assp.txt, reported by Micheal Espinola Jr, 27 Aug 2006 (packetstormsecurity.com)

Anti-Spam SMTP Proxy (ASSP) "get?file" Traversal Vulnerability, Medium severity, affects all versions of ASSP running Perl since 2003. Allows authenticated users to manipulate URL to retrieve files locally or across LAN. Vendor status: no longer maintained by creator, maintained "unofficially" off-site

Anti-Spam SMTP Proxy (ASSP) "get?file" Traversal Vulnerability  
  
Release Date:  
August 15, 2006  
  
Notice:  
This is a known flaw, and has been since the implementation of an  
enhanced web interface for ASSP, since at least 2003. I do not  
normally test for security vulnerabilities or address them directly,  
but my recently acquired Perl experience prompted me to address this  
specific issue.  
  
Severity:  
Medium (authenticated user)  
  
Vendor:  
Open Source (assp.sourceforge.net)  
  
Systems Affected:  
Since at least 2003, all versions of ASSP on any platform running Perl.  
  
Background:  
The ASSP server project is an Open Source platform-independent SMTP  
proxy server that leverages numerous methodologies and technologies to  
both rigidly and adaptively identify spam. ASSP runs as a Perl  
application.  
  
Overview:  
ASSP serves the files its web interface needs through a URL parameter  
("get?file"). ASSP does not operate as a true web server; it reads  
those files with the same permissions as the user or service account  
running the Perl application script.  
  
Problem:  
Authenticated users (ASSP has only a single configurable administrative  
password) can manipulate the ASSP "get?file" URL to retrieve other  
files, both locally and across the LAN. Apart from a relative-directory  
traversal check, no other validation is performed, so a malicious user  
can request a known resource by its local path or by a network UNC path.  
  
This is particularly troubling where administrators with little  
security awareness run such daemons and services (especially on Win32)  
with administrator-level privileges.  
  
Two identical lines in the Perl code provide checks against this  
"get?file" functionality. One line is used for the web site interface  
itself (for loading images and CSS); the other is for administratively  
opening text files for remote-editing purposes. The line of code in  
question is:  
  
if ($fil=~/\.\./) {  
  
As you can see, the only check performed here is if the file path  
requested contains ".." .  
  
Exploitable examples:  
http://server.domain.tld:55555/get?file=c:\dir\subdir\file.ext  
http://server.domain.tld:55555/get?file=\\server\share\dir\file.ext  
  
Protection:  
I have come up with a simple replacement for the original line of code  
for protection against this vulnerability:  
  
if ($fil!~/$base\/.*\.(css|gif|jpg|png|txt)$/i) {  
  
This confines retrieval to ASSP's base directory structure and allows  
only five file types to be retrieved.  
  
Caveat:  
I am told that FreeBSD's port of ASSP uses "." as the specified  
directory base (reflected in the application as the variable $base),  
per the command line used to start ASSP. The base directory is  
intended to reflect the actual location of ASSP, and this is an  
inappropriate use of the base directory specification. This misuse may  
extend to other "ports" of ASSP as well.  
  
If you are using such a port, I recommend the following line of code instead:  
  
if ($fil!~/.*\.(css|gif|jpg|png|txt)$/i) {  
  
This will not lock the traversal vulnerability to the ASSP directory  
structure, but it will at least provide a level of protection for  
numerous types of files until a more suitable solution is developed.  
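To make the Protection and Caveat sections concrete, the following Perl harness is an added example (not code from ASSP or from this advisory). It runs ASSP's original check, the advisory's proposed replacement, and a hardened variant over a few constructed request values. It assumes, as the advisory's regex does, that the check is applied to the raw value of the file parameter and that $base is the directory passed on the ASSP command line; the base directory and the file paths are constructed for the demo. It goes slightly beyond the advisory: besides the drive-letter and UNC examples, it shows that the proposed replacement, because it drops the ".." test and is not anchored at the start of the string, still accepts a path that contains "$base/" followed by parent-directory segments, and that a base of "." (the FreeBSD port case) is interpolated into the pattern as a regex wildcard rather than a literal dot.

```perl
#!/usr/bin/perl
# Added example (not ASSP's or the advisory author's code): the original
# "get?file" check and the advisory's proposed replacement, next to a
# hardened variant, run over constructed request values.
use strict;
use warnings;

# Assumption: $fil is the raw value of the "file" query parameter and $base
# is the ASSP directory given on the command line, as the advisory describes.
my $base = '/usr/local/assp';    # constructed; the FreeBSD port reportedly uses '.'

# ASSP's original check: reject only when the path contains "..".
sub original_allows {
    my ($fil) = @_;
    return $fil =~ /\.\./ ? 0 : 1;
}

# The advisory's replacement: require "$base/" somewhere in the path plus an
# allow-listed extension. $base is interpolated unescaped, the pattern is not
# anchored at the start of the string, and the ".." test is gone.
sub proposed_allows {
    my ( $fil, $dir ) = @_;
    return $fil !~ /$dir\/.*\.(css|gif|jpg|png|txt)$/i ? 0 : 1;
}

# Hardened variant: anchor at the start, quote $base with \Q...\E so a "." or
# a Windows path in it is matched literally, keep the ".." rejection, refuse
# backslashes and NUL bytes (drive and UNC paths), and accept only plain path
# components ending in an allow-listed extension.
sub hardened_allows {
    my ( $fil, $dir ) = @_;
    return 0 if $fil =~ /\.\./;
    return 0 if $fil =~ /[\\\0]/;
    return 0 if $fil !~ /^\Q$dir\E\/(?:[\w.-]+\/)*[\w.-]+\.(?:css|gif|jpg|png|txt)$/i;
    return 1;
}

# Constructed request values: one legitimate file, the advisory's two examples,
# and two inputs that the proposed replacement still lets through.
my @cases = (
    "$base/images/logo.gif",
    'c:\dir\subdir\file.ext',
    '\\\\server\\share\\dir\\file.ext',
    "$base/../../../etc/passwd.txt",
    "/tmp/evil$base/x.css",
);

printf "%-45s  original  proposed  hardened\n", 'file=';
for my $fil (@cases) {
    printf "%-45s  %-8d  %-8d  %-8d\n", $fil,
        original_allows($fil), proposed_allows( $fil, $base ),
        hardened_allows( $fil, $base );
}

# With the FreeBSD port's base of ".", the unquoted "." in the proposed
# pattern matches any character, so nearly any path with an allowed extension
# passes; the quoted, anchored variant does not have that problem.
printf "\nbase='.': proposed=%d hardened=%d for c:/somedir/notes.txt\n",
    proposed_allows( 'c:/somedir/notes.txt', '.' ),
    hardened_allows( 'c:/somedir/notes.txt', '.' );
```

Run it with perl. The expected verdicts are: the original check accepts everything except the ".." path, including the drive-letter and UNC examples from the advisory; the proposed replacement rejects those two but accepts both the "$base/../.." path and the path where "$base/" appears after an unrelated prefix; the hardened variant accepts only the legitimate file. A maintainer who adopts the hardened form would still do well to resolve the final path with Cwd::realpath and confirm it begins with $base, since a regex cannot see through symbolic links.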
  
Vendor Status:  
John Hanna, the creator of ASSP, no longer maintains the code. Other  
developers contribute new code and fix bugs "unofficially" off-site.  
  
Fritz Borgstedt, the current principal developer, hosts newly revised  
beta code at his website, while the SourceForge web site has stable  
code posted to it on occasion.  
  
Related Links:  
http://assp.sourceforge.net (SourceForge home)  
http://www.iworld.de/homes/fb/ASSP/ (Fritz's beta development site)  
http://www.asspsmtp.org/wiki (Documentation Wiki)  
  
Copyright (c) 2006 Micheal Espinola Jr:  
Permission is hereby granted for the redistribution of this alert  
electronically. It is not to be edited in any way without express  
consent of Micheal Espinola Jr. If you wish to reprint the whole or  
any part of this alert in any other medium excluding electronic  
medium, please email [email protected] for permission.  
  
Disclaimer:  
The information within this paper may change without notice. Use of  
this information constitutes acceptance for use in an AS IS condition.  
There are no warranties, implied or express, with regard to this  
information. In no event shall the author be liable for any direct or  
indirect damages whatsoever arising out of or in connection with the  
use or spread of this information. Any use of this information is at  
the user's own risk.  
  
I hope this is of use to someone – preferably someone that can  
address the problem better than I can.  
  
--   
ME2  
  