[prev in list] [next in list] [prev in thread] [next in thread]
List: bugtraq
Subject: Multiple vulnerabilities in Merak Mail Server 8.0.3 with Icewarp
From: ShineShadow <ss_contacts () hotmail ! com>
Date: 2005-05-04 4:47:46
Message-ID: 20050504044746.3638.qmail () www ! securityfocus ! com
[Download RAW message or body]
ShineShadow Security Report 04052005-05
TITLE: Multiple vulnerabilities in Merak Mail Server 8.0.3 with Icewarp Web Mail \
5.4.2.
BACKGROUND
Merak Mail Server, with the revolutionary Merak Mail Server GroupWare Server, \
cutting-edge Merak Mail Server Instant Antispam and much more, is the fastest, most \
stable, secure and 100% virus free mail server on the market today. Every day \
companies choose Merak Mail Server's stability, speed, security, functionality, \
scalability and multi-tiered delegated manageability over products costing thousands \
of dollars more yet lacking the sophistication that Merak delivers. In less than 10 \
minutes you can have the same professional email server that organizations such as \
NATO, the U.S. Navy, the FBI, Toyota, the U.S. Government, and many ISP Providers and \
Developers depend on every day.
Source: www.MerakMailServer.com
VULNERABLE PRODUCT
MERAK Mail Server 8.0.3 with Icewarp Web Mail 5.4.2 (maybe other)
DETAILS
1. Multiple cross-site scripting (XSS) vulnerabilities.
Description:
Remote user, who HAS account on Merak Mail Server, can execute cross-site scripting \
(XSS) attack.
Vulnerable scripts:
address.html
addressaction.html
settings.html
calendarsettings.html
Examples:
http://localhost:32000/mail/address.html -> Add New Address -> E-mail address = \
[xss_here] http://localhost:32000/mail/address.html -> Add New Address -> Other -> \
Note = [xss_here] http://localhost:32000/mail/address.html -> Add New Address -> \
Public Certificate (PEM Format) = [xss_here] \
http://localhost:32000/mail/settings.html -> Signature = [xss_here] \
http://localhost:32000/mail/calendarsettings.html -> Shared calendars = [xss_here]
2. Full install path disclosure.
Description:
Remote user, who HAS account on Merak Mail Server, can disclosure full install path \
of the product. It could be used during attack on an affected system.
Vulnerable scripts:
calendar_addevent.html
calendar_event.html
calendar_task.html
Examples:
http://localhost:32000/mail/calendar_addevent.html?id=[sessionid]
http://localhost:32000/mail/calendar_event.html?id=[sessionid]
http://localhost:32000/mail/calendar_task.html?id=[sessionid]
3. Moving user home directory.
Description:
Remote user, who HAS account on Merak Mail Server, can moving his home directory with \
subdirectories to his mail folder. Default home directory: [Merak Root Dir] \ Webmail \
\ Users \ [Domain] \ [User] Default user mail folder: [Merak Root Dir] \ Mail \ \
[Domain] \ [User] It could be used during attack on an affected system.
Vulnerable script:
viewaction.html
Example:
http://localhost:32000/mail/viewaction.html?id=[sessionid]&Move_x=1&folder=\
4. MERAK local file detection.
Description:
Remote user, who HAS account on Merak Mail Server, can detect arbitrary file existing \
on local file system of Merak Mail Server. It could be used during attack on an \
affected system.
Note: File mailbox.dat (in user home directory) MUST NOT EXISTS during exploiting of \
this vulnerability. Possible move this file using vulnerability #3.
Vulnerable script:
attachment.html
Example:
http://localhost:32000/mail/attachment.html?id=[sessionid]&attachmentpage_text_title=FILE \
NOT FOUND&folder=[full path to file]
5. Moving and viewing arbitrary files on remote system.
Description:
Remote user, who HAS account on Merak Mail Server, can moving arbitrary files on \
local file system of the target. The file will be moved to user home directory \
(default [Merak Root Dir]\webmail\users\[Domain]\[User]) and will be renamed to \
import.tmp. After that attacker can view this file using vulnerability #3 or import \
file to address book and view it in there. This vulnerability could be used for \
causing denial of service (DOS) conditions or access to arbitrary files on affected \
system. From files user.dat, users.dat attacker could get users and administrators \
passwords and take complete control of a Merak Mail Server. With administrator \
privileges on Merak Mail Server the attacker using [Executables] function of the \
product could execute arbitrary commands on remote system with mailserver privileges. \
If Merak Mail Server was been running under administrator account then attacker could \
take complete control of an affected system. This vulnerability also could be used \
for detection arbitrary file existing on Merak Mail Server.
Vulnerable script:
importaction.html
Example:
Moving target file to user home directory:
http://localhost:32000/importaction.html?id=[sessionid]&importfile=[arbitrary \
path]&action=upload&Import=1&importfile_size=1000000 Import target file to user \
address book: http://localhost:32000/mail/importaction.html?id=[sessionid]&action=set÷r=%3a&sel[0]=NAME1
6. Unfixed old vulnerabilities.
Description:
Merak Mail Server 8.0.3 with Icewarp Web Mail 5.4.2 has unfixed old vulnerabilities. \
In January I discovered some vulnerabilities in Merak Mail Server 7.6.4r with Icewarp \
Web Mail 5.3.2(http://www.securityfocus.com/archive/1/388751). The following \
vulnerabilities are NOT been fixed by vendor and exists in the Icewarp Web Mail \
5.4.2:
- Full install path disclosure
- Weakness encryption of the users passwords
EXPLOITATION
IceWarp Web Mail (control.exe service) must be running on Merak Mail Server. Account \
on Merak Mail Server is needed.
WORKAROUND
Disable Icewarp Web Mail service (Control.exe).
VENDOR STATUS
Not contacted.
SUMMARY
An attacker who successfully exploited vulnerabilities described in this report could \
take complete control of a Merak Mail Server 8.0.3 or an affected remote system. \
Merak Mail Server 8.0.3r with Icewarp Web Mail 5.4.3 also vulnerable to other \
(undescribed in this report) critical vulnerabilities. An attacker who successfully \
exploited of this undescribed vulnerabilities could take complete control of a Merak \
Mail Server or an affected remote system. I’m not advice to use this product, you \
must disable Icewarp Web Mail service.
CREDITS
ShineShadow, undependent IT security expert.
To get more information, please contact me by e-mail.
04.05.2005
ShineShadow,
ss_contacts@hotmail.com
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic