what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

spj-004-000.txt

spj-004-000.txt
Posted Jun 13, 2000
Authored by s0ftpj, FuSyS | Site s0ftpj.org

S0ftpj Security Advisory SPJ-004-000 - Multiple remote CGI vulnerabilities in MailStudio2000. Users can view any file on the system, as well as execute commands remotely as root. Major search engines can be used to locate vulnerable hosts. Exploit descriptions included.

tags | exploit, remote, cgi, root, vulnerability
SHA-256 | 6550727efc6ec1b93efcd6c291fe46eb0b814d183be7bc7774db23d9d629e939

spj-004-000.txt

Change Mirror Download
SPJ-004-000:

.::::::::+[ s0ftpr0ject 2K ]+::::::::.
::::+[ Digital Security for Y2K ]+::::
:::'"""`"'"""`"'"""`"'"""`"'"`"'""`:::
::'.g#S$"$S#n. .g#S$"$S#n. S#n.`::
:: $$$$$ $$$$$ $$$$$ $$$$$ $$$$ ::
:: $$$$$ $$$$$ $$$$$ $$$$ ::
:: `$$$$$$$$$n $$$$$ $$$$$ $$$$ ::
:: $$$$$ $$$$$s$$$$' $$$$ ::
:: $$$$$ $$$$$ $$$$$ $$$$$ $$$$ ::
:: `$$$$s$$$S' `$$$$ `$$$$s$$S' ::
:::...........:.....:::::..........:::
:::+[ Security Advisory, 004-000 ]+:::
`::::::::+[ Jun 09, 2000 ]+:::::::::'


Multiple Remote CGI Vulnerabilities in MailStudio2000

by FuSyS <fusys@s0ftpj.org>,
Naif <naif@itapac.net> and vecna <vecna@s0ftpj.org>


---[ Systems affected ]-------------------------------------------------------

Possibly all systems running MailStudio2000 2.0 and lower versions.

---[ Condition of discovery ]-------------------------------------------------

Credit for discovering the initial 'file viewing' vulnerability in one cgi,
mailview, goes to Naif; subsequent probes by vecna and FuSyS. Credit for
userreg 'command execution' goes to FuSyS.

The test on MailStudio2000 began as a simple question on the mailing lists
accessible at https://www.sikurezza.org/

---[ Impact ]-----------------------------------------------------------------

There are at least two distinct bugs we'll mention.

Any user who can remotely login to MailStudio2000, can view any file on the
system. This implies other users' e-mail is nomore private, nor is the login
and password dbase, nor the configuration files of the running system.

This has a medium level impact on the security of the system, as the CGI
programs run with root permissions and privileges, permitting the attacker to
look at the passwd/shadow files, home directories, log files ...

Not least important, all other users' e-mail is readable by the attacker.
Consider this as important, as MailStudio is being sold to lots of web sites
and it is also possible to use search engines such as AltaVista to search
for compromisable hosts, which run these CGIs.

The worst problem however is a poor input validation in a specific CGI which
accesses the shell to execute a command. Injecting a single non filtered
char, we can make the remote host execute any command we wish.


---[ Detailed description ]---------------------------------------------------

(1) Read, and knowledge will be thine ...

MailStudio2000 is a web based e-mail server solution from 3RSoft.com .
It's included in the retail version of RedHat Linux 6.1 and has been reviewd
by LinuxJournal and Dave's Central. From 3RSoft website:

"Over 10 millions mailboxes worldwide"

It's functionality rotates around a group of CGI applications contained in
the cgi-auth directory of the binary distribution.

While on the homepage the seller clearly states that the confidentiality of
users' e-mail will be preventatively protected, the developers missed one
of the most common problems:

check of user input in jailed environements, to protect the bypass of the root
directory and the examination of other, sensitive or not, files.

This is exactly what we found here. Seems that every CGI application in
cgi-auth directory contains the same problem. The server can look through
authorized users, so we must first login with a valid user and password.
The problem is, this software is mostly used for FREE web-mail services; so
just register and get going.

After the logon we can easily call one of the CGI, mailview.cgi as:


mailview.cgi?cmd=view&fldrname=inbox&select=1&html=../../../../../../etc/passwd


it's interesting to note that simply using /etc/passwd as value for the html
parameter will not work, as the environement has changed the root directory.
the number of '..' you are going to use changes accordingly to the CWD of the
MailStudio2000 software. In this case simply '/home/sysop/mailstudio2k/'.

Just to show that every CGI seems affected, here is an example [word-wrapped]:


maillist.cgi?cmd=list&fldrname=inbox&fldnum=1&order=2&searchkey=&search_fldnum=0
&page=99999&html=../../../../../../etc/passwd


Why is this important ? MailStudio2000 runs as root, by default. This means
/etc/shadow is readable as well.

Every users' mail, via /var/spool/mail/ or ~/userdb/login_name/inbox can be
snooped.

/etc/mailstudio.conf will merrily give away the administration port and the
license key, if you didn't have a commercial one.

Once we know the administration password, grabbed from the passwd or shadow
file, we can have access to the sysop menu and even disable other people's
accounts.

These problems and attack options pose a great risk to users' privacy and
heavily affect the security of the product.


(2) Act, and thou shalt be free ...

This is obviously the worst problem which is readily evident in this server.
The CGI application userreg.cgi is used to register new users before they
can login to the server. The problem is, anyone can execute it.

This CGI simply executes a useradd -s /bin/noshell -p password %s
The login name string, %s, is filtered out of capital characters, blank spaces
and special characters, so just inserting ';' or '&' will reach nowhere.

