Title: Vulnerability Report On IPSWITCH's IMail
Released by:
Date: 30th August 2000
Vulnerability Report On IPSWITCH's IMail





Date Published: August 30 2000
Advisory ID: TS003
Bugtraq ID: http://www.securityfocus.com/bid/1617
CVE CAN: None at this time
Title: IPSWITCH IMail File Attachment Vulnerability
Class: Access Validation Error
Remotely Exploitable: Yes
Locally Exploitable: Yes



Vulnerability Description:

IPSWITCH ships a product titled IMail, an email server for use on NT servers that serves clients their mail via a web interface. To this end the IMail server provides a web server, typically running on port 8383, for its end users to access. Via this interface users may read and send mail, including mail with file attachments. Certain versions of IMail do not perform proper access validation, however, resulting in users being able to attach files resident on the server. The net result is that users may attach files on the server to which they should have no access. This access is limited to the privileges of the user the server is running as, typically SYSTEM.

It should be noted that once a user attaches the files in question, the server deletes them.

A more technical description of this problem follows towards the end of this advisory.



Vulnerable Packages/Systems:

 - IMail 5.0
 - IMail 6.0
 - IMail 6.1
 - IMail 6.2
 - IMail 6.3
 - IMail 6.4

Suspected Vulnerable:

 - IMail 5.0.5
 - IMail 5.0.6
 - IMail 5.0.7
 - IMail 5.0.8



Solution/Vendor Information/Workaround:



Download fix for IMail 6.0 and up:

http://ftp.ipswitch.com/Ipswitch/Product_Support/Imail/imailwebpatch604c.exe



Vendor notified on:

The vendor was notified on July 17, 2000. At the time of this notification the vendor assigned the following tracking number to this vulnerability - T20000717001J.



Credits:

This vulnerability was discovered and reported by Timescape.

This advisory was drafted with the help of the SecurityFocus.com Vulnerability Help Team. For more information or assistance drafting advisories please mail vulnhelp@securityfocus.com.





Reference:

Further advisories on IPSWITCH Products:

http://www.securityfocus.com/bid/1094
http://www.securityfocus.com/bid/914
http://www.securityfocus.com/bid/880
http://www.securityfocus.com/bid/789
http://www.securityfocus.com/bid/547
http://www.securityfocus.com/bid/503
http://www.securityfocus.com/bid/506
http://www.securityfocus.com/bid/504
http://www.securityfocus.com/bid/502
http://www.securityfocus.com/bid/505
http://www.securityfocus.com/bid/218
http://www.securityfocus.com/bid/217





Technical Description - Exploit/Concept Code:

Here is a sample mail header sent by IMAIL web services which has an attachment. Please note that this is line wrapped for readability.



Date: Tue, 11 Jul 2000 13:10:28 +0200
Message-ID: <200007111310.AA2374238664@bar.com>
MIME-Version: 1.0
Content-Type: multipart/mixed;
        boundary="==IMail_v5.0=="
From: "Timescape"
Reply-To:
To:
Subject: test
X-Mailer:
X-Attachments: D:\IMAIL\spool\gonzo2.jpg ;
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700
Return-Path:
X-OriginalArrivalTime: 11 Jul 2000 11:20:48.0256 (UTC) FILETIME=[10327800:01BFEB2A]

This is a multi-part message in MIME format.

--==IMail_v5.0==
Content-Type: text/plain;
        charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

--==IMail_v5.0==
Content-Type: application/octet-stream;
        name="gonzo2.jpg "
Content-Transfer-Encoding: base64

--==IMail_v5.0==--



The thing which we will be exploiting is the header line:

X-Attachments: D:\IMAIL\spool\gonzo2.jpg ;



I made it work by modifying the compose message HTML file and saving it locally. Then I can just arrange the path to the attachment so that it can read



X-Attachments: D:\IMAIL\spool\..\bar\users\admin\main.mbx ;
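
A server-side check for the missing access validation described above, as an added example that is not part of the original advisory and is not Ipswitch's patch. It assumes the spool directory shown in the sample header; the function names are hypothetical.

```python
import ntpath  # Windows path rules on any OS, so this runs off the mail server too

# Assumption: the spool directory seen in the advisory's sample header.
SPOOL_ROOT = r"D:\IMAIL\spool"

def split_attachments(header_value):
    """Split an X-Attachments value into paths; each entry ends with ' ;'."""
    return [p.strip() for p in header_value.split(";") if p.strip()]

def is_inside_spool(path, spool_root=SPOOL_ROOT):
    """True only if the normalized path names something below spool_root."""
    # normpath collapses '..' and '.' and turns '/' into '\'; normcase
    # lower-cases, because Windows path lookups are case-insensitive.
    root = ntpath.normcase(ntpath.normpath(spool_root))
    candidate = ntpath.normcase(ntpath.normpath(path))
    # Match on a whole component so D:\IMAIL\spool2\x is not accepted.
    # This is a lexical check only: junctions and 8.3 short names need a
    # real-path lookup on the server itself.
    return candidate.startswith(root + "\\")

def rejected_attachments(header_value, spool_root=SPOOL_ROOT):
    """Return the listed paths the server should refuse to attach."""
    return [p for p in split_attachments(header_value)
            if not is_inside_spool(p, spool_root)]

# Constructed sample values; the first two appear in the advisory.
SAMPLES = [
    r"D:\IMAIL\spool\gonzo2.jpg ;",
    r"D:\IMAIL\spool\..\bar\users\admin\main.mbx ;",
    r"d:/imail/SPOOL/../spool2/x.jpg ; D:\IMAIL\spool\ok.txt ;",
]

if __name__ == "__main__":
    for value in SAMPLES:
        print(value, "->", rejected_attachments(value) or "accepted")
```

Because the server deletes the file after attaching it, the check has to run before any file operation on the listed path.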





DISCLAIMER:



No responsibility whatsoever is taken for any correct/incorrect use of this

information.  This is for informational purposes only.







