OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Niels Heinen (zilli0ngmx.net)
Date: Thu Oct 11 2001 - 17:00:33 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    Hi all,

    Below are vulnerabilities I have found in Imail (Ipswitch.com).
    Some of them can be very dangerous and it is there for recommended
    that Imail users upgrade their software asap.

    After reporting these vulnerabilities to Ipswitch on the 4e of this
    month it only took 7 days before Ipswitch identified and reacted
    on these issues. Fix information can be found at the end of this
    email.

    Cheers,

    Niels Heinen

    Greets to all safemode.org, alldas.de and #hacker_help (!shit ;)

    [ ** Vulnerability 1 -> Email sessions hijacking ** ]

    Mail sessions can be hijacked by using the session ID given to a
    user after authentication. This key can be obtained in several ways:

    - By ending HTML with embedded javascript
    - By sending HTML mail with embedded picture (referrer field)
    - By editing the web interface log file

    As long as the user is still logged in and the session has not
    expired it is possible for attackers to take over his account.
    Exploitation of this vulnerability allow attackers to perform all
    tasks the owner of the hijacked account could perform such as
    deleting, sending and modifying emails. If the account has (Imail)
    admin privileges the possibility exists that the attacker can add
    and remove email addresses and domains. This could lead to a terrible
    dataloss or abuse of the mail server in question.

    [ ** Vulnerability 2 -> Mailbox disclosure ** ]

    It is possible for normal users to gain access to mail boxes from other
    users. They can do this by abusing a directory traversal vulnerability
    in the mailbox variable send to the server:

    http://xx.xx.xx.xx:8383/ session
    id>/readmail.cgi?uid=user1&mbx=../user2/Main

    In the above example 'user1' is viewing the content of the 'Main' mailbox
    of user2. It is also possible to read the mails which are stored in this
    mailbox simply by clicking on them.

    [ ** Vulnerability 3 Attachement information leak ** ]

    Email attachements exposes the entire directory structure of where
    Imail and the spool directory are located. This information leak can be
    very useful for attackers who are footprinting the server in question.

    Example email header:

    From: "XXXXXXXXXXXXXXXX" <XXXXXXXXXXXXXXXXX>
    Reply-To: <XXXXXXXXXXXXXXXX>
    X-Sender: <XXXXXXXXXXXXXXX>
    To: <XXXXXXXXXXXXXXX>
    Subject: Slides
    X-Mailer: <IMail v7.04>
    X-Attachments: f:\Imail\spool\web\file.zip;
    X-Sanitizer: In
    MIME-Version: 1.0
    Content-Type: multipart/mixed; charset="iso-8859-1"
    Content-Transfer-Encoding: 8bit

    [ ** Vulnerability 4 Denial of service attack ** ]

    When trying to open a mailbox which exists out of 248 dots (other
    character might work aswell) the web interface crashes without any
    error message, CPU hogging or any visual alert. Even on the
    administrator application the server will still be marked as running.
    The process still keeps running but it will no longer listen to
    the predefined port (8383).

    This vulnerability can be exploited trough any CGI script used by
    the web interface that invokes a user mailbox (readmail.cgi ,
    printmail.cgi etc).

    [ ** Vulnerability 5 Weak session ID's ** ]

    Session ID's generated for authentication can be predicted by
    analyzing them:

    45: Sesion ID: /Xa20acc929dcecfce93a0afa688
    46: Sesion ID: /Xa20bcc929dcecccb9ba0afa688
    47: Sesion ID: /Xa208cc929dcf9a9c93a0afa688
    48: Sesion ID: /Xa209cc929dcf9b9998a0afa688
    49: Sesion ID: /Xa20ecc929dcf9bcccba0afa688
    50: Sesion ID: /Xa20fcc929dcf98c998a0afa688
    51: Sesion ID: /Xa20ccc929dcf9992c8a0afa688
    52: Sesion ID: /Xa20dcc929dcf9ecbcea0afa688
    53: Sesion ID: /Xa202cc929dcf9f9dcca0afa688
    54: Sesion ID: /Xa203cc929dcf9c9e92a0afa688
    55: Sesion ID: /Xa200cc929dcf9d9b9aa0afa688
    56: Sesion ID: /Xa201cc929dcf9dce92a0afa688
    57: Sesion ID: /Xa206cc929dcf92cb9aa0afa688
    58: Sesion ID: /Xa207cc929dcf939c93a0afa688
    59: Sesion ID: /Xa204cc929dcfcb999ba0afa688
    60: Sesion ID: /Xa205cc929dcfcbcc93a0afa688

    By using calculated session keys for authentication it is possible for
    attackers
    to gain access to accounts without knowing usernames or password.

    [ ** Counter these vulnerabilities ** ]

    Vulnerability 2 and 4 can be countered by using the hotfix released by
    Ipswitch
    ftp://ftp.ipswitch.com/Ipswitch/Product_Support/IMail/IM704HF1.exe

    More information about this update can be found on the Ipswitch web site:
    http://www.ipswitch.com/support/imail/news.html

    Vulnerabilities 5 and 1 can be countered by not selecting the "ignore
    source address in security check". This was those vulnerabilities cannot
    exploited as long as the ip address of the attacker does not match with the
    ip address of the user (watch out with gateways,proxies etc).

    -- 
    Sent through GMX FreeMail - http://www.gmx.net