecot-disclose.txt
refmap via4
bid 28181
bugtraq 20080312 rPSA-2008-0108-1 dovecot
confirm https://issues.rpath.com/browse/RPL-2341
debian DSA-1516
exploit-db 5257
fedora
  • FEDORA-2008-2464
  • FEDORA-2008-2475
gentoo GLSA-200803-25
misc http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0108
mlist
  • [Dovecot-news] 20080309 Security hole #6: Some passdbs allowed users to log in without a valid password
  • [Dovecot-news] 20080309 v1.0.13 and v1.1.rc3 released
secunia
  • 29226
  • 29295
  • 29364
  • 29385
  • 29396
  • 29557
  • 32151
suse SUSE-SR:2008:020
ubuntu USN-593-1
xf dovecot-tab-authentication-bypass(41085)
statements via4
contributor Joshua Bressers
lastmodified 2008-03-12
organization Red Hat
statement Not vulnerable. This issue did not affect versions of Dovecot as shipped with Red Hat Enterprise Linux 4 or 5.
Last major update 07-03-2011 - 22:06
Published 10-03-2008 - 19:44
Last modified 11-10-2018 - 16:30