Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Exploits-HackingTools
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[NT] DeskNow Mail and Collaboration Server Directory Traversal Vulnerabi

from [SecuriTeam] Network Security [Permanent Link]
Subject: [NT] DeskNow Mail and Collaboration Server Directory Traversal Vulnerabilities
Date: 3 Feb 2005 11:27:32 +0200 
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  DeskNow Mail and Collaboration Server Directory Traversal Vulnerabilities
------------------------------------------------------------------------


SUMMARY

 <http://www.desknow.com/desknowmc/index.html> DeskNow Mail and 
Collaboration Server is "a full-featured and integrated mail and instant 
messaging server, with webmail, secure instant messaging, document 
repository, shared calendars, address books, message boards, 
web-publishing, anti-spam features, Palm and PocketPC access and much 
more".

A directory traversal vulnerability was found in DeskNow webmail file 
attachment upload feature that may be exploited to upload files to 
arbitrary locations on the server. A malicious webmail user may upload a 
JSP file to the script directory of the server, and executing it by 
requesting the URL of the upload JSP file. A second directory traversal 
vulnerability exists in the document repository file delete feature. This 
vulnerability may be exploited to delete arbitrary files on the server.

DETAILS

Vulnerable Systems:
 * DeskNow Mail and Collaboration Server version 2.5.12 and prior

Immune Systems:
 * DeskNow Mail and Collaboration Server version 2.5.14 or newer

On the Windows platform, the default installation of DeskNow Mail and 
Collaboration Server runs its webmail service using Tomcat Application 
Server with LOCAL SYSTEM privilege. This advisory documents two directory 
traversal vulnerabilities that may be exploited by a malicious webmail 
user to upload/delete files to/from arbitrary directories.

1. Insufficient input sanitization in attachment.do allows file upload to 
arbitrary directories
DeskNow's webmail allows a logon mail user to upload file attachments when 
composing an email. Lack of sanitization of the AttachmentsKey parameter 
allows the user to upload files to arbitrary location on the server.  More 
specifically, It is possible to use directory traversal characters to 
cause the uploaded file attachment to be saved outside the temporary 
directory. This may be exploited by a malicious webmail user to upload JSP 
files to the script execution directory of the server. After uploading the 
JSP file, it is possible to execute that file by directly requesting it's 
URL (i.e. http://[hostname]/desknow/jsp/test/poc.jsp). Successful 
exploitation will allow upload and execution of arbitrary JSP code with 
LOCAL SYSTEM privilege. e.g. a malicious user may upload a JSP file that 
gives him/her a reverse shell.

2. Insufficient input sanitization in file.do allows deleting of arbitrary 
files
DeskNow's document repository feature allows a user to store files on the 
server via the web interface. A user is allowed to delete his/her own 
files. When the user selects his own file to be deleted, the file name is 
sent using the select_file parameter as a POST request to file.do. It is 
possible to use directory traversal characters within this parameter to 
delete files that do not belong to the user.

Solution:
Upgrade to DeskNow Mail and Collaboration Server Version 2.5.14 or later.

Disclosure Timeline:
23 Jan 05 - Vulnerability Discovered
24 Jan 05 - Initial Vendor Notification
24 Jan 05 - Initial Vendor Reply
25 Jan 05 - Vendor Released Version 2.5.13
25 Jan 05 - Informed Vendor that Vulnerability is not Fully Fixed
27 Jan 05 - Vendor Released Fixed Version 2.5.14
02 Feb 05 - Public Release


ADDITIONAL INFORMATION

The information has been provided by  <mailto:chewkeong@security.org.sg> 
Tan Chew Keong.
The original article can be found at:  
<http://www.security.org.sg/vuln/desknow2512.html> 
http://www.security.org.sg/vuln/desknow2512.html



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [NT] DeskNow Mail and Collaboration Server Directory Traversal Vulnerabilities, SecuriTeam <=
Previous by Date:  [NT] Painkiller CD-Key Buffer Overflow, SecuriTeam
Next by Date:  [EXPL] newsfetch Buffer Overflow Exploit, SecuriTeam
Previous by Thread:  [NT] Painkiller CD-Key Buffer Overflow, SecuriTeam
Next by Thread:  [EXPL] newsfetch Buffer Overflow Exploit, SecuriTeam
Indexes:  [Date] [Thread] [Top] [All Lists]