[SIG^2 G-TEC] ArGoSoft Mail Server Webmail Multiple Directory Traversal Vulnerabilities
SIG^2 Vulnerability Research Advisory
ArGoSoft Mail Server Webmail Multiple Directory Traversal Vulnerabilities
by Tan Chew Keong
Release Date: 09 Feb 2005
ADVISORY URL
http://www.security.org.sg/vuln/argosoftmail1873.html
SUMMARY
ArGoSoft Mail Server (http://www.argosoft.com/mailserver/) is a fully
functional SMTP/POP3/Finger (Pro version also has IMAP module) server for
Windows 95/98/NT/2000, which will let you turn your computer into the email
system. It's very compact, takes about 1-5 Mb of disk space (depending on the
version), does not have any specific memory requirements, and what is the most
important - it's very easy to use.
Multiple directory traversal vulnerabilities were found in ArGoSoft Mail
Server's Webmail that may be exploited by a logged-on mail user to upload files
to arbitrary directories on the server, retrieve arbitrary files from the
server, access other users' emails, and create/delete arbitrary directories on
the server.
TESTED SYSTEM
ArGoSoft Mail Server Version 1.8.7.3 on English WinXP SP2, Win2K SP4.
DETAILS
This advisory documents 4 directory traversal vulnerabilities in ArGoSoft Mail
Server's Webmail. Exploitation of these vulnerabilities requires a valid logon
account on the Webmail.
a. Directory traversal in email attachment filename allows file upload to
arbitrary directories
ArGoSoft Mail Server's Webmail allows a logged-on mail user to upload file
attachments when composing an email. Lack of input sanitization of the supplied
filename allows the user to upload files to arbitrary locations on the server.
This may be exploited by a malicious mail user to upload and replace other
users' password file (userdata.rec) with a copy that has a known password, thus
allowing him/her to log on as other users.
b. Directory traversal in _msgatt.rec allows any arbitrary files on the server
to be sent as attachment
By uploading a specially crafted _msgatt.rec file containing directory
traversal characters, it is possible to cause the server to send arbitrary
files on the server to the user as attachments. A malicious user may exploit
this vulnerability to email another user's password file (userdata.rec) to
himself/herself.
c. Directory traversal in /msg and /delete "Folder" parameter allows
reading/deleting of other users' emails
The /msg and /delete links allow the Webmail user to view/delete his/her
emails. It is possible to view/delete other users' emails by using directory
traversal characters in the "Folder" parameter and specifying a correct UIDL.
d. Directory traversal in /folderadd and /folderdelete "Folder" parameter
allows creating/deleting arbitrary directories on the server
The /folderadd and /folderdelete links allow the Webmail user to create/delete
mail folders. It is possible to use directory traversal characters in the
"Folder" parameter to create/delete directories in arbitrary locations on the
server. A malicious user may exploit this vulnerability to delete other users'
entire mail directories, which is effectively the same as removing the users
from the system.
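All four issues share one root cause: a user-supplied name (attachment filename, _msgatt.rec entry, or the "Folder" parameter) is joined onto a mailbox path without being confined to it. Added here as a defender's illustration, not code from the advisory or from ArGoSoft: a validator that accepts only plain Windows file/folder names and confines the joined result to the user's own mailbox directory. MAILBOX_ROOT and the one-directory-per-user layout are constructed assumptions.

```python
import ntpath
import re

# Constructed example: per-user mailbox directories under one root on a Windows
# mail server (assumed layout, not ArGoSoft's actual on-disk structure).
MAILBOX_ROOT = r"C:\ArGoSoft\Mail\Users"

# Path separators, the drive/stream separator ':', NTFS-illegal characters and
# control characters. A single name may contain none of these.
_ILLEGAL = re.compile(r'[<>:"/\\|?*\x00-\x1f]')
# Device names Windows resolves no matter which directory they are "in".
_RESERVED = ({"CON", "PRN", "AUX", "NUL"}
             | {f"COM{i}" for i in range(1, 10)}
             | {f"LPT{i}" for i in range(1, 10)})


def is_safe_component(name: str) -> bool:
    """True only for a single plain file or folder name: no separators, no '.'
    or '..', no drive letters, no reserved device names, and no trailing dots
    or spaces (NTFS silently strips those, which defeats naive comparisons)."""
    if not name or name != name.strip(" ."):
        return False
    if _ILLEGAL.search(name):
        return False
    return name.split(".")[0].upper() not in _RESERVED


def resolve_user_path(username: str, *components: str):
    """Join user-supplied names under the user's mailbox directory.
    Returns the absolute path, or None if any component is unsafe or the
    normalised result would escape the mailbox (e.g. a "Folder" parameter
    pointing at another user's directory)."""
    if not all(is_safe_component(c) for c in (username, *components)):
        return None
    user_dir = ntpath.join(MAILBOX_ROOT, username)
    target = ntpath.normpath(ntpath.join(user_dir, *components))
    # Defence in depth: confine the normalised path even after per-name checks.
    low, base = target.lower(), user_dir.lower()
    if low != base and not low.startswith(base + "\\"):
        return None
    return target


def attachment_filename(supplied: str):
    """Reduce an uploaded attachment's filename to its last path component
    (older browsers sent the full client-side path), then validate it.
    None means the upload must be refused rather than written anywhere."""
    base = ntpath.basename(supplied.replace("/", "\\"))
    return base if is_safe_component(base) else None
```

Log every None result with the raw value: a rejected "Folder" or filename containing separators or ".." is a direct signal of the traversal attempts described above.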
PATCH
Upgrade to version v1.8.7.4.
DISCLOSURE TIMELINE
06 Feb 05 - Vulnerability Discovered.
08 Feb 05 - Initial Vendor Notification.
08 Feb 05 - Received Notification from Vendor that Fixed Version was Released.
09 Feb 05 - Public Release.
GREETINGS
All guys at SIG^2 G-TEC Lab
http://www.security.org.sg/webdocs/g-tec.html
"IT Security...the Gathering. By enthusiasts for enthusiasts."