SECNAP Security Advisory: Invalid HTML processing in GoldMine(tm)

scheidell_at_SECNAP.NET
Date: 05/29/03

    Date:         Wed, 28 May 2003 19:46:05 -0400
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    Weakness in GoldMine(tm) Email Manager allows arbitrary code execution
    Systems: GoldMine 5.70 and 6.00 prior to version 30503
    Vulnerable: 5.70.11111,5.70.20404,6.00.21021,6.00.30203,6.00.30403
    Not Vulnerable: 5.70.30503, 6.00.30503
    Severity: Serious
    Category: Arbitrary Execution of Code of Hacker's Choice
    Classification: Input Validation Error
    BugTraq-ID: TBA
    CVE-Number: CAN-2003-0241
    Remote Exploit: yes
    Local Exploit: no
    Vendor URL: www.frontrange.com
    Author: Michael S. Scheidell, SECNAP Network Security
    Scheduled Release date: May 29th, 2003
    Notifications: FrontRange(tm) notified April 27th, 2003, Fix released May 29th, 2003

    Discussion: (From FrontRange web site)
    Quickly and easily equips professionals, SOHOs (Small Offices/Home Offices), small businesses and teams with automated customer/contact management and workgroup tools.

    Problem: By sending a specially malformed email to a user who opens it with the GoldMine mail agent, a hacker can run arbitrary code of the hacker's choice on the user's computer. This includes remote trojans, IRC zombies, spyware, malware, remote key loggers, or any other program the hacker wants to run. This program will be running inside the corporate network, behind the firewall, with access to anything the infected user has access to. The GoldMine mail agent does not even run the HTML email in the 'security zone' as Microsoft(tm) Outlook does, but passes anything that looks like HTML directly to the default browser (usually IE), where it is executed unrestricted.

    The user does not even have to open the email: the default 'preview' option will pass the first few lines of the email to IE, which will trigger the exploit. In fact, just highlighting the email in order to delete it could trigger the exploit.

    The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2003-0241 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0241> to this issue. This is a candidate for inclusion in the CVE list (<http://cve.mitre.org>), which standardizes names for security problems.

    Exploit: No exploit is necessary, as there are already examples in viruses and trojans that were designed to attack Microsoft Outlook and Outlook Express.

    Microsoft fixed these by patching both readers and allowing the user to set the security zone for reading HTML email in the 'insecure' settings.

    To see an exhaustive list of what can happen when email is passed to IE, see <http://www.guninski.com/browsers.html>

    Vendor Response: FrontRange immediately verified the existence of this vulnerability, created a patch and scheduled its release as soon as QA testing was done. FrontRange is concerned about its users' security and has issued a patch on May 29th for their current 6.0 version, as well as their legacy 5.70 version.

    Solution: FrontRange advises its clients that they should upgrade to the latest version of GoldMine Business Contact Manager. Please see FrontRange support page for more information: <http://support.frontrange.com/>.

    SECNAP has tested the FrontRange-provided solution on 5.70.30503, and it now runs HTML through the IE Restricted security zone, just like Outlook and Outlook Express. If you still fail the test, you need to check the IE Restricted security zone settings.

    Workaround:
    If you cannot upgrade, then you should immediately disable IE as the email viewer, in "Edit >> Preferences >> Internet >> More Options >> Advanced".

    Administrators can change user preferences from "File >> Configure >> User Settings", or by editing the user's ini files and setting EmailReaderType in the [Internet] section to 1:

    [Internet]
    EmailReaderType=1
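    The following is an added example (not SECNAP's or FrontRange's code) that audits a GoldMine user ini file for the EmailReaderType=1 workaround above and rewrites it if needed. It assumes the ini uses ordinary INI syntax that Python's configparser can read; the section and key names come from this advisory, the sample file contents are constructed, and the meaning of values other than 1 is not documented here, so anything other than 1 is reported as "not hardened" rather than interpreted.

```python
import configparser
import io

# Constructed sample of a GoldMine user .ini (assumption: ordinary INI syntax;
# only the [Internet] section and EmailReaderType key come from the advisory).
SAMPLE_INI = """[GoldMine]
UserName=JSMITH

[Internet]
EmailReaderType=0
"""

SECTION = "Internet"
KEY = "EmailReaderType"
SAFE_VALUE = "1"   # the advisory's workaround: 1 disables IE as the email viewer


def _parse(text):
    # strict=False tolerates duplicate keys that hand-edited ini files often carry;
    # optionxform=str keeps key case exactly as written so rewrites stay faithful.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def email_reader_hardened(text):
    """True only when [Internet] EmailReaderType is exactly '1'.
    A missing section or key is reported as not hardened so it gets reviewed."""
    cp = _parse(text)
    return cp.has_option(SECTION, KEY) and cp.get(SECTION, KEY).strip() == SAFE_VALUE


def harden(text):
    """Return the ini text with EmailReaderType forced to 1 under [Internet],
    adding the section if the file lacks it. Other settings are preserved."""
    cp = _parse(text)
    if not cp.has_section(SECTION):
        cp.add_section(SECTION)
    cp.set(SECTION, KEY, SAFE_VALUE)
    out = io.StringIO()
    cp.write(out, space_around_delimiters=False)  # emit Key=Value like the original
    return out.getvalue()


if __name__ == "__main__":
    print("hardened before:", email_reader_hardened(SAMPLE_INI))
    fixed = harden(SAMPLE_INI)
    print(fixed)
    print("hardened after:", email_reader_hardened(fixed))
```

Run it against each user's ini (path not given in the advisory) after taking a backup; GoldMine should be closed while the file is rewritten.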

    To test to see if you are vulnerable, you can send a blank email to gmtest@secnap.net (Note: this test will be discontinued after July 1st, 2003 and is only available to GoldMine email).

    Michael Scheidell, SECNAP Network Security, www.secnap.net

    Credit:
    The original problem with IE, Microsoft Outlook and Outlook Express was found by Georgi Guninski and involved insecure default reading of malformed HTML email in Outlook and OE and insecure running of HTML (see <http://www.guninski.com/browsers.html>). Also, thanks to Jeff Bell, VP Information Technology, Zino Mortgage <http://www.zinomortgage.com> and Angel Alexander Magaña of FrontRange for their assistance in verifying the problem.

    Original copy of this report can be found here
    <http://www.secnap.net/security/gm001.html>

    Copyright:
    Above Copyright(c) 2003, SECNAP Network Security, LLC. World rights reserved.

    This security report can be copied and redistributed electronically provided it is not edited and is quoted in its entirety without written consent of SECNAP Network Security, LLC. Additional information or permission may be obtained by contacting SECNAP Network Security at 561-368-9561


