602LAN SUITE Input Validation Bug Lets Remote Authenticated Users Upload and Execute Files
SecurityTracker Alert ID: 1013106
SecurityTracker URL: http://securitytracker.com/id/1013106
CVE Reference: GENERIC-MAP-NOMATCH
Date: Feb 8 2005
Impact: Execution of arbitrary code via network, Modification of system information, Modification of user information, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): prior to 2004.0.05.0207; Tested on 2004.0.04.1221
Description:
Tan Chew Keong of SIG^2 Vulnerability Research reported a vulnerability in 602LAN SUITE. A remote authenticated user can upload files to arbitrary directories.
The software does not properly validate user-supplied filenames before uploading files as e-mail attachments. A remote authenticated webmail user can, for example, upload an executable file to the web server's CGI directory and then load a URL to execute the uploaded file with the privileges of the target web server.
The vendor was notified on January 22, 2005.
The original advisory is available at:
http://www.security.org.sg/vuln/602lansuite1221.html
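One way to validate an attachment filename before it is written to disk, shown as an added example that is not code from 602LAN SUITE or from the original advisory. The function name `safe_attachment_path`, the exception class and the allowed-character policy are assumptions chosen for illustration, and the sample filenames are constructed.

```python
import ntpath
import os
import re
import tempfile

# Windows device names that must never be used as a stored filename.
_RESERVED = {"CON", "PRN", "AUX", "NUL"} | {
    f"{p}{i}" for p in ("COM", "LPT") for i in range(1, 10)
}
# Assumed policy: plain names only, starting with a letter or digit.
_ALLOWED = re.compile(r"^[A-Za-z0-9][A-Za-z0-9 ._-]{0,127}$")


class UnsafeFilename(ValueError):
    """Raised when a client-supplied attachment name is rejected."""


def safe_attachment_path(upload_root, client_filename):
    """Return an absolute path inside upload_root for a client-supplied name."""
    # ntpath splits on both "\\" and "/" and strips drive or UNC prefixes.
    # Reject, rather than silently repair, any name with directory parts.
    base = ntpath.basename(client_filename)
    if base != client_filename:
        raise UnsafeFilename("directory components in filename")
    # Windows drops trailing dots and spaces, so refuse them up front.
    if not _ALLOWED.match(base) or base.endswith((".", " ")):
        raise UnsafeFilename("disallowed characters")
    if base.split(".")[0].upper() in _RESERVED:
        raise UnsafeFilename("reserved device name")
    root = os.path.realpath(upload_root)
    target = os.path.realpath(os.path.join(root, base))
    # Defence in depth: the resolved target must still sit under the root.
    if os.path.commonpath([root, target]) != root:
        raise UnsafeFilename("path escapes upload directory")
    return target


if __name__ == "__main__":
    root = tempfile.mkdtemp()  # stands in for an attachment spool directory
    # Constructed sample names, not taken from the advisory.
    for name in ["report.pdf", "..\\cgi-bin\\test.exe", "C:test.exe", "NUL.txt"]:
        try:
            print(repr(name), "->", safe_attachment_path(root, name))
        except UnsafeFilename as err:
            print(repr(name), "rejected:", err)
```

Keeping the attachment spool outside any directory the web server maps to CGI or script execution limits the impact if a filename check like this is ever bypassed.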
Impact:
A remote authenticated user can upload files to arbitrary directories on the target system. Then, a remote user can cause the web server to execute the uploaded file.
Solution:
The vendor has released a fixed version (2004.0.05.0207), available at:
http://www.software602.com/download/
Vendor URL: www.software602.com/
Cause:
Input validation error
Underlying OS: Windows (Any)
Message History: None.
Source Message Contents
Subject: [SIG^2 G-TEC] 602LAN SUITE Web Mail Vulnerability Allows File Upload
SIG^2 Vulnerability Research Advisory

602LAN SUITE Web Mail Vulnerability Allows File Upload to Arbitrary
Directories

by Tan Chew Keong
Release Date: 07 Feb 2005

ADVISORY URL

http://www.security.org.sg/vuln/602lansuite1221.html

SUMMARY

602LAN SUITE (http://www.software602.com/products/ls/) is a secure mail
server with antivirus and anti-spam, built-in firewall with NAT and Web
content filter proxy for controlled Internet sharing. The integrated Web
server provides access to the Web Mail client, shared address book,
remote administration and user home pages. SSL, ISAPI, CGI, and FastCGI
support is available.

A directory traversal vulnerability was found in 602LAN SUITE's Web Mail
file attachment upload feature that may be exploited to upload files to
arbitrary locations on the server. A malicious mail user may upload an
EXE file to the /cgi-bin directory of the server, and execute it by
requesting the URL of the uploaded EXE file.

TESTED SYSTEM

602LAN SUITE Version 2004.0.04.1221 on English WinXP SP2, Win2K SP4.

DETAILS

602LAN SUITE's Web Mail allows a logged-on mail user to upload file
attachments when composing an email. Lack of input sanitization of the
supplied filename allows the user to upload files to arbitrary locations
on the server. This may be exploited by a malicious web mail user to
upload EXE files to the /cgi-bin directory of the server. After
uploading the EXE file to /cgi-bin, it is possible to execute that file
by directly requesting its URL (i.e.
http://[hostname]/cgi-bin/test.exe). Successful exploitation will allow
upload and execution of arbitrary code/EXE files on the server.

PATCH

Upgrade to 602LAN SUITE version 2004.0.05.0207.

DISCLOSURE TIMELINE

22 Jan 05 - Vulnerability Discovered.
22 Jan 05 - Initial Vendor Notification using online Bug Report Form.
24 Jan 05 - Second Vendor Notification using online Bug Report Form and
Email.
26 Jan 05 - Initial Vendor Reply.
04 Feb 05 - Vendor provided beta version.
07 Feb 05 - Received Notification that Fixed Version was Released.
07 Feb 05 - Public Release

GREETINGS

All guys at SIG^2 G-TEC Lab
http://www.security.org.sg/webdocs/g-tec.html
"IT Security...the Gathering. By enthusiasts for enthusiasts."