what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

lansuite2003.txt

lansuite2003.txt
Posted Sep 25, 2003
Authored by Phuong Nguyen

602PRO LanSuite 2003 for Windows is vulnerable to sensitive information disclosure, logs freely being accessible to any remote attacker, the ability to read any file on the server, and directory traversal attacks.

tags | exploit, remote, info disclosure
systems | windows
SHA-256 | 9f04a1d343d4cc73ccc8d7925f80792502dfe9ae066749060a5a410c141bac4b

lansuite2003.txt

Change Mirror Download
TITLE
=====
602Pro Lansuite 2003 - Multiple Vulnerabilities

DESCRIPTION
===========
“602Pro LAN SUITE is an easy-to-install and manage
all-in-one server application. Its standards-based
SMTP/POP3 e-mail server provides effective e-mail
communication without the risk of destructive virus
infiltration and productivity robbing unsolicited
e-mail. Fax services seamlessly integrate into user
mailboxes to unify e-mail and fax message access.”

More information at http://www.software602.com

PROBLEMS
=========
Version : 602PRO LanSuite 2003, build 2003.0.3.0828
(latest build)
Tested Platform : Windows (2K/XP Pro)

Multiple vulnerabilities in the LanSuite 2003 software
(WebMail interface) which could allow attackers to
view
sensitive information about the users (Mailbox number,
Message ID, Login Time etc...) and read any file on
the server.

DETAILS
=======
[Vulnerability #1] Sensitive Files Exposure

When a user logins to LanSuite 2003 WebMail server,
m602cl3w.exe will create a temporary file and folder
holding sensitive information about the current user
and they are accessible through the LanSuite WebMail
interface http://www.victim.com/mail/. Tempdirs.lst
file holds the temporary folder name of current users.
The temporary folder contains two files named
MSGlist.mid and MSGlist.mil. Messages ID are written
to MSGlist.mid file. The username and mailbox number
are written to MSGlist.mil.

Log files are also accessible by anyone at:
http://www.victim.com/mail/S030904L.LOG (YY/MM/DD).
Attacker might gain sensitive information of username,
user's IPs, login time etc... This information could
be useful to assist in further exploit once they
obtained the file.


[Vulnerability #2] Arbitrary File Reading [required
valid user credential]

Malicious user can read any file on the server if they
have a valid LanSuite WebMail username and password.
M602cl3w.exe does check for dot-dot-slash most of the
time but not when the action "GetFile" is used. For
example, a malicious user can read the boot.ini file
by sending a request like this:

http://www.victim.com/mail/m602cl3w.exe?A=GetFile&U=7921604D7A587937986E24242C0588&DL=0&FN=../../../boot.ini
where "U" is the current user handle’s string.
Malicious users can also read other user's mails by
using the information they got from exploiting the
vulnerability #1.

For example:
http://www.victim.com/mail/m602cl3w.exe?A=GetFile&U=7921604D7A587937986E24242C0588&DL=0&FN=../../mboxes/605e5d4d/2f2284fd.dat

VENDOR STATUS
==============
You can obatain the patch to fix those vulnerabilities
above at http://download3.software602.com/ls2003.exe

Phuong Nguyen

__________________________________
Do you Yahoo!?
Yahoo! SiteBuilder - Free, easy-to-use web site design software
http://sitebuilder.yahoo.com
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close