Strumpf Noir Society Advisories
! Public release !
<--#


-= Multiple Vulnerabilities In AMLServer =-

Release date: Monday, June 18, 2001


Introduction:

Air Messenger LAN Server is a paging gateway server for MS Windows
that allows you to send and recieve messages to a paging network 
over a TCP/IP LAN to phones, pagers and e-mail.

AMLServer is available from vendor Internet Software Solutions's 
website: http://www.internetsoftwaresolutions.org


Problem(s):

AMLServer Directory Traversal Problem

AMLServer's "Webpaging" http interface is susceptible to a directory
traversal attack. Adding the string "../" to a URL allows an 
attacker access to files outside of the webserver's publishing 
directory. This allows read access to any file on the server.


AMLServer Plaintext Password Storage

A second problem is found in the file pUser.Dat. All 
username/password combinations applicable to the various services 
provided by AMLServer are stored in this file in plaintext.


AMLServer Path Disclosure

The mentioned userfile is stored in the server's main directory.
The exact location can be obtained exploiting another problem in 
the web interface, a path disclosure bug. The http-header field 
'Location' contains the full path to servermaindir/Messages. 

For example:

$ telnet target 80|grep Location

Location: http://C:\PROGRA~1\ISS\AIRMES~1\Messages
Connection closed by foreign host.


(..)


Solution:

Vendor has been notified and has expressed the intention to fix 
these problems in version 4. Unfortunately, at the time of this 
advisory the vendor wasn't able to supply us with an approximate
date for this "fixed" release so we have not been able to verify 
this.

This was tested against AMLServer 3.4.2 on Win2k.


yadayadayada

Free sk8! (http://www.freesk8.org)

SNS Research is rfpolicy (http://www.wiretrip.net/rfp/policy.html) 
compliant, all information is provided on AS IS basis.

EOF, but Strumpf Noir Society will return!