
b0f1-Mailtraq.txt
Posted Apr 3, 2000
Authored by Slash | Site b0f.com

Buffer0verflow Security Advisory #1 - Mailtraq remote file retrieving. The Mailtraq message server for Windows NT, 95, and 98 allows any file on the system to be read via a /../../ bug. All versions prior to 1.1.4 are affected.

tags | remote
systems | windows
SHA-256 | 811946ab0ebf72ba32eae273bd408419d58277b2cc6bec4feb1dad2886c8fc0e




_____________________________________________________________________
b u f f e r 0 v e r f l 0 w s e c u r i t y a d v i s o r y # 1


Advisory Name: Mailtraq remote file retrieving
Date: 3/22/00
Application: Mailtraq 1.1.4 for Win 95/98
Vendor: Fastraq Limited
WWW: www.mailtraq.com
Severity: Any user can browse and even download
files from the remote computer
Author: slash (tcsh@b0f.i-p.com)
Homepage: b0f.morphed.net


* Overview
Mailtraq is a message server aimed at individuals, small and medium sized
companies and home offices (SOHOS). Mailtraq’s primary goal is to provide online
services to local users by storing incoming and outgoing news and mail messages
offline, then connecting to the Internet at controlled intervals to deliver
outgoing messages and collect and store incoming messages. Mailtraq provides fully
featured Mail, News and Intranet services, full disk logging of all activity,
comprehensive firewall facilities plus many other services such as a Finger client,
Mail-to-News and News-To-Mail gateways, Web Administration, etc. Mailtraq requires
either the Windows NT (Server or Workstation), Windows 95 or Windows 98 operating
systems to be running on the machine on which it is loaded.





* The Problem
By default Mailtraq installs its Webmail Administration menu, which is
accessible via https://some.domain.com/$/admin . The problem occurred when we tried
to retrieve https://some.domain.com/ . We configured Mailtraq's WWW server root
directory to be C:\Program Files\Mailtraq\websys\webmail . Since that \websys\webmail
directory doesn't contain index.html, the server returned the complete file listing
of the directory C:\Program Files\Mailtraq\websys\webmail. So we tried to exploit
this a little bit, and discovered that anyone can browse and download files on the
remote computer running Mailtraq Mail Server. Here is how to exploit it:

https://127.0.0.1/./../../../

And you should get the complete listing of files in c:\Program Files\ . When we
tried to exploit this, we could only browse files from c:\Program Files\ . When we
added some more /../../../ to the existing URL we got a "404 Page not found". We
played around with this a little bit and found a way to exploit this too. To get
to windows we should add some more /../../../ but a correct directory name was
required. So we did it this way:

https://127.0.0.1/../../../../../../../../../../././../../././..././.../.../windows/

Here it is!!! The complete listing of C:\windows . Now this is as far as we go.
On Windows NT machines running Mailtraq you could just get sam._ , run l0phtcrack
against it and compromise the machine.

There is also a bug that allows a remote attacker to find out which directory
Mailtraq is installed in. When a large string is input after https://some.domain.com/
the server will return the path to Mailtraq's installation directory. Example:

https://127.0.0.1/../aaaaaaaaa[a lot of a's]aaaaaaa

The output you should get will look like this:

File "C:\Program Files\Mailtraq\websys\webmail\aaaaaa[a lot of a's]aaaaaa" could
not be found
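
Both problems above come down to the server joining the request path onto its root directory without checking where the result lands, then echoing that result in the error text. The following is an added example, not code from the advisory or from Mailtraq, of the containment check a server in this position needs; WEB_ROOT is the root directory quoted above, while the function names and the sample file names in the tests are assumptions.

```python
import ntpath
import re
from urllib.parse import unquote, urlsplit

# Web root quoted in the advisory; everything else here is illustrative.
WEB_ROOT = r"C:\Program Files\Mailtraq\websys\webmail"


def resolve_request(url, web_root=WEB_ROOT):
    """Return the Windows path a URL maps to under web_root, or None if refused."""
    # Decode once, then treat '/' and '\' as the same separator.
    rel = unquote(urlsplit(url).path).replace("/", "\\").lstrip("\\")
    # Refuse NUL bytes and ':' (drive letters, alternate data streams).
    if "\x00" in rel or ":" in rel:
        return None
    # Refuse dot-only components other than '.' and '..' (such as '...')
    # rather than guessing how the filesystem would interpret them.
    if any(re.fullmatch(r"\.{3,}", part) for part in rel.split("\\")):
        return None
    root = ntpath.normpath(web_root)
    candidate = ntpath.normpath(ntpath.join(root, rel))
    # Compare case-insensitively and on a component boundary, so that
    # "...\webmail-old" is not accepted as being inside "...\webmail".
    root_cmp, cand_cmp = ntpath.normcase(root), ntpath.normcase(candidate)
    if cand_cmp != root_cmp and not cand_cmp.startswith(root_cmp + "\\"):
        return None
    return candidate


def handle(url, exists=lambda path: False):
    """Return (status, body); error bodies never contain the resolved path."""
    path = resolve_request(url)
    if path is None or not exists(path):
        return 404, "404 Page not found"
    return 200, "OK"  # a real server would stream the file at `path` here
```

ntpath is used so the check follows Windows path rules lexically on any platform; a server that also follows links or junctions would need to resolve those before comparing.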





* Vulnerable Versions
We tested version 1.1.4 on Windows 98. All versions prior to 1.1.4 are
vulnerable. We aren't sure if the Windows NT version is affected.




* Fix
At this time we aren't familiar with any fix for this bug.




copyright © 1999-2000
slash, buffer0verfl0w security
www.b0f.com
