SecurityTracker.com
Category: Application (E-mail Server) > IMail Server
Vendors: Ipswitch
Ipswitch's IMail Server Contains Multiple Flaws that Allow Remote Users to Access E-mail Accounts and Cause Denial of Service Conditions
SecurityTracker Alert ID: 1002535
SecurityTracker URL: http://securitytracker.com/id/1002535
CVE Reference: GENERIC-MAP-NOMATCH
Date: Oct 12 2001
Impact: Denial of service via network, Disclosure of authentication information, Disclosure of system information, Disclosure of user information, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Exploit Included: Yes
Version(s): 7.04
Description: Several vulnerabilities have been reported in Ipswitch's IMail Server. Remote users can guess session IDs or hijack e-mail sessions to access user accounts. Validated and authenticated remote users can access other users' e-mail accounts and can cause denial of service conditions.

It is reported that IMail uses predictable session IDs that can be feasibly guessed through analysis. Some example session IDs are provided in the Source Message.

A remote user can hijack an e-mail session if the remote user is able to guess a valid session ID. The remote user does not need to know any user names or passwords to achieve this.

In addition, a remote user can attempt to obtain a session ID by other means. Because the session ID is carried in the URL, it can be leaked (for example) by sending the target user an HTML-based e-mail containing an embedded image link. When the user views the message, the browser fetches the image and discloses the session ID to the image's host in the HTTP Referer header. Other methods described in the Source Message are reportedly possible.

A remote but valid and authenticated mail user can gain access to other users' mailboxes by exploiting an input validation flaw and traversing the mailbox directory. The following type of URL can be used by a valid and authenticated 'user1' to access the main inbox of 'user2':

http://xx.xx.xx.xx:8383/<user1 sessionid>/readmail.cgi?uid=user1&mbx=../user2/Main

Information about the IMail directory structure is reportedly disclosed when a user sends an e-mail with an attachment: the X-Attachments header carries the local spool path of the attached file. An example e-mail header is provided:

From: "XXXXXXXXXXXXXXXX" <XXXXXXXX@XXXXXXXXX>
Reply-To: <XXXXXXXX@XXXXXXXX>
X-Sender: <XXXXXX@XXXXXXXXX>
To: <XXXXXX@XXXXXXXXX>
Subject: Slides
X-Mailer: <IMail v7.04>
X-Attachments: f:\Imail\spool\web\file.zip;
X-Sanitizer: In
MIME-Version: 1.0
Content-Type: multipart/mixed; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit

Finally, a valid and authenticated remote user who attempts to open a mailbox whose name consists of 248 dot characters will crash the server's web interface. The process reportedly remains running but no longer responds on its configured port.
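The mailbox traversal and the 248-dot crash are both failures to validate the mbx parameter before it reaches the filesystem. The following Python is an added example, not IMail code: it shows the input check a web mail front end would apply to a readmail.cgi-style query, with the spool root, the mailbox-name grammar and the binding of uid to the authenticated session as assumptions of the example.

```python
import os
import re
from urllib.parse import parse_qs

# Assumed spool layout: one directory per user under the spool root, with
# mailboxes inside it (mirrors the f:\Imail\spool\... path that the
# X-Attachments header leaks, but the root and names here are constructed).
SPOOL_ROOT = "/var/spool/imail"

# Mailbox name grammar: starts alphanumeric, then letters, digits, '.', '_', '-';
# no '..' anywhere, no path separators, at most 64 characters. This alone
# rejects both "../user2/Main" and a 248-dot name.
MAILBOX_NAME = re.compile(r"^(?!.*\.\.)[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")

class InvalidMailbox(ValueError):
    """Raised for any uid/mbx value that must not reach the filesystem."""

def resolve_mailbox(uid, mbx, spool_root=SPOOL_ROOT):
    """Map (uid, mbx) to a path, refusing anything outside uid's own tree."""
    if not MAILBOX_NAME.match(uid) or not MAILBOX_NAME.match(mbx):
        raise InvalidMailbox(f"rejected name uid={uid!r} mbx={mbx!r}")
    user_dir = os.path.realpath(os.path.join(spool_root, uid))
    target = os.path.realpath(os.path.join(user_dir, mbx))
    # Defence in depth: containment holds even if the grammar is loosened later.
    if os.path.commonpath([user_dir, target]) != user_dir:
        raise InvalidMailbox("mailbox path escapes the user's directory")
    return target

def authorize_readmail(session_uid, query):
    """Validate a readmail.cgi-style query such as 'uid=user1&mbx=Main'.

    The uid in the query is accepted only when it equals the user the session
    was authenticated for, so the mailbox opened is always the caller's own."""
    params = parse_qs(query, strict_parsing=True)
    uid = params.get("uid", [""])[0]
    mbx = params.get("mbx", [""])[0]
    if uid != session_uid:
        raise InvalidMailbox("uid does not match the authenticated session")
    return resolve_mailbox(uid, mbx)

if __name__ == "__main__":
    for q in ("uid=user1&mbx=Main",
              "uid=user1&mbx=../user2/Main",   # the traversal URL from the advisory
              "uid=user1&mbx=" + "." * 248):   # the 248-dot mailbox name
        try:
            print("allow", authorize_readmail("user1", q))
        except InvalidMailbox as exc:
            print("deny ", exc)
```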

Impact: A remote user can guess predictable session IDs to access e-mail accounts. A remote user can hijack e-mail sessions to access e-mail accounts. Validated and authenticated remote users can access other users' e-mail accounts. Validated and authenticated remote users can cause denial of service conditions on the server. Remote users can obtain information about the IMail directory structure.
Solution: The user mailbox disclosure vulnerability and the denial of service vulnerability can reportedly be corrected by the Ipswitch hotfix, available at:

ftp://ftp.ipswitch.com/Ipswitch/Product_Support/IMail/IM704HF1.exe

The session ID guessing and session hijacking vulnerabilities can reportedly be eliminated by deselecting the "ignore source address in security check" option. This apparently requires every request in a session to originate from the IP address that was originally authenticated, which may not work in some gateway and proxy situations.

No solution was provided for the e-mail header information disclosure vulnerability.

Vendor URL: www.ipswitch.com/support/IMail/patch-upgrades.html
Cause: Access control error, Authentication error, Exception handling error, Input validation error, Randomization error
Underlying OS: Windows (NT), Windows (2000)

Message History: None.


Source Message Contents

Subject: Ipswitch Imail 7.04 vulnerabilities

Hi all,

Below are vulnerabilities I have found in Imail (Ipswitch.com).
Some of them can be very dangerous and it is therefore recommended
that Imail users upgrade their software asap.

After reporting these vulnerabilities to Ipswitch on the 4th of this
month it only took 7 days before Ipswitch identified and reacted
to these issues. Fix information can be found at the end of this
email.

Cheers,

Niels Heinen

Greets to all @ safemode.org, @ alldas.de and @ #hacker_help (!shit ;) 


[ ** Vulnerability 1 -> Email session hijacking ** ]

Mail sessions can be hijacked by using the session ID given to a
user after authentication. This key can be obtained in several ways:

- By sending HTML mail with embedded JavaScript
- By sending HTML mail with an embedded picture (referrer field)
- By editing the web interface log file

As long as the user is still logged in and the session has not
expired it is possible for attackers to take over his account.
Exploitation of this vulnerability allows attackers to perform all
tasks the owner of the hijacked account could perform, such as
deleting, sending and modifying emails. If the account has (Imail)
admin privileges the possibility exists that the attacker can add
and remove email addresses and domains. This could lead to a terrible
data loss or abuse of the mail server in question.



[ ** Vulnerability 2 -> Mailbox disclosure ** ]

It is possible for normal users to gain access to the mailboxes of other
users. They can do this by abusing a directory traversal vulnerability
in the mailbox variable sent to the server:

http://xx.xx.xx.xx:8383/<user1 sessionid>/readmail.cgi?uid=user1&mbx=../user2/Main

In the above example 'user1' is viewing the content of the 'Main' mailbox
of user2. It is also possible to read the mails which are stored in this
mailbox simply by clicking on them.



[ ** Vulnerability 3 -> Attachment information leak ** ]

Email attachments expose the entire directory structure of where
Imail and the spool directory are located. This information leak can be
very useful for attackers who are footprinting the server in question.

Example email header:

From: "XXXXXXXXXXXXXXXX" <XXXXXXXX@XXXXXXXXX>
Reply-To: <XXXXXXXX@XXXXXXXX>
X-Sender: <XXXXXX@XXXXXXXXX>
To: <XXXXXX@XXXXXXXXX>
Subject: Slides
X-Mailer: <IMail v7.04>
X-Attachments: f:\Imail\spool\web\file.zip;
X-Sanitizer: In
MIME-Version: 1.0
Content-Type: multipart/mixed; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit



[ ** Vulnerability 4 -> Denial of service attack ** ]

When trying to open a mailbox which consists of 248 dots (other
characters might work as well) the web interface crashes without any
error message, CPU hogging or any visual alert. Even in the
administrator application the server will still be marked as running.
The process still keeps running but it will no longer listen on
the predefined port (8383).

This vulnerability can be exploited through any CGI script used by
the web interface that invokes a user mailbox (readmail.cgi,
printmail.cgi etc).



[ ** Vulnerability 5 -> Weak session IDs ** ]

Session IDs generated for authentication can be predicted by
analyzing them:

45: Sesion ID:  /Xa20acc929dcecfce93a0afa688
46: Sesion ID:  /Xa20bcc929dcecccb9ba0afa688
47: Sesion ID:  /Xa208cc929dcf9a9c93a0afa688
48: Sesion ID:  /Xa209cc929dcf9b9998a0afa688
49: Sesion ID:  /Xa20ecc929dcf9bcccba0afa688
50: Sesion ID:  /Xa20fcc929dcf98c998a0afa688
51: Sesion ID:  /Xa20ccc929dcf9992c8a0afa688
52: Sesion ID:  /Xa20dcc929dcf9ecbcea0afa688
53: Sesion ID:  /Xa202cc929dcf9f9dcca0afa688
54: Sesion ID:  /Xa203cc929dcf9c9e92a0afa688
55: Sesion ID:  /Xa200cc929dcf9d9b9aa0afa688
56: Sesion ID:  /Xa201cc929dcf9dce92a0afa688
57: Sesion ID:  /Xa206cc929dcf92cb9aa0afa688
58: Sesion ID:  /Xa207cc929dcf939c93a0afa688
59: Sesion ID:  /Xa204cc929dcfcb999ba0afa688
60: Sesion ID:  /Xa205cc929dcfcbcc93a0afa688

By using calculated session keys for authentication it is possible for
attackers to gain access to accounts without knowing usernames or
passwords.



[ ** Counter these vulnerabilities ** ]

Vulnerabilities 2 and 4 can be countered by using the hotfix released by
Ipswitch:
ftp://ftp.ipswitch.com/Ipswitch/Product_Support/IMail/IM704HF1.exe

More information about this update can be found on the Ipswitch web site:
http://www.ipswitch.com/support/imail/news.html

Vulnerabilities 5 and 1 can be countered by not selecting the "ignore
source address in security check" option. This way those vulnerabilities
cannot be exploited as long as the IP address of the attacker does not
match the IP address of the user (watch out with gateways, proxies etc).

-- 
Sent through GMX FreeMail - http://www.gmx.net
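The advisory's statement that the session IDs "can be predicted by analyzing them" (Vulnerability 5 above, and the Description section of this alert) can be checked mechanically. The following Python is an added example, not part of the original post or of IMail: it profiles the sixteen IDs quoted under Vulnerability 5 position by position, reporting which hex digits never change across logins and which position cycles through every value like a counter, the audit a reviewer would run before accepting a token generator.

```python
import math
from collections import Counter

# The sixteen consecutive session IDs quoted under Vulnerability 5, embedded
# here as the sample input (copied from the advisory text, not captured live).
SAMPLE_IDS = """
/Xa20acc929dcecfce93a0afa688 /Xa20bcc929dcecccb9ba0afa688
/Xa208cc929dcf9a9c93a0afa688 /Xa209cc929dcf9b9998a0afa688
/Xa20ecc929dcf9bcccba0afa688 /Xa20fcc929dcf98c998a0afa688
/Xa20ccc929dcf9992c8a0afa688 /Xa20dcc929dcf9ecbcea0afa688
/Xa202cc929dcf9f9dcca0afa688 /Xa203cc929dcf9c9e92a0afa688
/Xa200cc929dcf9d9b9aa0afa688 /Xa201cc929dcf9dce92a0afa688
/Xa206cc929dcf92cb9aa0afa688 /Xa207cc929dcf939c93a0afa688
/Xa204cc929dcfcb999ba0afa688 /Xa205cc929dcfcbcc93a0afa688
""".split()

def token_body(session_id):
    """IMail IDs are URL path components: '/X' followed by hex digits."""
    return session_id[2:] if session_id.startswith("/X") else session_id

def positional_profile(ids):
    """For each hex position, count which digits appear across the samples."""
    bodies = [token_body(s) for s in ids]
    width = len(bodies[0])
    if any(len(b) != width for b in bodies):
        raise ValueError("samples differ in length; align them before profiling")
    return [Counter(b[i] for b in bodies) for i in range(width)]

def shannon_bits(counter):
    n = sum(counter.values())
    return -sum(c / n * math.log2(c / n) for c in counter.values())

def audit(ids):
    """Summarise how much of the token actually varies between logins.

    With N samples a position can show at most log2(N) bits, so observed_bits
    is a ceiling on the entropy visible in the sample, not a measurement of the
    generator. Positions that never change, and a position that takes every
    value exactly once over consecutive logins (counter-like), are the findings
    a reviewer acts on."""
    profile = positional_profile(ids)
    return {
        "width": len(profile),
        "fixed": [i for i, c in enumerate(profile) if len(c) == 1],
        "varying": [i for i, c in enumerate(profile) if len(c) > 1],
        "counter_like": [i for i, c in enumerate(profile) if len(c) == len(ids)],
        "nominal_bits": 4 * len(profile),
        "observed_bits": round(sum(shannon_bits(c) for c in profile), 1),
    }

if __name__ == "__main__":
    for key, value in audit(SAMPLE_IDS).items():
        print(f"{key}: {value}")
```

On the quoted sample, 18 of the 26 hex digits are identical in every ID and one digit takes all 16 values exactly once across the 16 consecutive logins, so well under a quarter of the nominal 104 bits is doing any work.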