<<< Date Index >>>     <<< Thread Index >>>

Re: MicroWorld MailScan - Multiple Vulnerabilities within Admin-Webinterface



Please find attached the advisory regarding MicroWorld's MailScan for Mailservers.

Cheers,

Oliver
MicroWorld MailScan - Multiple Vulnerabilities within Admin-Webinterface
========================================================================


Affected Products <<


- MailScan for Mail Servers * Version: 5.6.a with espatch1
    * Win32 Platform

Other Mailscan Products, Versions, also, if available for other platforms, were not tested.


Product/Company Information <<


From MicroWorld's website: "MailScan 5.6 is the world's most advanced Real-Time AntiVirus and AntiSpam solution for Mail Servers. The software safeguards organizations against Virus, Worm, Trojan and many other malware breeds with futuristic and proactive technologies. Employing an array of intelligent filters, MailScan offers powerful protection against Spam and Phishing mails along with comprehensive Content Security."

  http://www.microworld.de
  http://www.mwti.net

Vulnerabilities <<


MailScan offers "Web Based Administration". The administration console (Server.exe) is running as an http service on tcp port 10443 with LocalSystem privileges. The communication is plain http without SSL/TLS.

The interface is vulnerable to the attacks described below. All attacks do *not* require authentication.


-- >> Directory Traversal <<

It is possible to access files on the system outside of the webroot directory with privileges of the LocalSystem account:

    echo -e "GET /../../../../boot.ini HTTP/1.0\r\n\r\n" | nc <server> <port>


-- >> Authentication bypass <<

  After a login attempt with an invalid username and password, the application
  is setting a cookie at the webclient with the following content:

       Set-Cookie: User=admin; path=/
       Set-Cookie: login=true; path=/
       Set-Cookie: IsAdmin=false; path=/
       Set-Cookie: IP=; path=/


Providing valid username and password will give a cookie with the following content:

       Set-Cookie: User=admin; path=/
       Set-Cookie: login=true; path=/
       Set-Cookie: IsAdmin=true; path=/
       Set-Cookie: IP=; path=/

  It is sufficient to set the cookie as shown above to get authenticated on the
  admin interface. The user "admin" is a default account, with a password set 
during
  installation.

*BUT* requesting a resource on the webserver *without* supplying a cookie will also grant access to the requested resource. The attacker just needs to know the path to the resource.


-- >> Cross-Site-Scripting (XSS) <<

  
http://ip:10443/<script>alert("No_Problem_its_just_an_admin_interface")</script>



-- >> Access to Logfile <<


It is possible to access the logfiles of the application because the folder "/LOG" inside the webroot ("C:\Program Files\Common Files\MicroWorld\WebServer") is not protected.... note that this does not require the directory traversal, mentioned before and thus is imho a separate vuln.
  The logfiles contain different information, like installation path, ip 
adresses,
  and error messages.

    http://ip:10443/LOG/W072808.LOG     (Format seems to be W:Month:Date:year)

     and

    http://ip:10443/LOG/Weblog.LOG

History <<

28. July 2008 - Touching base with MicroWorld's Support via Messenger
28. July 2008 - Sending High-Level description of vulns and RFP-Policy to agree
30. July 2008 - MicroWorld agreed to the policy
30. July 2008 - Detailed description and PoC-Script creating an admin user 
without
               authenticatin send to Microworld
01. Aug. 2008 - Asking Microworld if they were able to reproduce
02. Aug. 2008 - MicroWorld answered: "Not Yet"
05. Aug. 2008 - Asking Microworld if they were able to reproduce, and if yes, 
when
               a patch will be available
13. Aug. 2008 - No response from Microworld; I informed them that i will publish
               an advisory within the next days
15. Aug. 2008 - Advisory release


Credits <<

mail: Oliver-dot-karow-at-gmx-dot-de
advisory: http://www.oliverkarow.de/research/mailscan.txt
blog: 
http://oliver.greyhat.de/2008/08/15/multiple-vulnerabilities-within-mailscan-admin-interface/