
b0f1-Mailtraq.txt

Posted Apr 3, 2000
Authored by Slash | Site b0f.com

Buffer0verflow Security Advisory #1 - Mailtraq remote file retrieving. The Mailtraq message server for Windows NT, 95, and 98 allows any file on the system to be read via a /../../ bug. All versions prior to 1.1.4 are affected.

tags | remote
systems | windows
SHA-256 | 811946ab0ebf72ba32eae273bd408419d58277b2cc6bec4feb1dad2886c8fc0e




_____________________________________________________________________
b u f f e r 0 v e r f l 0 w s e c u r i t y a d v i s o r y # 1


Advisory Name: Mailtraq remote file retrieving
Date: 3/22/00
Application: Mailtraq 1.1.4 for Win 95/98
Vendor: Fastraq Limited
WWW: www.mailtraq.com
Severity: Any user can browse and even download
files from the remote computer
Author: slash (tcsh@b0f.i-p.com)
Homepage: b0f.morphed.net


* Overview
Mailtraq is a message server aimed at individuals, small and medium sized
companies and home offices (SOHOS). Mailtraq’s primary goal is to provide online
services to local users by storing incoming and outgoing news and mail messages
offline, then connecting to the Internet at controlled intervals to deliver
outgoing messages and collect and store incoming messages. Mailtraq provides fully
featured Mail, News and Intranet services, full disk logging of all activity,
comprehensive firewall facilities plus many other services such as a Finger client,
Mail-to-News and News-To-Mail gateways, Web Administration, etc. Mailtraq requires
either the Windows NT (Server or Workstation), Windows 95 or Windows 98 operating
systems to be running on the machine on which it is loaded.





* The Problem
By default Mailtraq installs its Webmail Administration menu, which is
accessible via http://some.domain.com/$/admin . The problem occurred when we tried
to retrieve http://some.domain.com/ . We had configured Mailtraq's WWW server root
directory to be C:\Program Files\Mailtraq\websys\webmail . Since the \websys\webmail
directory doesn't contain index.html, the server returned the complete file listing
of the directory C:\Program Files\Mailtraq\websys\webmail. So we tried to exploit
this a little bit, and discovered that anyone can browse and download files on the
remote computer running Mailtraq Mail Server. Here is how to exploit it:

http://127.0.0.1/./../../../

And you should get the complete listing of files in c:\Program Files\ . When we
tried to exploit this, we could only browse files from c:\Program Files\ . When we
added some more /../../../ to the existing URL we would get a "404 Page not
found". We played around with this a little bit and found a way to exploit this too.
To get to windows we should add some more /../../../ but a correct directory name
was required. So we did it this way:

http://127.0.0.1/../../../../../../../../../../././../../././..././.../.../windows/

Here it is!!! The complete listing of C:\windows . Now this is as far as we go.
On Windows NT machines running Mailtraq You could just get sam._ , run l0phtcrack
against it and compromise the machine.

There is also a bug that allows the remote attacker to find out which directory
Mailtraq is installed in. By inputting a large string after http://some.domain.com/
the server will return the path to Mailtraq's installation directory. Example:

http://127.0.0.1/../aaaaaaaaa[a lot of a's]aaaaaaa

The output You should get will look like this:

File "C:\Program Files\Mailtraq\websys\webmail\aaaaaa[a lot of a's]aaaaaa" could
not be found
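
A server-side check that would refuse the request paths shown above and keep the installation directory out of error pages, as an added example that is not part of the original advisory or Mailtraq's own code. The function names, response bodies and the `existing` file set are assumptions; only the web root path comes from the advisory.

```python
import ntpath
from urllib.parse import unquote

# Web root named in the advisory; everything else here is illustrative.
WEB_ROOT = r"C:\Program Files\Mailtraq\websys\webmail"

class Rejected(Exception):
    """Request refused before touching the filesystem."""

def resolve(url_path, root=WEB_ROOT):
    """Map a URL path to a file path that is guaranteed to stay under root."""
    decoded = unquote(url_path)              # decode %2e%2e and friends first
    if "\x00" in decoded or ":" in decoded:  # NUL bytes, drive letters, streams
        raise Rejected("illegal character")
    stack = []
    for seg in decoded.replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not stack:                    # would climb above the web root
                raise Rejected("traversal above root")
            stack.pop()
        elif seg.strip(". ") == "":          # "...", "....": refused outright
            raise Rejected("dot-only segment")
        else:
            stack.append(seg)
    candidate = ntpath.normpath(ntpath.join(root, *stack))
    # Defence in depth: re-check containment on the final, normalised path.
    base = ntpath.normcase(ntpath.normpath(root))
    if ntpath.commonpath([base, ntpath.normcase(candidate)]) != base:
        raise Rejected("outside root")
    return candidate

def respond(url_path, existing=frozenset()):
    """Return (status, body); the body never echoes a server-side path."""
    try:
        path = resolve(url_path)
    except Rejected:
        return 400, "Bad request"
    if ntpath.normcase(path) not in existing:
        return 404, "Not found"
    return 200, "OK"  # a real handler would stream the file here
```

The rejection reason stays in the exception for server-side logging, while the client only ever sees a fixed string.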





* Vulnerable Versions
We tested version 1.1.4 on Windows 98. All versions prior to 1.1.4 are
vulnerable. We aren't sure if the Windows NT version is affected.




* Fix
At this time we aren't familiar with any fix for this bug.




copyright © 1999-2000
slash, buffer0verfl0w security
www.b0f.com