While trying to escape via other chars by using every single parameter, we
noted that the simple \x0a char is accepted, as long as there are NO spaces
in the string. And obviously, in the error logs we saw instances of the shell
complaining for not having found our %s2 [ as in %s1\x0a%s2 ].

So we can just execute every application we can. This is a really powerful
option, especially when combined with the previous read-all possibility.

The hard point is, we don't seem able to get a workable blank space to
execute more complex command lines. So, while leaving to your fantasy and
personal delight, the right to explore, command and conquer, we'll just
make sure everybody understands this is a trivial joke, if elegance is not
on your agenda:

- simply email yourself, a normal registered web mail user, a mail,
containing in the headers, or in the body a single line like this,

spj::0:0:S0ftPj2k:/root:/bin/bash

and then

- simply use the faulty CGI to execute something like this,

cat < /var/spool/mail/your_login >> /etc/passwd

to simply put the previous line in the password file. Now you can
choose to login with a normal account, as youi can steal the password and
shadow files, this ought not be a problem, and then su - to spj.
[Obviously you can add more nifty lines via this e-mail trick ...]
Or change this way /etc/shadow and /etc/securetty ... but we are sure
you can easily find ways of executing a nice xterm back to your X
server ;)

Oh sure, here is the faulty CGI [word-wrapped]:

userreg.cgi?cmd=insert&lang=eng&tnum=3&fld1=test999%0acat
</var/spool/mail/login>>/etc/passwd


There are many other occurences of Internal Server Errors that can
be traced to small problems of input validation which could result in more
serious bugs, and could make the problem worse, regarding server security.


---[Vendor Status ]-----------------------------------------------------------

3RSoft, developer and seller of MailStudio2000 has been contacted and informed.
A copy of this advisory has been sent some days ago, as we wanted to wait at
least for a working week. Sadly, we received no response. We'd like to stress
out that between fifteen and twenty days ago, 3RSoft was notified about the
first 'file viewing' vulnerability on one of their cgi apps on the hompage
web-mail test. They patched that 'single' cgi, but never replied.

So we decided to go on and advise the community, as we've been knowing this
for quite a time, now. No information has been provided by us on this issue
on 'underground' channels or unreleased repositories.


---[ URLs and references ]----------------------------------------------------

MailStudio2000 HomePage URL : https://www.3rsoft.com/


---[ Contact informations ]---------------------------------------------------

s0ftpr0ject 2k - Digital security for Y2K (s0ftpj)
no-profit security research

Internet site: https://www.s0ftpj.org
E-mail : staff@s0ftpj.org

All advisories and security documents are available via http at:

https://www.s0ftpj.org (195.32.69.44) courtesy of Metro Olografix
https://www.olografix.org (195.32.69.44)

This document has no copyright, feel free to distribute it without any
limitation. Original copy of this document can be found at our Internet site
for free.

---[ s0ftpr0ject staff Public PGP Key ]---------------------------------------

Type Bits/KeyID Date User ID
pub 2600/15A01BB9 1999/07/22 S0ftPj Staff <staff@s0ftpj.org>

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.3i

mQFSAzeXNL8AAAEKKNzvok6FkB24mQUEx5Q4SZ97dQlmx3yNeEvG7aJ/0TDKWWUv
f6a+t1jF8V7JMhV1JxU/z38MgTYRGt6dspWlTLKb543GxBRqOdMohigBu8rUmDEb
UlD9gAav5M+OSY6oNh5a7e/YrPLhOiqxNxBIXQCDgKtIUv9NF8KbcbS96EAmNsuH
UA/hJ2Arlx2wSkmJZgvcpiM6O/1g1OYgg7Gur39SqsNZn0RUKxi463qASGfJT4sa
rpH6clBsVpNei5bf/4Bke5/8dnJL5DzM0twxTUmvdq1Pt1+6sRCd70IsqXPvjZu2
Drx4rzlLItD84xmE9w/vGdLMtPSTPwX7ak2TvhWqBOkqzWJNiRjzi+T6HiNfuqUr
sr90FndiRNJcWCbmPs2TJISLePsi9AVGL5KFfmimdSJPagzWG1FVQhyo2HS4nRWg
G7kABRG0H1MwZnRQaiBTdGFmZiA8c3RhZmZAczBmdHBqLm9yZz6JAVoDBRA3lzS/
2HS4nRWgG7kBAaYiCiQPM05Pr5FkSgjHkVUbgyxwuWkp9MDOxhvFAgcsHJUX2h6V
F02vzDMR2BOvaRhkm43IwXxK490Tp86pbbhC28SiF3TEyHjmu8tMrXo/cX69fcqy
IbvVgHKEIUYR8Sik7mLX9HqUh9qh7e6o4cH5TsCCJxIoqf2Qt4t5HA4m77H1niNP
EqY2HGzvQUPfvTf+KffdLGoAa/NSKJyB8stlWIJ4SAe7EkGscSjcDFvrm25pDT33
JHyBHBdmUY0Kr+gzmg9CuUZUhVtdun0mwZJLicOSUFQeYuPsid+ayggdgfGR7spM
NymPkS2MF8jGOKCa9EqWbn5gBP0uZm5aMrg6+O+s+xNonK0BcFH7iIUAsL9qUHLD
4edFudwxa6XW7LuJoqDVlUzhqA3Ru5Yd8eTD7vbcjR3fRngDpLDu8UhC0MFQSoDW
IWKJ
=i4i0
-----END PGP PUBLIC KEY BLOCK-----

Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    17 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close