by Tan Chew Keong
Release Date: 23 Mar 2005
SurgeMail is a next generation Mail Server, combining features, performance and ease of use into a single integrated
product. It is ideal on Windows NT/2K or UNIX (Linux, Solaris etc.) and supports all the standard protocols: IMAP,
POP3, SMTP, SSL, ESMTP.
A vulnerability was found in SurgeMail's Webmail file attachment upload feature. It may be exploited by a malicious
Webmail user to upload files to certain locations on the server, obtain file listings of certain directories,
and/or send certain files on the server to him/herself. Two XSS vulnerabilities were also found.
SurgeMail Version 2.2g3 for Windows on English Win2K SP4.
This advisory documents two Webmail vulnerabilities found in the SurgeMail server. The first is a file attachment
upload vulnerability. It may be exploited by a malicious Webmail user to upload files to certain locations on the
server, obtain file listings of certain directories, and/or send certain files on the server to him/herself.
The second is a Cross-Site Scripting (XSS) vulnerability.
1. File Attachment Upload Vulnerability.
SurgeMail allows a logged-on user to attach files when composing a new email via the Webmail interface. Uploaded
file attachments are temporarily stored in the
c:\surgemail\web_work\u_xx\xxxx@hostname@127_0_0_1\attach\SomeRandomNumber\ directory. When the user clicks
the Attach button in the Webmail, the selected file is sent as a multipart/form-data POST request to the server.
In particular, the value of SomeRandomNumber is part of this POST request (the attach_id parameter) and is under
the attacker's control. The server creates the directory "SomeRandomNumber" if it does not exist. By using
directory traversal characters, it is possible to cause the uploaded files to be written to other directories.
The following illustrates this.
-----------------------------225522414318920
Content-Disposition: form-data; name="attach_id"
423c2ce0_c0_18471 // legitimate request
-----------------------------225522414318920
Content-Disposition: form-data; name="attach_id"
../../../../../../.. // manipulated request
The manipulated request causes the uploaded file to be written to the root directory (C:\). The uploaded file is
always suffixed with the .tmp extension. A directory listing of C:\ is obtained as a side-effect of this
exploitation. This is shown in the screen capture below.
If the user now sends this email to himself, he will be able to receive some of the files in C:\ as attachments,
subject to the maximum allowed size of his mailbox.
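As an added example that is not SurgeMail's code, the following Python shows the server-side check that would stop the manipulated attach_id above: the parameter is matched against a strict allowlist (the pattern is an assumption modelled on the legitimate value quoted) and the resolved directory is confirmed to remain a strict child of the user's attach directory. The request bodies and base directory below are constructed from the two requests shown, not captured traffic.

```python
import ntpath
import re

# Allowlist shaped like the legitimate attach_id in the advisory (hex_hex_decimal).
# The exact rule is an assumption for this example, not SurgeMail's own.
ATTACH_ID_RE = re.compile(r"[0-9a-f]{1,16}_[0-9a-f]{1,8}_[0-9]{1,10}")


def is_contained(base_dir, attach_id):
    """True only if base_dir\\attach_id normalises to a strict child of base_dir."""
    base = ntpath.normpath(base_dir)
    target = ntpath.normpath(ntpath.join(base, attach_id))
    if target == base:  # empty id or traversal back to the base itself
        return False
    try:
        return ntpath.commonpath([base, target]) == base
    except ValueError:  # different drive, or absolute/relative mix
        return False


def resolve_attach_dir(base_dir, attach_id):
    """Return the attachment directory or raise ValueError (two independent checks)."""
    if not ATTACH_ID_RE.fullmatch(attach_id):
        raise ValueError("attach_id rejected by allowlist")
    if not is_contained(base_dir, attach_id):
        raise ValueError("attach_id escapes the attach directory")
    return ntpath.join(ntpath.normpath(base_dir), attach_id)


def attach_id_from_body(body, boundary):
    """Extract the attach_id field from a raw multipart/form-data body (CRLF framed)."""
    for part in body.split(boundary):
        headers, sep, value = part.partition("\r\n\r\n")
        if sep and 'name="attach_id"' in headers:
            return value.rstrip("\r\n")
    return None


def classify_upload(body, boundary, base_dir):
    """'ok', 'rejected' or 'missing'; suitable as a detection verdict for request logs."""
    attach_id = attach_id_from_body(body, boundary)
    if attach_id is None:
        return "missing"
    try:
        resolve_attach_dir(base_dir, attach_id)
        return "ok"
    except ValueError:
        return "rejected"


# Constructed sample data modelled on the advisory's two requests.
BOUNDARY = "-----------------------------225522414318920"
BASE_DIR = r"c:\surgemail\web_work\u_xx\user@hostname@127_0_0_1\attach"
_PART = '\r\nContent-Disposition: form-data; name="attach_id"\r\n\r\n'
LEGIT_BODY = BOUNDARY + _PART + "423c2ce0_c0_18471\r\n" + BOUNDARY + "--\r\n"
TRAVERSAL_BODY = BOUNDARY + _PART + "../../../../../../..\r\n" + BOUNDARY + "--\r\n"

if __name__ == "__main__":
    for label, body in (("legitimate", LEGIT_BODY), ("traversal", TRAVERSAL_BODY)):
        print(label, classify_upload(body, BOUNDARY, BASE_DIR))
```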
2. Cross-Site Scripting (XSS) Vulnerabilities.
A user is allowed to configure an email auto-reply message using the Webmail interface. This auto-reply message
consists of a message subject and a message header. It is possible to inject JavaScript in both of these fields,
as shown below. If the Webmail administrator views this user's auto-reply message settings, the injected
JavaScript will execute in his browser. This may be exploited by a malicious user to steal the Webmail
administrator's cookies or to redirect the administrator's browser to malicious websites.
Another XSS vulnerability occurs when webmail.exe displays an error message in response to an invalid value of the
page parameter. The error message also reveals the installation path. This may be tested using the following examples.
http://[hostname]/scripts/webmail.exe?page=..<script>alert('XSS')</script>
http://[hostname]/scripts/webmail.exe?page=..<script>document.location.href="http://www.security.org.sg"</script>
http://[hostname]/scripts/webmail.exe?page=garbage
- Upgrade to the latest version of SurgeMail (Version 3.0c2 or later).
18 Mar 05 - Vulnerability Discovered.
19 Mar 05 - Vulnerability Verification.
19 Mar 05 - Initial Vendor Notification.
22 Mar 05 - Vendor replied with fixed version.
23 Mar 05 - Public Release.
For further questions and enquiries, email the following.
Overall-in-charge: Tan Chew Keong
webmaster@security.org.sg