Ipswitch sent out a message weeks ago strongly recommending people to
download the patch stated in the below report. I was not able to personally
duplicate the vulnerability on our system after the patch was applied (I did
not try before...).
Sheldon
----- Original Message -----
From: "Scott Phelps" <[EMAIL PROTECTED]>
To: "I mail Forum" <[EMAIL PROTECTED]>
Sent: Wednesday, August 30, 2000 8:29 PM
Subject: [IMail Forum] FW: Vulnerability Report On IPSWITCH's IMail
> If I read this correctly you have to be able to change the templates ????
>
> Does this make any sense?
>
> Scott Phelps
> NT Administrator
> WebKorner Internet Services
> [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
> www.webkorner.com <http://www.webkorner.com>
> Charlotte: 370-0333
> Salisbury: 637-7435
>
>
> -----Original Message-----
> From: Bugtraq List [mailto:[EMAIL PROTECTED]]On Behalf Of * *
> Sent: Wednesday, August 30, 2000 3:50 AM
> To: [EMAIL PROTECTED]
> Subject: Vulnerability Report On IPSWITCH's IMail
>
>
> Vulnerability Report On IPSWITCH's IMail
>
>
> Date Published: August 30 2000
>
> Advisory ID: TS003
>
> Bugtraq ID: http://www.securityfocus.com/bid/1617
>
> CVE CAN: None at this time
>
> Title: IPSWITCH IMail File Attachment Vulnerability
>
> Class: Access Validation Error
>
> Remotely Exploitable: Yes
>
> Locally Exploitable: Yes
>
> Vulnerability Description:
>
> IPSWITCH ships a product titled IMail, an email server for usage on NT servers serving
> clients their mail via a web interface. To this end the IMail server provides a web server
> typically running on port 8383 for its end users to access. Via this interface users may
> read and send mail, as well as mail with file attachments. Certain versions of IMail do not
> perform proper access validation however resulting in users being able to attach files resident
> on the server. The net result of this is users may attach files on the server to which they should
> have no access. This access is limited to the user privileges which the server is being run as, typically
> SYSTEM.
>
> It should be noted that once a user attaches the files in question the
> server deletes them.
>
> A more technical description of this problem follows towards the end of
> this advisory.
>
> Vulnerable Packages/Systems:
>
> - IMail 5.0
> - IMail 6.0
> - IMail 6.1
> - IMail 6.2
> - IMail 6.3
> - IMail 6.4
>
> Suspected Vulnerable:
>
> - IMail 5.0.5
> - IMail 5.0.6
> - IMail 5.0.7
> - IMail 5.0.8
>
> Solution/Vendor Information/Workaround:
>
> Download fix for IMail 6.0 and up:
>
> ftp://ftp.ipswitch.com/Ipswitch/Product_Support/Imail/imailwebpatch604c.exe
>
> Vendor notified on:
>
> The vendor was notified on July 17, 2000. At the time of this notification
> the vendor assigned the following tracking number to this vulnerability -
> T20000717001J.
>
> Credits:
>
> This vulnerability was discovered and reported by Timescape
> <[EMAIL PROTECTED]>.
>
> This advisory was drafted with the help of the SecurityFocus.com
> Vulnerability Help Team. For more information or assistance drafting
> advisories please mail [EMAIL PROTECTED]
>
>
> Reference:
>
> Further advisories on IPSWITCH Products:
>
> http://www.securityfocus.com/bid/1094
> http://www.securityfocus.com/bid/914
> http://www.securityfocus.com/bid/880
> http://www.securityfocus.com/bid/789
> http://www.securityfocus.com/bid/547
> http://www.securityfocus.com/bid/503
> http://www.securityfocus.com/bid/506
> http://www.securityfocus.com/bid/504
> http://www.securityfocus.com/bid/502
> http://www.securityfocus.com/bid/505
> http://www.securityfocus.com/bid/218
> http://www.securityfocus.com/bid/217
>
>
> Technical Description - Exploit/Concept Code:
>
>
> Here is a sample mail header sent by IMAIL web services which
> has an attachment. Please note that this is line wrapped for readability.
>
> Date: Tue, 11 Jul 2000 13:10:28 +0200
> Message-ID: <[EMAIL PROTECTED]>
> MIME-Version: 1.0
> Content-Type: multipart/mixed;
>  boundary="==IMail_v5.0=="
> From: "Timescape" <[EMAIL PROTECTED]>
> Reply-To: <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Subject: test
> X-Mailer: <IMail v5.01>
> X-Attachments: D:\IMAIL\spool\gonzo2.jpg ;
> X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700
> Return-Path: <[EMAIL PROTECTED]>
> X-OriginalArrivalTime: 11 Jul 2000 11:20:48.0256 (UTC) FILETIME=
> [10327800:01BFEB2A]
>
> This is a multi-part message in MIME format.
>
> --==IMail_v5.0==
> Content-Type: text/plain;
> charset="iso-8859-1"
> Content-Transfer-Encoding: 7bit
>
> --==IMail_v5.0==
> Content-Type: application/octet-stream;
> name="gonzo2.jpg "
> Content-Transfer-Encoding: base64
>
> --==IMail_v5.0==--
>
> The thing which we will be exploiting is the
> X-Attachments: D:\IMAIL\spool\gonzo2.jpg ;
>
> I made it work by modifying the compose message HTML file and
> saving it locally. Then I can just arrange the path to the
> attachment so that it can read
>
> X-Attachments: D:\IMAIL\spool\..\bar\users\admin\main.mbx ;
>
>
> DISCLAIMER:
>
> No responsibility whatsoever is taken for any correct/incorrect use of this
> information. This is for informational purposes only.
>
> Please visit http://www.ipswitch.com/support/mailing-lists.html
> to be removed from this list.
>
> An Archive of this list is available at:
> http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
>
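Added example (not part of the original thread or of Ipswitch's patch): the server-side access validation the advisory says is missing, as a check that every X-Attachments path still resolves below the spool directory once ".." is collapsed. The function names and the two sample messages are constructed for illustration; the spool path and the traversal path are the ones quoted in the advisory.

```python
import ntpath  # Windows path rules, usable on any host OS
from email import message_from_string

SPOOL_DIR = r"D:\IMAIL\spool"  # spool directory from the advisory's sample header

def is_inside_spool(path, spool=SPOOL_DIR):
    """Lexical check: does `path` resolve to a file strictly below `spool`?"""
    # normpath collapses "..", "." and mixed slashes; normcase folds case.
    resolved = ntpath.normcase(ntpath.normpath(path.strip()))
    root = ntpath.normcase(ntpath.normpath(spool))
    if not ntpath.isabs(resolved) or resolved == root:
        return False
    try:
        # Component-wise comparison, so "spoolx" does not match "spool".
        return ntpath.commonpath([resolved, root]) == root
    except ValueError:  # different drive or UNC share
        return False

def escaping_attachments(raw_message, spool=SPOOL_DIR):
    """Return the X-Attachments entries that point outside the spool."""
    msg = message_from_string(raw_message)
    bad = []
    for value in msg.get_all("X-Attachments", []):
        for entry in value.split(";"):  # entries are ';'-terminated
            entry = entry.strip()
            if entry and not is_inside_spool(entry, spool):
                bad.append(entry)
    return bad

# Constructed sample messages, modelled on the header shown in the advisory.
SAMPLE_OK = r"""Subject: test
X-Mailer: <IMail v5.01>
X-Attachments: D:\IMAIL\spool\gonzo2.jpg ;

body
"""
SAMPLE_TRAVERSAL = r"""Subject: test
X-Mailer: <IMail v5.01>
X-Attachments: D:\IMAIL\spool\..\bar\users\admin\main.mbx ;

body
"""

if __name__ == "__main__":
    for name, raw in (("ok", SAMPLE_OK), ("traversal", SAMPLE_TRAVERSAL)):
        print(name, escaping_attachments(raw))
```

The check is purely lexical; it does not follow links or short (8.3) names, and a server is better off never accepting the full attachment path from the client in the first place.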