[NT] Multiple Vulnerabilities in 602Pro LAN SUITE 2003 (Incorrect File Permissions, File Reading)
From: SecuriTeam (support_at_securiteam.com)
Date: 09/29/03
To: list@securiteam.com
Date: 29 Sep 2003 11:04:37 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Multiple Vulnerabilities in 602Pro LAN SUITE 2003 (Incorrect File
Permissions, File Reading)
------------------------------------------------------------------------
SUMMARY
<http://www.software602.com/products/ls/> 602Pro LAN SUITE is "an
easy-to-install and manage all-in-one server application. Its
standards-based SMTP/POP3 e-mail server provides effective e-mail
communication without the risk of destructive virus infiltration and
productivity robbing unsolicited e-mail. Fax services seamlessly integrate
into user mailboxes to unify e-mail and fax message access".
Multiple vulnerabilities have been discovered in the product that allow
remote attackers to view sensitive log files and to read arbitrary
files.
DETAILS
Vulnerable systems:
* 602PRO LAN SUITE 2003, build 2003.0.3.0828
Multiple vulnerabilities in the WebMail interface of the LAN SUITE 2003
software allow attackers to view sensitive information about users
(Mailbox number, Message ID, Login Time etc...) and read any file on the
server.
Sensitive Files Exposure
When a user logs in to the LAN SUITE 2003 WebMail server, m602cl3w.exe
creates a temporary file and folder holding sensitive information about the
current user. Both are accessible through the LAN SUITE WebMail
interface at http://www.victim.com/mail/. The Tempdirs.lst file holds the
temporary folder names of current users. Each temporary folder contains two
files named MSGlist.mid and MSGlist.mil. Message IDs are written to the
MSGlist.mid file. The username and mailbox number are written to
MSGlist.mil.
Log files are also accessible by anyone at:
http://www.victim.com/mail/S030904L.LOG (YY/MM/DD). An attacker might gain
sensitive information such as usernames, users' IP addresses, login times
etc... Once obtained, this information could be useful in assisting
further exploitation.
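To check whether these files have been fetched from a given server, the access logs can be searched for the file names listed above. The following is an added example, not part of the original advisory: it assumes access logs in Common Log Format, matches the advisory's file names anywhere under /mail/ (the folder layout is an assumption), and uses constructed sample lines with a placeholder folder name.

```python
import re
from urllib.parse import unquote, urlsplit

# File names come from the advisory; matching them at any depth under /mail/
# is an assumption. Case-insensitive because the server runs on Windows.
EXPOSED = re.compile(
    r"^/mail/(?:[^/]+/)*(tempdirs\.lst|msglist\.mi[dl]|s\d{6}l\.log)$", re.I)
# Common Log Format: client, timestamp, method, target, status.
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')

# Constructed sample log; EXAMPLEDIR stands in for a temporary folder name.
SAMPLE_LOG = """\
192.0.2.10 - - [04/Sep/2003:10:01:02 +0200] "GET /mail/ HTTP/1.0" 200 5120
192.0.2.77 - - [04/Sep/2003:10:05:40 +0200] "GET /mail/Tempdirs.lst HTTP/1.0" 200 64
192.0.2.77 - - [04/Sep/2003:10:05:44 +0200] "GET /mail/EXAMPLEDIR/MSGlist.mil HTTP/1.0" 200 212
192.0.2.77 - - [04/Sep/2003:10:05:51 +0200] "GET /mail/s030904l.log HTTP/1.0" 200 8841
192.0.2.10 - - [04/Sep/2003:10:06:00 +0200] "GET /mail/%4dSGlist.mid HTTP/1.0" 404 0
"""


def find_exposures(log_text):
    """Return (client, decoded_path, served) for requests naming the files."""
    hits = []
    for line in log_text.splitlines():
        m = CLF.match(line)
        if not m:
            continue  # not a CLF line; skip rather than guess
        client, _ts, _method, target, status = m.groups()
        # Drop the query string, decode %xx once, normalise separators.
        path = unquote(urlsplit(target).path).replace("\\", "/")
        if EXPOSED.match(path):
            hits.append((client, path, status.startswith("2")))
    return hits


def clients_served(log_text):
    """Clients that actually received one of the files (2xx response)."""
    return sorted({c for c, _p, served in find_exposures(log_text) if served})


if __name__ == "__main__":
    for client, path, served in find_exposures(SAMPLE_LOG):
        print(client, path, "SERVED" if served else "not served")
```

A 2xx hit means the file left the server; the session data and log contents it held should be treated as disclosed.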
Arbitrary File Reading
A malicious user can read any file on the server if they have a valid LAN
SUITE WebMail username and password. M602cl3w.exe checks for
dot-dot-slash sequences most of the time, but not when the action "GetFile"
is used. For example, a malicious user can read the boot.ini file by sending
a request like this:
Where "U" is the current user handle's string. Malicious users can also
read other users' mail by using the information they obtained from
exploiting the first vulnerability.
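A filter that is present on most actions but missing from "GetFile" is the usual result of checking paths inside each handler. The following added example (not 602Pro's code and not part of the original advisory) resolves the name once, before dispatch, using Windows path rules from Python's ntpath; the mailbox root, the function names and the "ListFile" action are assumptions.

```python
import ntpath
from urllib.parse import unquote

# Hypothetical per-user mailbox root; not a path from the advisory.
MAIL_ROOT = r"C:\LanSuite\Mail\user1"


class PathRejected(Exception):
    """Raised when a client-supplied name does not stay inside the root."""


def resolve_in_root(requested, root=MAIL_ROOT):
    """Map a client-supplied file name to a path inside root, or raise."""
    name = unquote(requested).replace("/", "\\")   # decode once, one separator
    if not name or "\x00" in name:
        raise PathRejected("empty name or NUL byte")
    # ':' covers drive letters and NTFS alternate data streams; a leading
    # backslash covers rooted and UNC paths, which ntpath.join would honour.
    if ":" in name or name.startswith("\\"):
        raise PathRejected("absolute, drive-qualified or stream path")
    full = ntpath.normpath(ntpath.join(root, name))  # collapses any '..'
    root_n = ntpath.normcase(ntpath.normpath(root))
    # Compare whole components, not string prefixes, so that a sibling
    # directory such as ...\user10 does not pass as being inside ...\user1.
    if ntpath.commonpath([root_n, ntpath.normcase(full)]) != root_n:
        raise PathRejected("escapes mailbox root")
    return full


def dispatch(action, filename, handlers):
    """Resolve the path once, before any handler runs, for every action."""
    path = resolve_in_root(filename)
    return handlers[action](path)


# Handlers only ever see a vetted path. "GetFile" is the action named in the
# advisory; "ListFile" is a made-up second action for illustration.
HANDLERS = {
    "GetFile": lambda path: ("read", path),
    "ListFile": lambda path: ("list", path),
}
```

The check is lexical; where junctions or symbolic links can exist under the root, the server should also resolve the final path with os.path.realpath before comparing.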
Vendor status:
You can obtain a patch for the above vulnerabilities at
<http://download3.software602.com/ls2003.exe>.
ADDITIONAL INFORMATION
The information has been provided by Phuong Nguyen
<mailto:dphuong@yahoo.com>.