SecurityTracker.com

SecurityTracker
Archives




Category:  Application (Generic) > 602Pro LAN Suite
Vendors:  Software602
602LAN SUITE Input Validation Bug Lets Remote Authenticated Users Upload and Execute Files
SecurityTracker Alert ID:  1013106
SecurityTracker URL:  http://securitytracker.com/id/1013106
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Feb 8 2005
Impact:   Execution of arbitrary code via network, Modification of system information, Modification of user information, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): prior to 2004.0.05.0207; Tested on 2004.0.04.1221
Description:   Tan Chew Keong of SIG^2 Vulnerability Research reported a vulnerability in 602LAN SUITE. A remote authenticated user can upload files to arbitrary directories.

The software does not properly validate user-supplied filenames before uploading files as e-mail attachments. A remote authenticated webmail user can, for example, upload an executable file to the web server's CGI directory and then load a URL to execute the uploaded file with the privileges of the target web server.

The vendor was notified on January 22, 2005.

The original advisory is available at:

http://www.security.org.sg/vuln/602lansuite1221.html

Impact:   A remote authenticated user can upload files to arbitrary directories on the target system. Then, a remote user can cause the web server to execute the uploaded file.
Solution:   The vendor has released a fixed version (2004.0.05.0207), available at:

http://www.software602.com/download/

Vendor URL:  www.software602.com/
Cause:   Input validation error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  [SIG^2 G-TEC] 602LAN SUITE Web Mail Vulnerability Allows File Upload


SIG^2 Vulnerability Research Advisory

602LAN SUITE Web Mail Vulnerability Allows File Upload to Arbitrary Directories

by Tan Chew Keong
Release Date: 07 Feb 2005

ADVISORY URL
http://www.security.org.sg/vuln/602lansuite1221.html


SUMMARY

602LAN SUITE (http://www.software602.com/products/ls/) is a secure mail 
server with antivirus and anti-spam, built-in firewall with NAT and Web 
content filter proxy for controlled Internet sharing. The integrated Web 
server provides access to the Web Mail client, shared address book, 
remote administration and user home pages. SSL, ISAPI, CGI, and FastCGI 
support is available.

A directory traversal vulnerability was found in 602LAN SUITE's Web Mail file attachment upload feature that may be exploited to upload files to arbitrary locations on the server. A malicious mail user may upload an EXE file to the /cgi-bin directory of the server, and execute it by requesting the URL of the uploaded EXE file.


TESTED SYSTEM

602LAN SUITE Version 2004.0.04.1221 on English WinXP SP2, Win2K SP4.


DETAILS

602LAN SUITE's Web Mail allows a logged-on mail user to upload file attachments when composing an email. Lack of input sanitization of the supplied filename allows the user to upload files to arbitrary locations on the server. This may be exploited by a malicious web mail user to upload EXE files to the /cgi-bin directory of the server. After uploading the EXE file to /cgi-bin, it is possible to execute that file by directly requesting its URL (i.e. http://[hostname]/cgi-bin/test.exe). Successful exploitation will allow upload and execution of arbitrary code/EXE files on the server.


PATCH

Upgrade to 602LAN SUITE version 2004.0.05.0207.


DISCLOSURE TIMELINE

22 Jan 05 - Vulnerability Discovered.
22 Jan 05 - Initial Vendor Notification using online Bug Report Form.
24 Jan 05 - Second Vendor Notification using online Bug Report Form and Email.
26 Jan 05 - Initial Vendor Reply.
04 Feb 05 - Vendor provided beta version.
07 Feb 05 - Received Notification that Fixed Version was Released.
07 Feb 05 - Public Release


GREETINGS

All guys at SIG^2 G-TEC Lab
http://www.security.org.sg/webdocs/g-tec.html

"IT Security...the Gathering. By enthusiasts for enthusiasts."
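The root cause named in both the SecurityTracker description and the DETAILS section above is a client-supplied attachment filename used as a server path without sanitization. The following is an added illustration, not code from the advisory or from Software602: the unchecked join that lets a `..` component walk out of the attachment directory, beside a hardened version that accepts only a plain filename and then verifies the resolved path stays under the root. The root directory, function names and sample filenames are assumptions; `cgi-bin` and `test.exe` are the locations the advisory itself mentions.

```python
import posixpath
import re

# Constructed root for the example; in a real deployment this is the webmail attachment directory.
ATTACHMENT_ROOT = "/srv/webmail/attachments"

# Exactly one plain filename component: no separators, no leading dot, bounded length.
_SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")
# The advisory's target runs Windows, where CON.txt or nul.exe names a device rather than a file.
_WINDOWS_RESERVED = ({"CON", "PRN", "AUX", "NUL"}
                     | {f"COM{i}" for i in range(1, 10)}
                     | {f"LPT{i}" for i in range(1, 10)})


class UnsafeFilename(ValueError):
    """Raised when a client-supplied attachment name is not a plain filename."""


def unchecked_attachment_path(root: str, client_name: str) -> str:
    """The vulnerable pattern: join whatever the client sent under the root.
    A name containing '..' components resolves to a path outside root."""
    return posixpath.normpath(posixpath.join(root, client_name))


def sanitize_attachment_name(client_name: str) -> str:
    """Accept only a single plain filename component; reject everything else
    rather than silently stripping path parts."""
    if "\x00" in client_name or "/" in client_name or "\\" in client_name or ":" in client_name:
        raise UnsafeFilename(f"separator, drive letter or NUL in name: {client_name!r}")
    if not _SAFE_NAME.fullmatch(client_name):
        raise UnsafeFilename(f"not a plain filename: {client_name!r}")
    if client_name.split(".")[0].upper() in _WINDOWS_RESERVED:
        raise UnsafeFilename(f"reserved device name: {client_name!r}")
    return client_name


def safe_attachment_path(root: str, client_name: str) -> str:
    """Sanitize the name, then independently confirm the result is still inside root."""
    target = posixpath.normpath(posixpath.join(root, sanitize_attachment_name(client_name)))
    # Defence in depth: a future gap in the name filter must still not escape root.
    # In production, resolve symlinks with os.path.realpath before this comparison.
    if posixpath.commonpath([posixpath.normpath(root), target]) != posixpath.normpath(root):
        raise UnsafeFilename(f"resolved outside attachment root: {target}")
    return target


def is_rejected(client_name: str) -> bool:
    """True when the hardened path builder refuses the supplied name."""
    try:
        safe_attachment_path(ATTACHMENT_ROOT, client_name)
    except UnsafeFilename:
        return True
    return False
```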









Copyright 2019, SecurityGlobal.net LLC