Register | Forget Password | Login
Search :
SecurityReason

News

Search

SecurityAlert

About SecurityAlert

ExploitAlert

SecurityReason Research

WLB

WLB Database

Send to WLB

About WLB

RSS

News

SecurityAlert

World Laboratory of Bugtraq

ExploitAlert

Apache

PHP

Corporate

Contact

About us

Services

SecurePHP

Note

If you have found a vulnerability, please send to our SecurityAlert Database :
secalert()securityreason()com

Also if you have new ( 0-day ) exploit, please send to our ExploitAlert Archive :
exploit()securityreason()com

Details : SecurityAlert

  Topic : MicroWorld MailScan - Multiple Vulnerabilities within Admin-Webinterface
  SecurityAlert : 4172
  CVE : CVE-2008-3726
  CVE : CVE-2008-3727
  CVE : CVE-2008-3728
  CVE : CVE-2008-3729
  CWE : CWE-79
  CWE : CWE-22
  CWE : CWE-264
  CWE : CWE-287
  SecurityRisk : High  alert  (About)
  Remote Exploit : Yes
  Local Exploit : No
  Victim interaction required : Yes
  Exploit Given : No
  Credit : Oliver
  Published : 22.08.2008

  Affected Software : MicroWorld Technologies, Mailscan, 5.6.a



  Advisory Text :  

Please find attached the advisory regarding MicroWorld's MailScan for
Mailservers.

Cheers,

Oliver



MicroWorld MailScan - Multiple Vulnerabilities within Admin-Webinterface
========================================================================


>> Affected Products <<


- MailScan for Mail Servers

* Version: 5.6.a with espatch1
* Win32 Platform

Other Mailscan Products, Versions, also, if available
for other platforms, were not tested.


>> Product/Company Information <<


From MicroWorld's website: "MailScan 5.6 is the world's most
advanced Real-Time AntiVirus and AntiSpam solution for Mail Servers.
The software safeguards organizations against Virus, Worm, Trojan and
many other malware breeds with futuristic and proactive technologies.
Employing an array of intelligent filters, MailScan offers powerful
protection against Spam and Phishing mails along with comprehensive
Content Security."

http://www.microworld.de
http://www.mwti.net

>> Vulnerabilities <<


MailScan offers "Web Based Administration". The administration console
(Server.exe) is running as an http service on tcp port 10443 with
LocalSystem privileges. The communication is plain http without
SSL/TLS.

The interface is vulnerable to the attacks described below. All attacks

do *not* require authentication.


-- >> Directory Traversal <<

It is possible to access files on the system outside of the webroot
directory with privileges of the LocalSystem account:

echo -e "GET /../../../../boot.ini HTTP/1.0\r\n\r\n" | nc <server>
<port>


-- >> Authentication bypass <<

After a login attempt with an invalid username and password, the
application
is setting a cookie at the webclient with the following content:

Set-Cookie: User=admin; path=/
Set-Cookie: login=true; path=/
Set-Cookie: IsAdmin=false; path=/
Set-Cookie: IP=; path=/


Providing valid username and password will give a cookie with the
following content:

Set-Cookie: User=admin; path=/
Set-Cookie: login=true; path=/
Set-Cookie: IsAdmin=true; path=/
Set-Cookie: IP=; path=/

It is sufficient to set the cookie as shown above to get authenticated
on the
admin interface. The user "admin" is a default account, with a password
set during
installation.

*BUT* requesting a resource on the webserver *without* supplying a
cookie will
also grant access to the requested resource. The attacker just needs to
know
the path to the resource.



-- >> Cross-Site-Scripting (XSS) <<


http://ip:10443/<script>alert("No_Problem_its_just_an_admin_interface")</sc
ript>



-- >> Access to Logfile <<


It is possible to access the logfiles of the application because the
folder
"/LOG" inside the webroot ("C:\Program Files\Common
Files\MicroWorld\WebServer")
is not protected.... note that this does not require the directory
traversal,
mentioned before and thus is imho a separate vuln.
The logfiles contain different information, like installation path, ip
adresses,
and error messages.

http://ip:10443/LOG/W072808.LOG (Format seems to be
W:Month:Date:year)

and

http://ip:10443/LOG/Weblog.LOG

>> History <<

28. July 2008 - Touching base with MicroWorld's Support via Messenger
28. July 2008 - Sending High-Level description of vulns and RFP-Policy to
agree
30. July 2008 - MicroWorld agreed to the policy
30. July 2008 - Detailed description and PoC-Script creating an admin user
without
authenticatin send to Microworld
01. Aug. 2008 - Asking Microworld if they were able to reproduce
02. Aug. 2008 - MicroWorld answered: "Not Yet"
05. Aug. 2008 - Asking Microworld if they were able to reproduce, and if
yes, when
a patch will be available
13. Aug. 2008 - No response from Microworld; I informed them that i will
publish
an advisory within the next days
15. Aug. 2008 - Advisory release


>> Credits <<

mail: Oliver-dot-karow-at-gmx-dot-de
advisory: http://www.oliverkarow.de/research/mailscan.txt
blog:
http://oliver.greyhat.de/2008/08/15/multiple-vulnerabilities-within-mailsca
n-admin-interface/






  References :

http://xforce.iss.net/xforce/xfdb/44517
http://www.securityfocus.com/bid/30700
http://www.oliverkarow.de/research/mailscan.txt
http://secunia.com/advisories/31534
http://marc.info/?l=bugtraq&m=121881329424635&w=2



  Feedback :

If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com.
Alert

Microsoft VISTA TCP/IP stack buffer overflow

high- 2008-11-27

Microsoft Device IO Control wrapped by the iphlpapi.dll API shipping with Windows Vista 32 bit and 64 bit contains a possibly exploitable, buffer overflow corrupting kernel memory.

Apache rss

» Apache Tomcat information
   disclosure

» Apache Tomcat <=
   6.0.18 UTF8 Directory
   Traversal Vulnerability

» Apache Tomcat information
   disclosure vulnerability

» Apache Tomcat XSS
   vulnerability

PHP rss

» PHP 5.2.6 SAPI
   php_getuid() overload

» PHP
   ZipArchive::extractTo()
   Directory Traversal
   Vulnerability

» PHP 5.2.6 dba_replace()
   destroying file

» PHP 5.2.6 (error_log)
   safe_mode bypass

Copyright © SecurityReason. All Rights Reserved.