[NT] Privilege Escalation in Mailtraq
From: SecuriTeam (support_at_securiteam.com)
Date: 11/22/04
To: list@securiteam.com
Date: 22 Nov 2004 11:43:56 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Privilege Escalation in Mailtraq
------------------------------------------------------------------------
SUMMARY
Mailtraq <http://www.mailtraq.com/> is a "comprehensive e-mail SMTP/POP3
and proxy server, with a powerful mailing list server". A privilege
escalation flaw exists in Mailtraq that allows local attackers to use the
program's systray icon to gain elevated privileges.
DETAILS
Vulnerable Systems:
* Mailtraq version 2.6.1.1677 and prior
Vendor response:
This does not appear to be a security hole as the Mailtraq Console is
intended to be operated only by authorized administrators. The console
provides direct access to user data and the ability to manipulate e-mail
and other sensitive data for all users. For this reason, in environments
where non-administrators may be granted physical access to the desktop we
expect administrators to secure the console by password protection. (This
feature is enabled in the Server Properties.) If the console is secured
in this manner, standard dialog functions such as that you described are
only available to administrators.
Exploit:
1. Double click on the Mailtraq icon in the Taskbar
2. Right click in the right text pane and choose View Source
3. Notepad should open. Click File, click Open
4. In the Files of type: field choose All Files
5. Navigate to %WINDIR%\System32\
6. Right click on cmd.exe and choose Open
7. A command prompt will launch with SYSTEM privileges
ADDITIONAL INFORMATION
The information has been provided by Reed Arvin <reedarvin@gmail.com>.
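Detection sketch for the steps listed under Exploit, added here and not part of the original advisory: it flags a SYSTEM-owned shell whose ancestry passes through a SYSTEM-owned program that offers a File > Open dialog. The records are constructed, use Sysmon Event ID 1 field names, and console.exe is a placeholder because the advisory does not name the Mailtraq binary.

```python
import ntpath

SYSTEM = r"NT AUTHORITY\SYSTEM"
SHELLS = {"cmd.exe", "powershell.exe"}
# Programs whose File > Open dialog gives the desktop user a file browser.
DIALOG_HOSTS = {"notepad.exe", "wordpad.exe", "mspaint.exe"}

def ev(guid, parent, user, image):
    return {"ProcessGuid": guid, "ParentProcessGuid": parent, "User": user, "Image": image}

# Constructed sample records; console.exe is a placeholder (assumption).
SAMPLE_EVENTS = [
    ev("g1", "g0", SYSTEM, r"C:\Program Files\ExampleMail\console.exe"),
    ev("g2", "g1", SYSTEM, r"C:\WINDOWS\System32\notepad.exe"),
    ev("g3", "g2", SYSTEM, r"C:\WINDOWS\System32\cmd.exe"),  # chain from the advisory
    ev("g4", "g9", r"EXAMPLE\alice", r"C:\WINDOWS\explorer.exe"),
    ev("g5", "g4", r"EXAMPLE\alice", r"C:\WINDOWS\System32\notepad.exe"),
    ev("g6", "g5", r"EXAMPLE\alice", r"C:\WINDOWS\System32\cmd.exe"),  # user token, benign
    ev("g7", "g1", SYSTEM, r"C:\WINDOWS\System32\cmd.exe"),  # no dialog host in chain
]

def base(image):
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(image).lower()

def ancestry(event, by_guid):
    """Known ancestors, nearest first; stops at a missing parent or a loop."""
    chain, seen = [], {event["ProcessGuid"]}
    parent = by_guid.get(event["ParentProcessGuid"])
    while parent and parent["ProcessGuid"] not in seen:
        chain.append(parent)
        seen.add(parent["ProcessGuid"])
        parent = by_guid.get(parent["ParentProcessGuid"])
    return chain

def find_system_shell_breakouts(events):
    """Return [shell, parent, grandparent, ...] for each suspicious SYSTEM shell."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    findings = []
    for e in events:
        if e["User"].upper() != SYSTEM or base(e["Image"]) not in SHELLS:
            continue
        chain = ancestry(e, by_guid)
        if any(a["User"].upper() == SYSTEM and base(a["Image"]) in DIALOG_HOSTS for a in chain):
            findings.append([base(e["Image"])] + [base(a["Image"]) for a in chain])
    return findings

if __name__ == "__main__":
    for chain in find_system_shell_breakouts(SAMPLE_EVENTS):
        print("SYSTEM shell via dialog host:", " <- ".join(chain))
```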