[NT] Ipswitch IMail Multiple Security Vulnerabilities


From: support@securiteam.com
To: list@securiteam.com
Subject: [NT] Ipswitch IMail Multiple Security Vulnerabilities
Message-Id: <20011015212218.9E90E138C1@mail.der-keiler.de>
Date: Mon, 15 Oct 2001 23:22:18 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Ipswitch IMail Multiple Security Vulnerabilities
------------------------------------------------------------------------

SUMMARY

IMail Server (http://www.ipswitch.com/products/IMail_Server/index.html) is
an easy-to-use, web-enabled, secure and spam-resistant mail server for
Windows NT/2000. Multiple security vulnerabilities have been found in the
product, ranging from email session hijacking to a denial of service
against the web interface.

DETAILS

Vulnerable systems:
Ipswitch IMail Server version 7.04 and prior

Immune systems:
Ipswitch IMail Server version 7.04 Hotfix

Email session hijacking: (1)
Mail sessions can be hijacked using the session ID issued to a user after
authentication. Because the session ID is carried in the URL path of every
web interface request, it can be obtained in several ways:

 - By sending HTML mail with embedded JavaScript
 - By sending HTML mail with an embedded picture (the session URL leaks
   through the Referer field when the picture is fetched from the
   attacker's server)
 - By reading the web interface log file, where request URLs are recorded

As long as the user is still logged in and the session has not expired, an
attacker holding the session ID can take over the account and perform every
task its owner could, such as deleting, sending and modifying emails. If the
IMail account has administrative privileges, the attacker may also be able
to add and remove email addresses and domains. This can lead to data loss or
abuse of the mail server in question.

Mailbox disclosure: (2)
It is possible for normal users to gain access to other users' mailboxes by
abusing a directory traversal vulnerability in the mailbox variable sent to
the server:

http://xx.xx.xx.xx:8383/<sessionid>/readmail.cgi?uid=user1&mbx=../user2/Main

In the above example, 'user1' is viewing the contents of user2's 'Main'
mailbox. The mails stored in that mailbox can then be read simply by
clicking on them.

Attachment information leak: (3)
The X-Attachments header that IMail adds to messages with attachments
carries the full local path of the attachment, exposing where IMail and its
spool directory are located on the server. This information leak is useful
to attackers footprinting the server in question.

Example email header:
 From: "XXXXXXXXXXXXXXXX" <XXXXXXXX@XXXXXXXXX>
 Reply-To: <XXXXXXXX@XXXXXXXX>
 X-Sender: <XXXXXX@XXXXXXXXX>
 To: <XXXXXX@XXXXXXXXX>
 Subject: Slides
 X-Mailer: <IMail v7.04>
 X-Attachments: f:\Imail\spool\web\file.zip;
 X-Sanitizer: In
 MIME-Version: 1.0
 Content-Type: multipart/mixed; charset="iso-8859-1"
 Content-Transfer-Encoding: 8bit

Denial of service attack: (4)
When the web interface is asked to open a mailbox whose name consists of
248 dots (other characters may work as well), it crashes without any error
message, CPU hogging or visual alert. Even in the administrator application
the server is still shown as running: the process stays alive but no longer
listens on the predefined port (8383).

This vulnerability can be exploited through any CGI script of the web
interface that takes a user mailbox parameter (readmail.cgi, printmail.cgi,
etc.).
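The following is an added example, not IMail code, covering items 2 and 4 above: it shows what the traversal amounts to when `uid` and `mbx` are joined onto a spool path unchecked, and a hardened resolver that whitelists and length-caps the mailbox name (so the 248-dot name is rejected before it reaches the file layer), takes the user from the session rather than the query string, and refuses any path that leaves the user's directory. The spool layout `<spool>/<user>/<mailbox>`, the 64-character limit and the name alphabet are assumptions for illustration.

```python
"""Mailbox-parameter validation for the readmail.cgi-style requests in items 2 and 4.
Added example; the spool layout and name policy are assumptions, not IMail's."""
import posixpath
import re

SPOOL_ROOT = "/imail/spool"               # assumed layout; IMail's real tree is not shown above
MAX_NAME_LEN = 64                         # assumed policy, far below the 248 dots that crashed IMail
NAME_RE = re.compile(r"[A-Za-z0-9_-]+")   # assumed: no dots, slashes or backslashes in a name


class MailboxError(ValueError):
    pass


def resolve_mailbox_naive(uid, mbx):
    """What the vulnerable behaviour amounts to: the request's uid and mbx are joined
    onto the spool path with no check that the result stays inside uid's tree."""
    return posixpath.normpath(posixpath.join(SPOOL_ROOT, uid, mbx))


def resolve_mailbox_safe(session_user, mbx):
    """Hardened resolution: the user comes from the authenticated session, the mailbox
    name is whitelisted and length-capped before it touches a path, and the
    normalized result must remain under the user's own root."""
    if not (1 <= len(mbx) <= MAX_NAME_LEN) or not NAME_RE.fullmatch(mbx):
        raise MailboxError(f"rejected mailbox name {mbx[:16]!r}... (length {len(mbx)})")
    user_root = posixpath.join(SPOOL_ROOT, session_user)
    path = posixpath.normpath(posixpath.join(user_root, mbx))
    # Defence in depth: even if the whitelist were loosened, never leave user_root.
    if posixpath.commonpath([user_root, path]) != user_root:
        raise MailboxError("mailbox path escapes the user's spool directory")
    return path


def check_request(session_user, mbx):
    """Outcome for one request: ('ok', path) or ('rejected', reason)."""
    try:
        return "ok", resolve_mailbox_safe(session_user, mbx)
    except MailboxError as exc:
        return "rejected", str(exc)


if __name__ == "__main__":
    # Requests modelled on the advisory: user1 asking for ../user2/Main, and the
    # 248-dot name that stops the web interface listening.
    for mbx in ("Main", "../user2/Main", "." * 248):
        print("naive:", resolve_mailbox_naive("user1", mbx)[:60])
        print("safe :", check_request("user1", mbx))
```

The naive resolver lands on `/imail/spool/user2/Main` for the advisory's request; the hardened one rejects both the traversal and the dot string at the name check, so the path join and the file layer never see them.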

Weak session ID: (5)
Session IDs generated at authentication can be predicted by analyzing them.
The following IDs were captured in sequence (numbered as in the original
capture):

45: Session ID: /Xa20acc929dcecfce93a0afa688
46: Session ID: /Xa20bcc929dcecccb9ba0afa688
47: Session ID: /Xa208cc929dcf9a9c93a0afa688
48: Session ID: /Xa209cc929dcf9b9998a0afa688
49: Session ID: /Xa20ecc929dcf9bcccba0afa688
50: Session ID: /Xa20fcc929dcf98c998a0afa688
51: Session ID: /Xa20ccc929dcf9992c8a0afa688
52: Session ID: /Xa20dcc929dcf9ecbcea0afa688
53: Session ID: /Xa202cc929dcf9f9dcca0afa688
54: Session ID: /Xa203cc929dcf9c9e92a0afa688
55: Session ID: /Xa200cc929dcf9d9b9aa0afa688
56: Session ID: /Xa201cc929dcf9dce92a0afa688
57: Session ID: /Xa206cc929dcf92cb9aa0afa688
58: Session ID: /Xa207cc929dcf939c93a0afa688
59: Session ID: /Xa204cc929dcfcb999ba0afa688
60: Session ID: /Xa205cc929dcfcbcc93a0afa688

Only a handful of hex positions change from one ID to the next; the rest is
fixed structure. By calculating session IDs instead of stealing them,
attackers can gain access to accounts without knowing any username or
password.
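To make "can be predicted by analyzing them" concrete, here is an added analysis (not part of the advisory) run over the sixteen IDs exactly as listed above. It finds which character positions vary, bounds the entropy the sample reveals, and tests one hypothesis about the structure: that the first varying nibble is a counter and the remaining varying nibbles are decimal digits, both hidden under a constant XOR key. The hypothesis and the key it finds are inferences from these sixteen samples, not something the advisory states, and the meaning of the recovered digits is not established.

```python
"""Structural analysis of the session IDs listed under item 5.
Added example, not code from the advisory or from Ipswitch."""
import math

# The sixteen IDs from the advisory, copied verbatim with their capture numbering.
SAMPLE_LISTING = """\
45: Session ID: /Xa20acc929dcecfce93a0afa688
46: Session ID: /Xa20bcc929dcecccb9ba0afa688
47: Session ID: /Xa208cc929dcf9a9c93a0afa688
48: Session ID: /Xa209cc929dcf9b9998a0afa688
49: Session ID: /Xa20ecc929dcf9bcccba0afa688
50: Session ID: /Xa20fcc929dcf98c998a0afa688
51: Session ID: /Xa20ccc929dcf9992c8a0afa688
52: Session ID: /Xa20dcc929dcf9ecbcea0afa688
53: Session ID: /Xa202cc929dcf9f9dcca0afa688
54: Session ID: /Xa203cc929dcf9c9e92a0afa688
55: Session ID: /Xa200cc929dcf9d9b9aa0afa688
56: Session ID: /Xa201cc929dcf9dce92a0afa688
57: Session ID: /Xa206cc929dcf92cb9aa0afa688
58: Session ID: /Xa207cc929dcf939c93a0afa688
59: Session ID: /Xa204cc929dcfcb999ba0afa688
60: Session ID: /Xa205cc929dcfcbcc93a0afa688
"""


def parse_ids(listing):
    """Session IDs in capture order from 'N: Session ID: /X...' lines."""
    return [line.rsplit(": ", 1)[1] for line in listing.splitlines() if line.strip()]


def position_alphabets(ids):
    """Sorted set of characters seen at each position across the sample."""
    width = len(ids[0])
    if any(len(s) != width for s in ids):
        raise ValueError("all IDs must have the same length")
    return [sorted({s[i] for s in ids}) for i in range(width)]


def varying_positions(ids):
    """Positions whose value is not constant; everything else is fixed structure."""
    return [i for i, alpha in enumerate(position_alphabets(ids)) if len(alpha) > 1]


def observed_entropy_bits(ids):
    """Upper bound on the entropy the sample reveals: positions treated as independent,
    counting only values that actually occurred. A position can show at most len(ids)
    values, so this measures what the capture shows, not the true keyspace."""
    return sum(math.log2(len(alpha)) for alpha in position_alphabets(ids))


def counter_masks(ids, pos):
    """Keys k for which nibble[pos] == (capture_index XOR k) holds for every sample,
    i.e. the position behaves like a 4-bit counter under a constant XOR mask."""
    return {k for k in range(16)
            if all(int(s[pos], 16) == (i ^ k) for i, s in enumerate(ids))}


def decimal_masks(ids, positions):
    """Keys k for which every nibble at the given positions is a decimal digit 0-9
    XOR k; a non-empty result suggests masked digits (a timestamp or counter)."""
    keys = set(range(16))
    for pos in positions:
        seen = {int(s[pos], 16) for s in ids}
        keys &= {k for k in range(16) if all((v ^ k) < 10 for v in seen)}
    return keys


def unmask_digits(sid, key, positions):
    """Apply a candidate key to the given positions and return the recovered digits."""
    return "".join(str(int(sid[p], 16) ^ key) for p in positions)


def analyze(listing=SAMPLE_LISTING):
    ids = parse_ids(listing)
    varying = varying_positions(ids)
    head, rest = varying[0], varying[1:]
    counter_keys = counter_masks(ids, head)
    digit_keys = decimal_masks(ids, rest)
    return {
        "width": len(ids[0]),
        "varying_positions": varying,
        "observed_bits": observed_entropy_bits(ids),
        "counter_keys": counter_keys,
        "digit_keys": digit_keys,
        "consistent_keys": counter_keys & digit_keys,
    }


if __name__ == "__main__":
    result = analyze()
    for name, value in result.items():
        print(f"{name}: {value}")
    key = next(iter(result["consistent_keys"]))
    for sid in parse_ids(SAMPLE_LISTING)[:3]:
        print(sid, "->", unmask_digits(sid, key, result["varying_positions"][1:]))
```

On the listed sample, 20 of the 28 characters never change; position 5 walks through all sixteen nibble values in the order `(index XOR 0xA)`, and positions 13 to 19 only ever use values that are decimal digits XOR 0xA (0xB fits the digit positions too, but only 0xA fits the counter as well). The sample therefore reveals under 17 bits of variation, and an attacker who has seen a few IDs can enumerate the neighbouring ones rather than guess a 26-hex-digit string.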

Solution:
Vulnerabilities 2 and 4 are fixed by the hotfix released by Ipswitch:
ftp://ftp.ipswitch.com/Ipswitch/Product_Support/IMail/IM704HF1.exe

More information about this update can be found on the Ipswitch web site:
http://www.ipswitch.com/support/imail/news.html

Vulnerabilities 1 and 5 can be countered by not selecting the "ignore
source address in security check" option. With the source address checked,
a stolen or calculated session ID is useless unless the attacker's IP
address matches the user's. Watch out for gateways, proxies, NAT and
similar setups where many users share one address: the check cannot tell
those clients apart.
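As an added example that is not IMail's implementation, the following models the attack chain of item 1 together with the source-address check this solution relies on. It extracts the session ID from a Referer line (the session ID is the first path segment of every request, as the readmail.cgi URL in item 2 shows), then replays it from the victim's address, from a different address, and from behind the victim's gateway. The session table, the hostname `mail.example.net` and the Referer line are constructed for the example.

```python
"""Session hijack via a leaked URL session ID (item 1) and the source-address check
from the solution. Added example built from the advisory's description; not IMail code."""
import ipaddress
import secrets
from urllib.parse import urlsplit


def leaked_session_id(referer):
    """Session ID an attacker's image server sees in the Referer header when an HTML
    mail with an embedded picture is viewed through the web interface."""
    path = urlsplit(referer).path                  # e.g. /Xa20acc929dcecfce93a0afa688/readmail.cgi
    segments = [s for s in path.split("/") if s]
    return segments[0] if segments else None


class SessionTable:
    """Sessions bound to the client IP that authenticated. ignore_source_address
    models the IMail option the advisory tells administrators not to select."""

    def __init__(self, ignore_source_address=False):
        self.ignore_source_address = ignore_source_address
        self._sessions = {}                        # session id -> (user, bound ip)

    def login(self, user, client_ip):
        sid = "X" + secrets.token_hex(13)          # unpredictable, unlike the IDs in item 5
        self._sessions[sid] = (user, ipaddress.ip_address(client_ip))
        return sid

    def lookup(self, sid, client_ip):
        """User owning sid, or None if the session is unknown or the source check fails."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        user, bound_ip = entry
        if not self.ignore_source_address and ipaddress.ip_address(client_ip) != bound_ip:
            return None
        return user


def hijack_outcomes(ignore_source_address):
    """Victim logs in, views an HTML mail whose picture points at the attacker, the
    Referer leaks the session URL, and the attacker replays the session ID."""
    table = SessionTable(ignore_source_address)
    sid = table.login("user1", "10.0.0.5")
    # Constructed Referer line, as the victim's browser would send it to the image host.
    referer = f"http://mail.example.net:8383/{sid}/readmail.cgi?uid=user1&mbx=Main"
    stolen = leaked_session_id(referer)
    return {
        "victim": table.lookup(stolen, "10.0.0.5"),
        "attacker": table.lookup(stolen, "192.0.2.77"),
        "same_gateway": table.lookup(stolen, "10.0.0.5"),   # attacker behind the victim's proxy/NAT
    }


if __name__ == "__main__":
    print("ignore source address:", hijack_outcomes(True))
    print("check source address :", hijack_outcomes(False))
```

With the option selected, all three lookups succeed and the leaked ID is a full takeover. With the check on, the attacker's own address is refused, but the `same_gateway` case still succeeds, which is the proxy caveat above: an address check narrows the attack, it does not replace an unpredictable, non-URL session token.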

ADDITIONAL INFORMATION

The information has been provided by Niels Heinen (zilli0n@gmx.net).

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


