[Darklab] Back to old school ?

casek casek at uberwall.org
Thu Jan 5 15:56:08 CET 2006


Hey everybody,

Ok so i have the honor to start the first thread of this new year :)
While auditing different imapd implementations i was pretty surprised
by the SELECT command which allows you to select the mailbox you want.
From the implementation i was testing at this moment (confirmed later
when i was reading the rfcs) it's possible to make the imap server 
connect to others to read remote mailboxes. Imho from a security 
point of view it's really horrible. So chaining imap servers is possible 
or maybe scanning hosts with the SELECT command (1 SELECT "{ip:port}").

It just makes us remember old school ftp bounce scanning... long time ago.
I just did a quick poc yesterday (but multi threaded and taking care of
the number of connections made.. for logs). The interesting part is not
using an imap server to scan hosts over internet.. but much more if you
are in the case of a shared imap server between a corporate net and inet.
In this case you would be able to scan the corpo net from inet.
All you need is an imap account on the target box. The tool i did 
can just tell you if the scanned host has ports closed or open/filtered.
Just a few lines of code more and you would be able to interpret imapd 
answers to see if the port is effectively open or just "no answer"/filtered.

I didn't find anything around it on google... i'm sure a lot of people
already thought about using imap or other protocols for different usages
than the "normal" ones. Does somebody know this kind of old stuff ?
Has somebody already worked on "chained" imap connections ?

You can find the poc here:
hxxp://uberwall.org/releases/UWloveimap.tgz
It was coded on freebsd but it is compilable without too much warnings on linux.
 
Cheerz and all the best for this new year.

Regards,
csk

-- 
/* csk <casek at uberwall.org> 11D3A9C2 */
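The behaviour described in the post (SELECT/EXAMINE on a mailbox name of the form "{host:port}" makes the server open a connection to that host) is easy to spot server-side. The following is an added example, not code from the post or from UWloveimap: a Python detector that parses constructed per-session IMAP command log lines and flags sessions that select many distinct remote hosts/ports. The log line format, the session and client fields and the default port of 143 when none is given are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log (not real data). Assumed format per line:
#   <session-id> <client-ip> <tag> <COMMAND> <arguments>
SAMPLE_LOG = """\
s1 198.51.100.7 a1 LOGIN alice secret
s1 198.51.100.7 a2 SELECT "INBOX"
s2 198.51.100.9 b1 LOGIN bob secret
s2 198.51.100.9 b2 SELECT "{10.0.0.5:25}"
s2 198.51.100.9 b3 SELECT "{10.0.0.5:80}"
s2 198.51.100.9 b4 SELECT "{10.0.0.6:22}INBOX"
s2 198.51.100.9 b5 EXAMINE "{10.0.0.7:443}"
s3 198.51.100.11 c1 SELECT "Sent"
"""

# A mailbox name beginning with {host[:port][/flags]} asks the server to
# open a connection to another host instead of a local folder.
REMOTE_MBOX = re.compile(r'^"?\{([^}:/]+)(?::(\d+))?[^}]*\}')
DEFAULT_IMAP_PORT = 143  # assumed default when the name carries no port


def parse_line(line):
    """Split one log line into its fields; None if it is malformed."""
    parts = line.split(None, 4)
    if len(parts) < 5:
        return None
    session, client, tag, cmd, args = parts
    return {"session": session, "client": client, "tag": tag,
            "cmd": cmd.upper(), "args": args}


def remote_target(mailbox):
    """Return (host, port) if the mailbox name points at a remote host."""
    m = REMOTE_MBOX.match(mailbox.strip())
    if not m:
        return None
    port = int(m.group(2)) if m.group(2) else DEFAULT_IMAP_PORT
    return (m.group(1), port)


def find_bounce_sessions(log_text, threshold=3):
    """Sessions that opened at least `threshold` distinct remote targets."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["cmd"] not in ("SELECT", "EXAMINE"):
            continue
        target = remote_target(rec["args"])
        if target:
            targets[rec["session"]].add(target)
    return {s: sorted(t) for s, t in targets.items() if len(t) >= threshold}
```

A single remote mailbox per session is normal for users who proxy to another server; the threshold separates that from a session walking through many host/port pairs.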


