Bugtraq mailing list archives

Ipswitch Imail 7.04 vulnerabilities


From: Niels Heinen <zilli0n () gmx net>
Date: Fri, 12 Oct 2001 00:00:33 +0200 (MEST)


Hi all,

Below are vulnerabilities I have found in Imail (Ipswitch.com).
Some of them can be very dangerous and it is therefore recommended
that Imail users upgrade their software asap.

After reporting these vulnerabilities to Ipswitch on the 4th of this
month it only took 7 days before Ipswitch identified and reacted to
these issues. Fix information can be found at the end of this
email.

Cheers,

Niels Heinen

Greets to all @ safemode.org, @ alldas.de and @ #hacker_help (!shit ;) 


[ ** Vulnerability 1 -> Email session hijacking ** ]

Mail sessions can be hijacked by using the session ID given to a
user after authentication. This ID can be obtained in several ways:

- By sending HTML mail with embedded JavaScript
- By sending HTML mail with an embedded picture (Referer header)
- By editing the web interface log file

As long as the user is still logged in and the session has not
expired it is possible for attackers to take over his account.
Exploiting this vulnerability allows attackers to perform all
tasks the owner of the hijacked account can perform, such as
deleting, sending and modifying emails. If the account has (Imail)
admin privileges the attacker may also be able to add and remove
email addresses and domains. This could lead to serious data loss
or abuse of the mail server in question.
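The Referer leak in the second bullet can be spotted from the defender's side: when the webmail page fetches an image from a third-party host, the user's browser sends the webmail URL, session ID included, as the Referer of that fetch. The following is an added example, not code from the advisory or from Ipswitch; it assumes an egress proxy that writes Combined Log Format lines (constructed here), a webmail host name of mail.example.com, and that every session ID has the shape of the ones listed later in this post ("/X" followed by 26 hex digits).

```python
import re
from urllib.parse import urlsplit

# Session-ID shape taken from the IDs listed later in this advisory: the path
# segment "/X" followed by 26 lowercase hex digits.
SESSION_ID_RE = re.compile(r"/X[0-9a-f]{26}(?![0-9a-f])")

# Combined Log Format as written by common proxies/web servers:
# client ident user [timestamp] "request" status bytes "referer" "user-agent"
LOG_LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: three lines an egress proxy might log for webmail users.
SAMPLE_EGRESS_LOG = [
    # the webmail request itself: session ID in the URL, no Referer -> not a leak
    '10.1.2.3 - - [12/Oct/2001:10:00:01 +0200] '
    '"GET http://mail.example.com:8383/Xa20acc929dcecfce93a0afa688/readmail.cgi?uid=user1&mbx=Main HTTP/1.0" '
    '200 1534 "-" "Mozilla/4.0"',
    # an image embedded in an HTML mail, fetched from a third-party host: the
    # browser sends the webmail URL, session ID included, as the Referer
    '10.1.2.3 - - [12/Oct/2001:10:00:02 +0200] '
    '"GET http://images.example.net/pixel.gif HTTP/1.0" '
    '200 43 "http://mail.example.com:8383/Xa20acc929dcecfce93a0afa688/readmail.cgi?uid=user1&mbx=Main" "Mozilla/4.0"',
    # ordinary browsing with a harmless Referer
    '10.1.2.4 - - [12/Oct/2001:10:00:03 +0200] '
    '"GET http://www.example.org/ HTTP/1.0" 200 2210 '
    '"http://www.example.org/index.html" "Mozilla/4.0"',
]


def parse_log_line(line):
    """Split one Combined Log Format line into its fields, or return None."""
    m = LOG_LINE_RE.match(line)
    if m is None:
        return None
    fields = m.groupdict()
    parts = fields["req"].split(" ")
    fields["url"] = parts[1] if len(parts) >= 2 else fields["req"]
    return fields


def find_leaked_session_ids(log_lines, webmail_host):
    """Return (client, fetched_url, session_id) for each line whose Referer
    carries a webmail session ID and whose request went to a host other than
    the webmail server, i.e. the ID was handed to a third party."""
    leaks = []
    for line in log_lines:
        f = parse_log_line(line)
        if f is None:
            continue
        hit = SESSION_ID_RE.search(f["referer"])
        if hit is None:
            continue
        if urlsplit(f["url"]).hostname == webmail_host:
            continue  # navigation inside the webmail itself is expected
        leaks.append((f["src"], f["url"], hit.group(0)))
    return leaks


if __name__ == "__main__":
    for client, url, sid in find_leaked_session_ids(SAMPLE_EGRESS_LOG, "mail.example.com"):
        print(f"{client} leaked {sid} to {url}")
```

Each hit names the user's address, the external host that now holds the session ID, and the ID itself, which is enough to invalidate that session and to block the image host. The root cause, a session ID carried in the URL path, is not fixed by this; it only makes the leak visible.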



[ ** Vulnerability 2 -> Mailbox disclosure ** ]

It is possible for normal users to gain access to the mailboxes of other
users by abusing a directory traversal vulnerability in the mailbox
variable sent to the server:

http://xx.xx.xx.xx:8383/<user1 session id>/readmail.cgi?uid=user1&mbx=../user2/Main

In the above example 'user1' is viewing the content of the 'Main' mailbox
of user2. The mails stored in this mailbox can then be read simply by
clicking on them.



[ ** Vulnerability 3 -> Attachment information leak ** ]

Email attachments expose the full directory path of the Imail
installation and its spool directory (see the X-Attachments header below).
This information leak can be very useful for attackers who are
footprinting the server in question.

Example email header:

From: "XXXXXXXXXXXXXXXX" <XXXXXXXX@XXXXXXXXX>
Reply-To: <XXXXXXXX@XXXXXXXX>
X-Sender: <XXXXXX@XXXXXXXXX>
To: <XXXXXX@XXXXXXXXX>
Subject: Slides
X-Mailer: <IMail v7.04>
X-Attachments: f:\Imail\spool\web\file.zip;
X-Sanitizer: In
MIME-Version: 1.0
Content-Type: multipart/mixed; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit



[ ** Vulnerability 4 -> Denial of service attack ** ]

When trying to open a mailbox whose name consists of 248 dots (other
characters might work as well) the web interface crashes without any
error message, CPU hogging or other visual alert. Even in the
administrator application the server will still be marked as running.
The process keeps running but it no longer listens on the predefined
port (8383).

This vulnerability can be exploited through any CGI script used by
the web interface that takes a user mailbox as a parameter (readmail.cgi,
printmail.cgi etc.).
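Both vulnerability 2 (the ../user2/Main traversal) and vulnerability 4 (the 248-dot mailbox name) come in through the same mbx parameter, so one allow-list on that parameter closes both. The block below is an added example of how such a check is written, not Ipswitch's code or its hotfix; it assumes a spool layout of <spool_root>/<uid>/<mailbox> (the advisory only shows f:\Imail\spool in a header), an assumed 64-character cap on mailbox names, and the path /var/spool/imail as a stand-in root. The unsafe_resolve_mailbox function reproduces the vulnerable pattern for contrast only.

```python
import posixpath
import re

# Assumed layout for this example: <spool_root>/<uid>/<mailbox>.  The advisory's
# X-Attachments header only shows that the real server keeps its spool under
# f:\Imail\spool; the exact per-user layout is not documented there.
# First character must be alphanumeric, so ".", ".." and the 248-dot name are
# rejected before any path is built.  The 64-char cap is an assumed limit.
MAILBOX_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,63}")


def unsafe_resolve_mailbox(spool_root, uid, mbx):
    """The pattern behind vulnerability 2: the request parameter is joined onto
    the spool path as-is, so 'mbx=../user2/Main' walks into another user's
    directory.  Kept here only to contrast with the hardened version."""
    return posixpath.normpath(posixpath.join(spool_root, uid, mbx))


def validate_name(value, what):
    """Allow-list check on a raw request parameter (uid or mbx).  Rejects path
    separators of either flavour, NUL bytes, names that start with a dot and
    over-long names; everything else is a plain single-component name."""
    if not MAILBOX_NAME_RE.fullmatch(value):
        raise ValueError(f"{what} {value[:16]!r}... is not an acceptable name")
    return value


def resolve_mailbox(spool_root, uid, mbx):
    """Hardened resolution: allow-list both parameters, then independently
    prove the final path is strictly inside the user's own directory."""
    validate_name(uid, "uid")      # uid is attacker-controlled as well
    validate_name(mbx, "mbx")
    user_dir = posixpath.normpath(posixpath.join(spool_root, uid))
    target = posixpath.normpath(posixpath.join(user_dir, mbx))
    # Defence in depth: even if the allow-list were loosened later, refuse any
    # result that is not a descendant of user_dir.
    if posixpath.commonpath([user_dir, target]) != user_dir or target == user_dir:
        raise ValueError("mailbox path escapes the user's directory")
    return target


def is_safe_mailbox(spool_root, uid, mbx):
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        resolve_mailbox(spool_root, uid, mbx)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    root = "/var/spool/imail"                                      # assumed root
    print(unsafe_resolve_mailbox(root, "user1", "../user2/Main"))  # user2's mailbox
    print(is_safe_mailbox(root, "user1", "Main"))                  # True
    print(is_safe_mailbox(root, "user1", "../user2/Main"))         # False
    print(is_safe_mailbox(root, "user1", "." * 248))               # False
```

The allow-list is the real fix; the commonpath check only catches a future mistake in the allow-list. Rejecting the request before the name reaches the filesystem layer is also what keeps the 248-dot case out of whatever code path crashes in vulnerability 4, although the advisory does not say where that crash actually happens.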



[ ** Vulnerability 5 -> Weak session IDs ** ]

The session IDs issued after authentication can be predicted by
analysing a sequence of them:

45: Session ID:  /Xa20acc929dcecfce93a0afa688
46: Session ID:  /Xa20bcc929dcecccb9ba0afa688
47: Session ID:  /Xa208cc929dcf9a9c93a0afa688
48: Session ID:  /Xa209cc929dcf9b9998a0afa688
49: Session ID:  /Xa20ecc929dcf9bcccba0afa688
50: Session ID:  /Xa20fcc929dcf98c998a0afa688
51: Session ID:  /Xa20ccc929dcf9992c8a0afa688
52: Session ID:  /Xa20dcc929dcf9ecbcea0afa688
53: Session ID:  /Xa202cc929dcf9f9dcca0afa688
54: Session ID:  /Xa203cc929dcf9c9e92a0afa688
55: Session ID:  /Xa200cc929dcf9d9b9aa0afa688
56: Session ID:  /Xa201cc929dcf9dce92a0afa688
57: Session ID:  /Xa206cc929dcf92cb9aa0afa688
58: Session ID:  /Xa207cc929dcf939c93a0afa688
59: Session ID:  /Xa204cc929dcfcb999ba0afa688
60: Session ID:  /Xa205cc929dcfcbcc93a0afa688

By using calculated session IDs for authentication it is possible for
attackers to gain access to accounts without knowing usernames or
passwords.
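How little of each ID actually varies can be measured directly from the sixteen IDs listed above. The block below is an added example, not part of the advisory; it takes the IDs verbatim, profiles every hex position, and reports which positions never change, how many distinct values the others take, and the resulting upper bound on the space an attacker has to search, treating the varying positions as independent. It does not claim to know the generator's exact formula. For contrast, strong_session_id shows what an ID of the same shape looks like when drawn from the OS CSPRNG.

```python
import secrets

# The 16 consecutive session IDs (sessions 45 to 60) listed above, verbatim.
OBSERVED_IDS = [
    "/Xa20acc929dcecfce93a0afa688",
    "/Xa20bcc929dcecccb9ba0afa688",
    "/Xa208cc929dcf9a9c93a0afa688",
    "/Xa209cc929dcf9b9998a0afa688",
    "/Xa20ecc929dcf9bcccba0afa688",
    "/Xa20fcc929dcf98c998a0afa688",
    "/Xa20ccc929dcf9992c8a0afa688",
    "/Xa20dcc929dcf9ecbcea0afa688",
    "/Xa202cc929dcf9f9dcca0afa688",
    "/Xa203cc929dcf9c9e92a0afa688",
    "/Xa200cc929dcf9d9b9aa0afa688",
    "/Xa201cc929dcf9dce92a0afa688",
    "/Xa206cc929dcf92cb9aa0afa688",
    "/Xa207cc929dcf939c93a0afa688",
    "/Xa204cc929dcfcb999ba0afa688",
    "/Xa205cc929dcfcbcc93a0afa688",
]


def nibble_profile(ids, prefix="/X"):
    """For each hex position, the sorted set of values seen across all IDs."""
    bodies = [s[len(prefix):] for s in ids]
    width = len(bodies[0])
    if any(len(b) != width for b in bodies):
        raise ValueError("session IDs differ in length")
    return [sorted({b[i] for b in bodies}) for i in range(width)]


def analyse(ids):
    """Summarise how much of the ID actually varies between sessions."""
    profile = nibble_profile(ids)
    constant = [i for i, vals in enumerate(profile) if len(vals) == 1]
    varying = [i for i, vals in enumerate(profile) if len(vals) > 1]
    bound = 1
    for i in varying:             # treat varying positions as independent:
        bound *= len(profile[i])  # an upper bound on the space seen so far
    return {
        "width": len(profile),
        "constant_positions": constant,
        "varying_positions": varying,
        "distinct_per_varying": {i: len(profile[i]) for i in varying},
        "observed_space_bound": bound,
        "nominal_space": 16 ** len(profile),
    }


def strong_session_id(nbytes=16):
    """What the ID should be: 128 bits from the OS CSPRNG behind the same prefix."""
    return "/X" + secrets.token_hex(nbytes)


if __name__ == "__main__":
    r = analyse(OBSERVED_IDS)
    print(f"{r['width']} hex digits, {len(r['constant_positions'])} never change")
    print("varying positions and distinct values:", r["distinct_per_varying"])
    print(f"observed space <= {r['observed_space_bound']} of nominal {r['nominal_space']}")
    print("a properly generated ID for comparison:", strong_session_id())
```

On the advisory's data 18 of the 26 hex digits are fixed, position 3 cycles through all sixteen values over the sixteen consecutive sessions, and four of the remaining positions only ever take two values, so the product of the observed alternatives is a little over 10^5 against a nominal 16^26. An attacker who has logged in once to see the format needs far fewer guesses than that figure suggests, since the varying digits are clearly not independent either.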



[ ** Counter these vulnerabilities ** ]

Vulnerabilities 2 and 4 can be countered by installing the hotfix released
by Ipswitch:
ftp://ftp.ipswitch.com/Ipswitch/Product_Support/IMail/IM704HF1.exe

More information about this update can be found on the Ipswitch web site:
http://www.ipswitch.com/support/imail/news.html

Vulnerabilities 1 and 5 can be countered by not selecting the "ignore
source address in security check" option. This way those vulnerabilities
cannot be exploited as long as the IP address of the attacker does not
match the IP address of the user (watch out with gateways, proxies etc.).
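The source-address check described for vulnerabilities 1 and 5 is a server-side binding of each session to the client address it was issued to. The block below is an added example of that binding written in Python for this post, not Ipswitch's implementation; the bind_to_address flag models the "ignore source address in security check" option, the addresses and timeout are made up, and the clock is injectable so the expiry path can be exercised offline. It also issues IDs from the OS CSPRNG, which addresses vulnerability 5 directly rather than relying on the address check alone.

```python
import secrets
import time


class SessionTable:
    """Server-side session store that remembers the client address a session
    was created from and rejects the same ID presented from any other address.
    Example code written for this advisory, not IMail's implementation; the
    'ignore source address in security check' option corresponds to
    bind_to_address=False."""

    def __init__(self, ttl_seconds=1800, bind_to_address=True, now=time.time):
        self._ttl = ttl_seconds
        self._bind = bind_to_address
        self._now = now                  # injectable clock for testing
        self._sessions = {}              # sid -> (user, client_ip, expires_at)

    def create(self, user, client_ip):
        """Issue a fresh unpredictable ID (128 bits from the OS CSPRNG)."""
        sid = "/X" + secrets.token_hex(16)
        self._sessions[sid] = (user, client_ip, self._now() + self._ttl)
        return sid

    def lookup(self, sid, client_ip):
        """Return the session's user, or None if the ID is unknown, expired, or
        presented from an address other than the one it was issued to."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        user, bound_ip, expires_at = entry
        if self._now() > expires_at:
            del self._sessions[sid]
            return None
        if self._bind and client_ip != bound_ip:
            return None              # stolen or guessed ID replayed elsewhere
        return user

    def destroy(self, sid):
        self._sessions.pop(sid, None)


def replay_is_refused(bind_to_address):
    """Scenario from vulnerabilities 1 and 5: an attacker at 192.0.2.99 replays
    user1's ID (obtained via the Referer leak or by prediction) while user1 at
    10.1.2.3 is still logged in.  Returns True when the replay is refused."""
    clock = [1000.0]
    table = SessionTable(ttl_seconds=60, bind_to_address=bind_to_address,
                         now=lambda: clock[0])
    sid = table.create("user1", "10.1.2.3")
    if table.lookup(sid, "10.1.2.3") != "user1":
        raise RuntimeError("the legitimate user must still be accepted")
    return table.lookup(sid, "192.0.2.99") is None


if __name__ == "__main__":
    print("source check on :", replay_is_refused(True))    # True
    print("source check off:", replay_is_refused(False))   # False
```

The caveat in the text applies exactly here: an attacker who sits behind the same NAT gateway or forward proxy as the victim presents the same client_ip and the check does nothing, while a legitimate user whose address changes mid-session is logged out. Binding helps, but unpredictable IDs and a short lifetime are the part that does not depend on the network.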

-- 
Sent through GMX FreeMail - http://www.gmx.net

