[ SOURCE: http://www.secureroot.com/security/advisories/9678229418.html ] Vulnerability Report On IPSWITCH's IMail Date Published: August 30 2000 Advisory ID: TS003 Bugtraq ID: http://www.securityfocus.com/bid/1617 CVE CAN: None at this time Title: IPSWITCH IMail File Attachment Vulnerability Class: Access Validation Error Remotely Exploitable: Yes Locally Exploitable: Yes Vulnerability Description: IPSWITCH ships a product titled IMail, an email server for usage on NT servers serving clients their mail via a web interface. To this end the IMail server provides a web server typically running on port 8383 for it's end users to access. Via this interface users may read and send mail, as well as mail with file attachments. Certain versions of IMail do not perform proper access validation however resulting in users being able to attach files resident on the server. The net result of this is users may attach files on the server to which they should have no access. This access is limited to the user privileges which the server is being run as, typically SYSTEM. It should be noted that once a user attachs the files in question the server deletes them. A more technical description of this problem follows towards the end of this advisory. Vulnerable Packages/Systems: - IMail 5.0 - IMail 6.0 - IMail 6.1 - IMail 6.2 - IMail 6.3 - IMail 6.4 Suspected Vulnerable: - IMail 5.0.5 - IMail 5.0.6 - IMail 5.0.7 - IMail 5.0.8 Solution/Vendor Information/Workaround: Dowload fix for IMail 6.0 and up: ftp://ftp.ipswitch.com/Ipswitch/Product_Support/Imail/imailwebpatch604c.exe Vendor notified on: The vendor was notified on July 17, 2000. At the time of this notification the vendor asigned the following tracking number to this vulnerability - T20000717001J. Credits: This vulnerability was discovered and reported by Timescape . This advisory was drafted with the help of the SecurityFocus.com Vulnerability Help Team. For more information or assistance drafting advisories please mail vulnhelp@securityfocus.com. Referance: Further advisories on IPSWITCH Products: http://www.securityfocus.com/bid/1094 http://www.securityfocus.com/bid/914 http://www.securityfocus.com/bid/880 http://www.securityfocus.com/bid/789 http://www.securityfocus.com/bid/547 http://www.securityfocus.com/bid/503 http://www.securityfocus.com/bid/506 http://www.securityfocus.com/bid/504 http://www.securityfocus.com/bid/502 http://www.securityfocus.com/bid/505 http://www.securityfocus.com/bid/218 http://www.securityfocus.com/bid/217 Technical Description - Exploit/Concept Code: Here is a sample mail header sent by IMAIL web services which has an attachment. Please note that this is line wrapped for readability. Date: Tue, 11 Jul 2000 13:10:28 +0200 Message-ID: <200007111310.AA2374238664@bar.com> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="==IMail_v5.0==" From: "Timescape" Reply-To: To: Subject: test X-Mailer: X-Attachments: D:\IMAIL\spool\gonzo2.jpg ; X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700 Return-Path: X-OriginalArrivalTime: 11 Jul 2000 11:20:48.0256 (UTC) FILETIME= [10327800:01BFEB2A] This is a multi-part message in MIME format. --==IMail_v5.0== Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit --==IMail_v5.0== Content-Type: application/octet-stream; name="gonzo2.jpg " Content-Transfer-Encoding: base64 --==IMail_v5.0==-- The thing which we will be exploiting is the X-Attachments: D:\IMAIL\spool\gonzo2.jpg ; I made it work by modifing the compose message HTML file and saved it locally. Then i can just arrange the path to the attachment so that it can read X-Attachments: D:\IMAIL\spool\..\bar\users\admin\main.mbx ; DISCLAIMER: No responsibility whatsoever is taken for any correct/incorrect use of this information. This is for informational purposes only.