[prev in list] [next in list] [prev in thread] [next in thread] 

List:       bugtraq
Subject:    Multiple vulnerabilities in Merak Mail Server 8.0.3 with Icewarp
From:       ShineShadow <ss_contacts () hotmail ! com>
Date:       2005-05-04 4:47:46
Message-ID: 20050504044746.3638.qmail () www ! securityfocus ! com
[Download RAW message or body]



ShineShadow Security Report  04052005-05

TITLE: Multiple vulnerabilities in Merak Mail Server 8.0.3 with Icewarp Web Mail \
5.4.2.

BACKGROUND

Merak Mail Server, with the revolutionary Merak Mail Server GroupWare Server, \
cutting-edge Merak Mail Server Instant Antispam and much more, is the fastest, most \
stable, secure and 100% virus free mail server on the market today.  Every day \
companies choose Merak Mail Server's stability, speed, security, functionality, \
scalability and multi-tiered delegated manageability over products costing thousands \
of dollars more yet lacking the sophistication that Merak delivers. In less than 10 \
minutes you can have the same professional email server that organizations such as \
NATO, the U.S. Navy, the FBI, Toyota, the U.S. Government, and many ISP Providers and \
Developers depend on every day.

Source: www.MerakMailServer.com

VULNERABLE PRODUCT

MERAK Mail Server 8.0.3 with Icewarp Web Mail 5.4.2 (maybe other)

DETAILS

1. Multiple cross-site scripting (XSS) vulnerabilities.

Description: 
Remote user, who HAS account on Merak Mail Server, can execute cross-site scripting \
(XSS) attack.

Vulnerable scripts:
address.html
addressaction.html
settings.html
calendarsettings.html

Examples:

http://localhost:32000/mail/address.html -> Add New Address -> E-mail address = \
[xss_here] http://localhost:32000/mail/address.html -> Add New Address -> Other -> \
Note = [xss_here] http://localhost:32000/mail/address.html -> Add New Address -> \
Public Certificate (PEM Format) = [xss_here] \
http://localhost:32000/mail/settings.html -> Signature = [xss_here] \
http://localhost:32000/mail/calendarsettings.html -> Shared calendars = [xss_here]


2. Full install path disclosure.

Description:	
Remote user, who HAS account on Merak Mail Server, can disclosure full install path \
of the product. It could be used during attack on an affected system.

Vulnerable scripts: 
calendar_addevent.html
calendar_event.html
calendar_task.html

Examples: 
http://localhost:32000/mail/calendar_addevent.html?id=[sessionid]
http://localhost:32000/mail/calendar_event.html?id=[sessionid]
http://localhost:32000/mail/calendar_task.html?id=[sessionid]

3. Moving user home directory.

Description:
Remote user, who HAS account on Merak Mail Server, can moving his home directory with \
subdirectories to his mail folder. Default home directory: [Merak Root Dir] \ Webmail \
\ Users \ [Domain] \ [User] Default user mail folder: [Merak Root Dir] \ Mail \ \
[Domain] \ [User] It could be used during attack on an affected system.

Vulnerable script:
viewaction.html

Example: 
http://localhost:32000/mail/viewaction.html?id=[sessionid]&Move_x=1&folder=\

4. MERAK local file detection.

Description:
Remote user, who HAS account on Merak Mail Server, can detect arbitrary file existing \
on local file system of Merak Mail Server. It could be used during attack on an \
                affected system.
Note: File mailbox.dat (in user home directory) MUST NOT EXISTS during exploiting of \
this vulnerability. Possible move this file using vulnerability #3.

Vulnerable script:
attachment.html

Example:
http://localhost:32000/mail/attachment.html?id=[sessionid]&attachmentpage_text_title=FILE \
NOT FOUND&folder=[full path to file]

5. Moving and viewing arbitrary files on remote system.

Description: 
Remote user, who HAS account on Merak Mail Server, can moving arbitrary files on \
local file system of the target. The file will be moved to user home directory \
(default [Merak Root Dir]\webmail\users\[Domain]\[User]) and will be renamed to \
import.tmp. After that attacker can view this file using vulnerability #3 or import \
file to address book and view it in there. This vulnerability could be used for \
causing denial of service (DOS) conditions or access to arbitrary files on affected \
system. From files user.dat, users.dat attacker could get users and administrators \
passwords and take complete control of a Merak Mail Server. With administrator \
privileges on Merak Mail Server the attacker using [Executables] function of the \
product could execute arbitrary commands on remote system with mailserver privileges. \
If Merak Mail Server was been running under administrator account then attacker could \
take complete control of an affected system. This vulnerability also could be used \
for   detection arbitrary file existing on Merak Mail Server.

Vulnerable script: 
importaction.html

Example:
Moving target file to user home directory:
http://localhost:32000/importaction.html?id=[sessionid]&importfile=[arbitrary \
path]&action=upload&Import=1&importfile_size=1000000 Import target file to user \
address book: http://localhost:32000/mail/importaction.html?id=[sessionid]&action=set&divider=%3a&sel[0]=NAME1


6. Unfixed old vulnerabilities.

Description:
Merak Mail Server 8.0.3 with Icewarp Web Mail 5.4.2 has unfixed old vulnerabilities. \
In January I discovered some vulnerabilities in Merak Mail Server 7.6.4r with Icewarp \
Web Mail 5.3.2(http://www.securityfocus.com/archive/1/388751). The following \
vulnerabilities are NOT been fixed by vendor and exists in the Icewarp Web Mail \
                5.4.2:
- Full install path disclosure
- Weakness encryption of the users passwords

EXPLOITATION

IceWarp Web Mail (control.exe service) must be running on Merak Mail Server. Account \
on Merak Mail Server is needed.

WORKAROUND

Disable Icewarp Web Mail service (Control.exe).

VENDOR STATUS

Not contacted.

SUMMARY

An attacker who successfully exploited vulnerabilities described in this report could \
take complete control of a Merak Mail Server 8.0.3 or an affected remote system. \
Merak Mail Server 8.0.3r with Icewarp Web Mail 5.4.3 also vulnerable to other \
(undescribed in this report) critical vulnerabilities. An attacker who successfully \
exploited of this undescribed vulnerabilities could take complete control of a Merak \
Mail Server or an affected remote system. I’m not advice to use this product, you \
must disable Icewarp Web Mail service.   
CREDITS

ShineShadow, undependent IT security expert. 
To get more information, please contact me by e-mail.

04.05.2005
ShineShadow,
ss_contacts@hotmail.com


[prev in list] [next in list] [prev in thread] [next in thread] 

Configure | About | News | Add a list | Sponsored by KoreLogic