602Pro LAN Suite Discloses Files on the System to Remote Authenticated Users
|
|
SecurityTracker Alert ID: 1007812
|
|
CVE Reference: GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Sep 25 2003
|
Impact: Disclosure of system information, Disclosure of user information
|
Fix Available: Yes
Exploit Included: Yes
Vendor Confirmed: Yes
|
Version(s): 2003.0.3.0828
|
Description: Phuong Nguyen reported several vulnerabilities in 602Pro LAN Suite. A remote authenticated user can view arbitrary files on the target system. A remote authenticated user can also obtain information about WebMail users.
It is reported that the software does not properly validate 'GetFile' requests. A remote authenticated WebMail user can invoke m602cl3w.exe
with the GetFile option to view arbitrary files on the system with the privileges of the web server. Files that can be read include
the e-mail of other users on the system.
A demonstration exploit URL is provided:
http://[target]/mail/m602cl3w.exe?A=GetFile&U=7921604D7A587937986E24242C0588&DL=0&
FN=../../../boot.ini
In the above demonstration exploit URL, the "U" character represents the remote authenticated user's ID.
It
is also reported that a remote authenticated user can view temporary folders and files that include information about current users
on the system by accessing the '/mail/' directory on the WebMail interface. The 'Tempdirs.lst' file contains a list of temporary
folder names. Each temporary folder reportedly contains the 'MSGlist.mid' file, listing message IDs for the target user, and the
'MSGlist.mil' file, listing the username and mailbox number for the target user. A remote authenticated user can also view log
files with the following type of URL (where the log file name is based on the date [yy-mm-dd]:
http://[target]/mail/S030904L.LOG
|
Impact: A remote authenticated user can read arbitrary files on the system (including other users' e-mail messages) with the privileges of
the web server process.
A remote authenticated user can view information about users on the system, including usernames, mailbox
names, and e-mail message IDs.
|
Solution: The vendor has released a patch, available at:
http://download3.software602.com/ls2003.exe
|
Vendor URL: www.software602.com/ (Links to External Site)
|
Cause: Input validation error
|
Underlying OS: Windows (Any)
|
Underlying OS Comments: Tested on Windows 2000 and Windows XP Pro
|
Reported By: Phuong Nguyen <dphuong@yahoo.com>
|
Message History:
None.
|
Source Message Contents
|
Date: Wed, 24 Sep 2003 19:07:45 -0700 (PDT)
From: Phuong Nguyen <dphuong@yahoo.com>
Subject: 602Pro Lansuite 2003 - Multiple Vulnerabilities
|
TITLE
=====
602Pro Lansuite 2003 - Multiple Vulnerabilities
DESCRIPTION
===========
“602Pro LAN SUITE is an easy-to-install and manage
all-in-one server application. Its standards-based
SMTP/POP3 e-mail server provides effective e-mail
communication without the risk of destructive virus
infiltration and productivity robbing unsolicited
e-mail. Fax services seamlessly integrate into user
mailboxes to unify e-mail and fax message access.”
More information at http://www.software602.com
PROBLEMS
=========
Version : 602PRO LanSuite 2003, build 2003.0.3.0828
(latest build)
Tested Platform : Windows (2K/XP Pro)
Multiple vulnerabilities in the LanSuite 2003 software
(WebMail interface) which could allow attackers to
view
sensitive information about the users (Mailbox number,
Message ID, Login Time etc...) and read any file on
the server.
DETAILS
=======
[Vulnerability #1] Sensitive Files Exposure
When a user logins to LanSuite 2003 WebMail server,
m602cl3w.exe will create a temporary file and folder
holding sensitive information about the current user
and they are accessible through the LanSuite WebMail
interface http://www.victim.com/mail/. Tempdirs.lst
file holds the temporary folder name of current users.
The temporary folder contains two files named
MSGlist.mid and MSGlist.mil. Messages ID are written
to MSGlist.mid file. The username and mailbox number
are written to MSGlist.mil.
Log files are also accessible by anyone at:
http://www.victim.com/mail/S030904L.LOG (YY/MM/DD).
Attacker might gain sensitive information of username,
user's IPs, login time etc... This information could
be useful to assist in further exploit once they
obtained the file.
[Vulnerability #2] Arbitrary File Reading [required
valid user credential]
Malicious user can read any file on the server if they
have a valid LanSuite WebMail username and password.
M602cl3w.exe does check for dot-dot-slash most of the
time but not when the action "GetFile" is used. For
example, a malicious user can read the boot.ini file
by sending a request like this:
http://www.victim.com/mail/m602cl3w.exe?A=GetFile&U=7921604D7A587937986E24242C0588&DL=0&F
N=../../../boot.ini
where "U" is the current user handle’s string.
Malicious users can also read other user's mails by
using the information they got from exploiting the
vulnerability #1.
For example:
http://www.victim.com/mail/m602cl3w.exe?A=GetFile&U=7921604D7A587937986E24242C0588&DL=0&F
N=../../mboxes/605e5d4d/2f2284fd.dat
VENDOR STATUS
==============
You can obatain the patch to fix those vulnerabilities
above at http://download3.software602.com/ls2003.exe
Phuong Nguyen
__________________________________
Do you Yahoo!?
Yahoo! SiteBuilder - Free, easy-to-use web site design software
http://sitebuilder.yahoo.com
|
|
