lansuite2003.txt

2003-09-25T00:00:00
ID PACKETSTORM:31701
Type packetstorm
Reporter Phuong Nguyen
Modified 2003-09-25T00:00:00

Description

`TITLE  
=====  
602Pro Lansuite 2003 - Multiple Vulnerabilities  
  
DESCRIPTION  
===========  
“602Pro LAN SUITE is an easy-to-install and manage  
all-in-one server application. Its standards-based  
SMTP/POP3 e-mail server provides effective e-mail  
communication without the risk of destructive virus  
infiltration and productivity robbing unsolicited  
e-mail. Fax services seamlessly integrate into user  
mailboxes to unify e-mail and fax message access.”  
  
More information at http://www.software602.com  
  
PROBLEMS  
=========  
Version : 602PRO LanSuite 2003, build 2003.0.3.0828  
(latest build)  
Tested Platform : Windows (2K/XP Pro)  
  
The WebMail interface of LanSuite 2003 contains  
multiple vulnerabilities that could allow attackers to  
view sensitive information about users (mailbox number,  
message ID, login time, etc.) and read any file on the  
server.  
  
DETAILS  
=======  
[Vulnerability #1] Sensitive Files Exposure  
  
When a user logs in to the LanSuite 2003 WebMail  
server, m602cl3w.exe creates a temporary file and  
folder holding sensitive information about the current  
user, and both are accessible through the LanSuite  
WebMail interface at http://www.victim.com/mail/. The  
Tempdirs.lst file holds the temporary folder names of  
current users. Each temporary folder contains two  
files, MSGlist.mid and MSGlist.mil. Message IDs are  
written to MSGlist.mid. The username and mailbox  
number are written to MSGlist.mil.  
  
Log files are also accessible by anyone at:  
http://www.victim.com/mail/S030904L.LOG (YY/MM/DD).  
An attacker might obtain sensitive information such as  
usernames, users' IP addresses, login times, etc. Once  
obtained, this information could assist in further  
exploitation.  
  
  
[Vulnerability #2] Arbitrary File Reading [requires  
valid user credentials]  
  
A malicious user can read any file on the server if  
they have a valid LanSuite WebMail username and  
password. M602cl3w.exe checks for dot-dot-slash  
sequences most of the time, but not when the action  
"GetFile" is used. For example, a malicious user can  
read the boot.ini file by sending a request like this:  
  
http://www.victim.com/mail/m602cl3w.exe?A=GetFile&U=7921604D7A587937986E24242C0588&DL=0&FN=../../../boot.ini  
where "U" is the current user's handle string.  
Malicious users can also read other users' mail by  
using the information obtained by exploiting  
vulnerability #1.  
  
For example:   
http://www.victim.com/mail/m602cl3w.exe?A=GetFile&U=7921604D7A587937986E24242C0588&DL=0&FN=../../mboxes/605e5d4d/2f2284fd.dat  
  
VENDOR STATUS  
==============  
You can obtain the patch that fixes the  
vulnerabilities above at http://download3.software602.com/ls2003.exe  
  
Phuong Nguyen  
  
`
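
A log-review sketch for the two issues described in the advisory, added here as an example and not part of the original report: it flags requests for the exposed WebMail files and GetFile requests whose FN value contains a dot-dot path segment after decoding. The CLF-style access-log format, the case-insensitive parameter matching and the sample lines are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# File names come from the advisory; the log pattern generalises S030904L.LOG.
EXPOSED = re.compile(r"^(tempdirs\.lst|msglist\.mi[dl]|s\d{6}l\.log)$", re.I)
# Assumed CLF-style access-log request field: "METHOD target HTTP/x.y".
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value, rounds=5):
    """Undo repeated percent-encoding and fold backslashes to forward slashes."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")

def classify(target):
    """Return the list of findings (possibly empty) for one request target."""
    parts = urlsplit(target)
    name = fully_decode(parts.path).rsplit("/", 1)[-1]
    findings = []
    if EXPOSED.match(name):
        findings.append("session-or-log-file-request")
    if name.lower() == "m602cl3w.exe":
        query = {k.lower(): v for k, v in parse_qs(parts.query).items()}
        action = query.get("a", [""])[0].lower()
        for fn in query.get("fn", []):
            # Compare whole path segments so "report..final.txt" is not flagged.
            if action == "getfile" and ".." in fully_decode(fn).split("/"):
                findings.append("getfile-path-traversal")
    return findings

def scan(log_lines):
    """Yield (line_number, findings) for each access-log line that matches."""
    for number, line in enumerate(log_lines, 1):
        match = REQUEST.search(line)
        findings = classify(match.group(1)) if match else []
        if findings:
            yield number, findings

# Constructed sample lines (documentation addresses, placeholder handle).
SAMPLE = [
    '192.0.2.10 - - [04/Sep/2003:10:00:01 +0000] "GET /mail/m602cl3w.exe?A=GetFile&U=HANDLE&DL=0&FN=attach.txt HTTP/1.0" 200 512',
    '192.0.2.11 - - [04/Sep/2003:10:02:17 +0000] "GET /mail/m602cl3w.exe?A=GetFile&U=HANDLE&DL=0&FN=../../../boot.ini HTTP/1.0" 200 211',
    '192.0.2.11 - - [04/Sep/2003:10:03:40 +0000] "GET /mail/S030904L.LOG HTTP/1.0" 200 9120',
    '192.0.2.11 - - [04/Sep/2003:10:03:55 +0000] "GET /mail/Tempdirs.lst HTTP/1.0" 200 64',
]
```

Calling `list(scan(SAMPLE))` reports lines 2 to 4. Hits on the file names also show whether the patched build still serves those files to unauthenticated clients.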