Hi all,

Below are vulnerabilities I have found in IMail (Ipswitch.com). Some of them can be very dangerous and it is therefore recommended that IMail users upgrade their software asap. After reporting these vulnerabilities to Ipswitch on the 4th of this month it only took 7 days before Ipswitch identified and reacted to these issues. Fix information can be found at the end of this email.

Cheers,
Niels Heinen

Greets to all @ safemode.org, @ alldas.de and @ #hacker_help (!shit ;)

[ ** Vulnerability 1 -> Email session hijacking ** ]

Mail sessions can be hijacked by using the session ID given to a user after authentication. This key can be obtained in several ways:

- By sending HTML mail with embedded JavaScript
- By sending HTML mail with an embedded picture (referrer field)
- By editing the web interface log file

As long as the user is still logged in and the session has not expired it is possible for attackers to take over his account. Exploitation of this vulnerability allows attackers to perform all tasks the owner of the hijacked account could perform, such as deleting, sending and modifying emails. If the account has (IMail) admin privileges the possibility exists that the attacker can add and remove email addresses and domains. This could lead to terrible data loss or abuse of the mail server in question.

[ ** Vulnerability 2 -> Mailbox disclosure ** ]

It is possible for normal users to gain access to the mailboxes of other users. They can do this by abusing a directory traversal vulnerability in the mailbox variable sent to the server:

  http://xx.xx.xx.xx:8383/<user1 session id>/readmail.cgi?uid=user1&mbx=../user2/Main

In the above example 'user1' is viewing the content of the 'Main' mailbox of user2. It is also possible to read the mails which are stored in this mailbox simply by clicking on them.

[ ** Vulnerability 3 -> Attachment information leak ** ]

Email attachments expose the entire directory structure of where IMail and the spool directory are located.
This information leak can be very useful for attackers who are footprinting the server in question. Example email header:

  From: "XXXXXXXXXXXXXXXX" <XXXXXXXX@XXXXXXXXX>
  Reply-To: <XXXXXXXX@XXXXXXXX>
  X-Sender: <XXXXXX@XXXXXXXXX>
  To: <XXXXXX@XXXXXXXXX>
  Subject: Slides
  X-Mailer: <IMail v7.04>
  X-Attachments: f:\Imail\spool\web\file.zip;
  X-Sanitizer: In
  MIME-Version: 1.0
  Content-Type: multipart/mixed; charset="iso-8859-1"
  Content-Transfer-Encoding: 8bit

[ ** Vulnerability 4 -> Denial of service attack ** ]

When trying to open a mailbox whose name consists of 248 dots (other characters might work as well) the web interface crashes without any error message, CPU hogging or any visual alert. Even in the administrator application the server will still be marked as running. The process keeps running but it will no longer listen on the predefined port (8383). This vulnerability can be exploited through any CGI script used by the web interface that invokes a user mailbox (readmail.cgi, printmail.cgi etc).

[ ** Vulnerability 5 -> Weak session IDs ** ]

Session IDs generated for authentication can be predicted by analyzing them:

  45: Sesion ID: /Xa20acc929dcecfce93a0afa688
  46: Sesion ID: /Xa20bcc929dcecccb9ba0afa688
  47: Sesion ID: /Xa208cc929dcf9a9c93a0afa688
  48: Sesion ID: /Xa209cc929dcf9b9998a0afa688
  49: Sesion ID: /Xa20ecc929dcf9bcccba0afa688
  50: Sesion ID: /Xa20fcc929dcf98c998a0afa688
  51: Sesion ID: /Xa20ccc929dcf9992c8a0afa688
  52: Sesion ID: /Xa20dcc929dcf9ecbcea0afa688
  53: Sesion ID: /Xa202cc929dcf9f9dcca0afa688
  54: Sesion ID: /Xa203cc929dcf9c9e92a0afa688
  55: Sesion ID: /Xa200cc929dcf9d9b9aa0afa688
  56: Sesion ID: /Xa201cc929dcf9dce92a0afa688
  57: Sesion ID: /Xa206cc929dcf92cb9aa0afa688
  58: Sesion ID: /Xa207cc929dcf939c93a0afa688
  59: Sesion ID: /Xa204cc929dcfcb999ba0afa688
  60: Sesion ID: /Xa205cc929dcfcbcc93a0afa688

By using calculated session keys for authentication it is possible for attackers to gain access to accounts without knowing usernames or passwords.
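To show how the weakness claimed above can be measured rather than eyeballed, here is an added Python example (not part of the advisory) that profiles the sixteen session IDs quoted above position by position and compares the result with IDs of the same length drawn from the OS CSPRNG. The function names are my own; the only data is the advisory's own log excerpt with the "/X" prefix stripped.

```python
import math
import secrets

# The sixteen session IDs quoted in the advisory above (log excerpt,
# "/X" prefix removed so only the 26 hex characters are profiled).
ADVISORY_IDS = [
    "a20acc929dcecfce93a0afa688", "a20bcc929dcecccb9ba0afa688",
    "a208cc929dcf9a9c93a0afa688", "a209cc929dcf9b9998a0afa688",
    "a20ecc929dcf9bcccba0afa688", "a20fcc929dcf98c998a0afa688",
    "a20ccc929dcf9992c8a0afa688", "a20dcc929dcf9ecbcea0afa688",
    "a202cc929dcf9f9dcca0afa688", "a203cc929dcf9c9e92a0afa688",
    "a200cc929dcf9d9b9aa0afa688", "a201cc929dcf9dce92a0afa688",
    "a206cc929dcf92cb9aa0afa688", "a207cc929dcf939c93a0afa688",
    "a204cc929dcfcb999ba0afa688", "a205cc929dcfcbcc93a0afa688",
]

def position_profile(ids):
    """Number of distinct characters seen at each position across the sample."""
    length = len(ids[0])
    if any(len(i) != length for i in ids):
        raise ValueError("session IDs in the sample have differing lengths")
    return [len({i[pos] for i in ids}) for pos in range(length)]

def constant_positions(ids):
    """Positions that never change: fixed padding, not secret material."""
    return [pos for pos, n in enumerate(position_profile(ids)) if n == 1]

def observed_entropy_bits(ids):
    """Crude upper bound on the entropy the sample actually exercises:
    sum of log2(distinct values) per position, positions treated as
    independent. With n samples a position can show at most n values, so
    compare against a CSPRNG sample of the same size, not only nominal bits."""
    return sum(math.log2(n) for n in position_profile(ids))

def nominal_entropy_bits(ids):
    """What a hex token of this length would carry if fully random (4 bits/char)."""
    return 4 * len(ids[0])

def assess(ids):
    """Summarise the sample the way a reviewer would report it."""
    const = constant_positions(ids)
    return {
        "length": len(ids[0]),
        "constant_positions": len(const),
        "varying_positions": len(ids[0]) - len(const),
        "nominal_bits": nominal_entropy_bits(ids),
        "observed_bits_upper_bound": round(observed_entropy_bits(ids), 1),
    }

if __name__ == "__main__":
    print("IMail 7.04 sample:", assess(ADVISORY_IDS))
    # Same length (13 bytes -> 26 hex chars) from the OS CSPRNG for comparison.
    fresh = [secrets.token_hex(13) for _ in range(len(ADVISORY_IDS))]
    print("secrets.token_hex:", assess(fresh))
```

On the advisory's sample 18 of the 26 positions never change and the varying ones together exercise under 17 bits against a nominal 104, which is the kind of finding that should send a session-ID generator back to a CSPRNG.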
[ ** Counter these vulnerabilities ** ]

Vulnerabilities 2 and 4 can be countered by using the hotfix released by Ipswitch:

  ftp://ftp.ipswitch.com/Ipswitch/Product_Support/IMail/IM704HF1.exe

More information about this update can be found on the Ipswitch web site:

  http://www.ipswitch.com/support/imail/news.html

Vulnerabilities 5 and 1 can be countered by not selecting "ignore source address in security check". This way those vulnerabilities cannot be exploited as long as the IP address of the attacker does not match the IP address of the user (watch out with gateways, proxies etc).