Bugtraq mailing list archives

[SIG^2 G-TEC] ArGoSoft Mail Server Webmail Multiple Directory Traversal Vulnerabilities


From: <chewkeong () security org sg>
Date: 9 Feb 2005 12:42:12 -0000



SIG^2 Vulnerability Research Advisory

ArGoSoft Mail Server Webmail Multiple Directory Traversal Vulnerabilities

by Tan Chew Keong
Release Date: 09 Feb 2005

ADVISORY URL
http://www.security.org.sg/vuln/argosoftmail1873.html


SUMMARY

ArGoSoft Mail Server (http://www.argosoft.com/mailserver/) is a fully functional SMTP/POP3/Finger (Pro version also has 
IMAP module) server for Windows 95/98/NT/2000, which will let you turn your computer into the email system. It's very 
compact, takes about 1-5 Mb of disk space (depending on the version), does not have any specific memory requirements, 
and what is the most important - it's very easy to use.

Multiple directory traversal vulnerabilities were found in ArGoSoft Mail Server's Webmail that may be exploited by a 
logged-on mail user to upload files to arbitrary directories on the server, retrieve arbitrary files from the server, 
access other users' emails, and create/delete arbitrary directories on the server. 
 

TESTED SYSTEM

ArGoSoft Mail Server Version 1.8.7.3 on English WinXP SP2, Win2K SP4.

 
DETAILS

This advisory documents 4 directory traversal vulnerabilities in ArGoSoft Mail Server's Webmail. Exploitation of these 
vulnerabilities requires a valid logon account on the Webmail. 


a. Directory traversal in email attachment filename allows file upload to arbitrary directories

ArGoSoft Mail Server's Webmail allows a logged-on mail user to upload file attachments when composing an email. Lack of 
input sanitization of the supplied filename allows the user to upload files to arbitrary locations on the server. This 
may be exploited by a malicious mail user to upload and replace other users' password file (userdata.rec) with a copy 
that has a known password, thus allowing him/her to log on as other users.


b. Directory traversal in _msgatt.rec allows arbitrary files on the server to be sent as attachments

By uploading a specially crafted _msgatt.rec file containing directory traversal characters, it is possible to cause 
the server to send arbitrary files on the server as attachments to the user. A malicious user may exploit this 
vulnerability to email another user's password file (userdata.rec) to himself.


c. Directory traversal in /msg and /delete "Folder" parameter allows reading/deleting of other users' emails

The /msg and /delete links allow the Webmail user to view/delete his/her emails. It is possible to view/delete other 
users' emails by using directory traversal characters in the "Folder" parameter and specifying a correct UIDL. 


d. Directory traversal in /folderadd and /folderdelete "Folder" parameter allows creating/deleting arbitrary 
directories on the server

The /folderadd and /folderdelete links allow the Webmail user to create/delete mail folders. It is possible to use 
directory traversal characters in the Folder parameter to create/delete directories in arbitrary locations on the 
server. A malicious user may exploit this vulnerability to delete other users' entire mail directories, which is 
effectively the same as removing the users from the system.
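
The kind of server-side containment check that items a, c and d call for, and that applies equally to any path read 
back from a record such as _msgatt.rec (item b), shown as an added example: it is not ArGoSoft's code and not part of 
the original advisory. The function names, the per-user root directory and the policy of reserving the .rec suffix are 
assumptions of the example.

```python
import ntpath  # Windows path rules on any host; the affected server runs on Windows

class TraversalError(ValueError):
    """Raised when a client-supplied name would leave the user's mail directory."""

# Assumption: server control files (userdata.rec, _msgatt.rec) share this suffix.
RESERVED_SUFFIX = ".rec"

def safe_leaf(name: str) -> str:
    """Validate an attachment filename: one path component, nothing reserved."""
    if not name or "\x00" in name or name in (".", ".."):
        raise TraversalError(f"bad name: {name!r}")
    if any(c in name for c in "\\/:"):  # separators, drive letters, NTFS streams
        raise TraversalError(f"separator or drive in name: {name!r}")
    # Windows drops trailing dots and spaces, so "userdata.rec. " opens userdata.rec.
    if name.lower().rstrip(". ").endswith(RESERVED_SUFFIX):
        raise TraversalError(f"reserved control file: {name!r}")
    return name

def resolve_folder(user_root: str, folder: str) -> str:
    """Map a Folder parameter to a path strictly inside user_root, or raise."""
    if "\x00" in folder or ntpath.splitdrive(folder)[0]:  # drive letter or UNC share
        raise TraversalError(f"bad folder: {folder!r}")
    root = ntpath.normpath(user_root)
    candidate = ntpath.normpath(ntpath.join(root, folder))  # collapses ".." and "/"
    root_key, cand_key = ntpath.normcase(root), ntpath.normcase(candidate)
    try:
        # Component-wise comparison: "alice2" is not inside "alice".
        common = ntpath.commonpath([root_key, cand_key])
    except ValueError:  # different drives, or absolute mixed with relative
        raise TraversalError(f"bad folder: {folder!r}") from None
    # The root itself is refused too, so a folder delete cannot remove the mailbox.
    if common != root_key or cand_key == root_key:
        raise TraversalError(f"folder outside mailbox: {folder!r}")
    return candidate

def attachment_path(user_root: str, folder: str, filename: str) -> str:
    """Build the storage path for an uploaded attachment from validated parts."""
    return ntpath.join(resolve_folder(user_root, folder), safe_leaf(filename))

if __name__ == "__main__":
    root = r"C:\MailRoot\alice"  # constructed sample layout, not from the advisory
    for folder in ("Inbox", r"..\bob\Inbox", r"\Windows", "D:x"):
        try:
            print("ok  ", resolve_folder(root, folder))
        except TraversalError as exc:
            print("deny", exc)
```

These are string-level checks only; a handler on a live filesystem should also compare the resolved real path, since 
junctions and symbolic links are not visible to path normalization.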


PATCH

Upgrade to version v1.8.7.4.

 
DISCLOSURE TIMELINE

06 Feb 05 - Vulnerability Discovered.
08 Feb 05 - Initial Vendor Notification.
08 Feb 05 - Received Notification from Vendor that Fixed Version was Released.
09 Feb 05 - Public Release.


GREETINGS

All guys at SIG^2 G-TEC Lab
http://www.security.org.sg/webdocs/g-tec.html 

"IT Security...the Gathering. By enthusiasts for enthusiasts."

