CVE-2006-5487
Marshal MailMarshal ARJ Extraction Directory Traversal Vulnerability
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
Directory traversal vulnerability in Marshal MailMarshal SMTP 5.x, 6.x, and 2006, and MailMarshal for Exchange 5.x, allows remote attackers to write arbitrary files via ".." sequences in filenames in an ARJ compressed archive.
Vulnerabilidad de salto de directorio en el Marshal MailMarshal SMTP 5.x, 6.x, y 2006, y MailMarshal para Exchange 5.x, permite a atacantes remotos escribir ficheros de su elección mediante secuencias ".." en los nombres de fichero de un archivo comprimido ARJ.
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Marshal MailMarshal (formerly of NetIQ). Authentication is not required to exploit this vulnerability.
The specific flaw exists within the extraction and scanning of ARJ compressed attachments. Due to incorrect sandboxing of extracted filenames that contain directory traversal modifiers such as "../", an attacker can cause an executable to be created in an arbitrary location.
While currently existing files can not be over written, an attacker may leverage this vulnerability in a number of ways. For example, by placing a malicious binary in the "all users" startup folder.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2006-10-24 CVE Reserved
- 2006-11-10 CVE Published
- 2023-10-22 EPSS Updated
- 2024-08-07 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CAPEC
References (9)
| URL | Tag | Source |
|---|---|---|
| http://securityreason.com/securityalert/1857 | Third Party Advisory | |
| http://securitytracker.com/id?1017209 | Vdb Entry | |
| http://www.securityfocus.com/archive/1/451143/100/0/threaded | Mailing List | |
| http://www.securityfocus.com/bid/20999 | Vdb Entry | |
| http://www.vupen.com/english/advisories/2006/4457 | Vdb Entry | |
| https://exchange.xforce.ibmcloud.com/vulnerabilities/30188 | Vdb Entry |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| http://www.marshal.com/kb/article.aspx?id=11450 | 2018-10-17 | |
| http://www.zerodayinitiative.com/advisories/ZDI-06-039.html | 2018-10-17 |
| URL | Date | SRC |
|---|---|---|
| http://secunia.com/advisories/22806 | 2018-10-17 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Marshal Search vendor "Marshal" | Mailmarshal Smtp Search vendor "Marshal" for product "Mailmarshal Smtp" | 5.0 Search vendor "Marshal" for product "Mailmarshal Smtp" and version "5.0" | - |
Affected
| ||||||
| Marshal Search vendor "Marshal" | Mailmarshal Smtp Search vendor "Marshal" for product "Mailmarshal Smtp" | 6.0 Search vendor "Marshal" for product "Mailmarshal Smtp" and version "6.0" | - |
Affected
| ||||||
| Marshal Search vendor "Marshal" | Mailmarshal Smtp Search vendor "Marshal" for product "Mailmarshal Smtp" | 2006 Search vendor "Marshal" for product "Mailmarshal Smtp" and version "2006" | - |
Affected
| ||||||