_____________________________________________________________________
b u f f e r 0 v e r f l 0 w   s e c u r i t y   a d v i s o r y   # 1

Advisory Name: Mailtraq remote file retrieving
Date: 3/22/00
Application: Mailtraq 1.1.4 for Win 95/98
Vendor: Fastraq Limited
WWW: www.mailtraq.com
Severity: Any user can browse and even download files from the remote computer
Author: slash (tcsh@b0f.i-p.com)
Homepage: b0f.morphed.net

* Overview

Mailtraq is a message server aimed at individuals, small and medium sized companies and home offices (SOHOs). Mailtraq’s primary goal is to provide online services to local users by storing incoming and outgoing news and mail messages offline, then connecting to the Internet at controlled intervals to deliver outgoing messages and collect and store incoming messages. Mailtraq provides fully featured Mail, News and Intranet services, full disk logging of all activity, comprehensive firewall facilities plus many other services such as a Finger client, Mail-to-News and News-to-Mail gateways, Web Administration, etc. Mailtraq requires either the Windows NT (Server or Workstation), Windows 95 or Windows 98 operating systems to be running on the machine on which it is loaded.

* The Problem

By default Mailtraq installs its Webmail Administration menu, which is accessible via http://some.domain.com/$/admin . The problem occurred when we tried to retrieve http://some.domain.com/ . We configured Mailtraq's WWW server root directory to be C:\Program Files\Mailtraq\websys\webmail . Since the \websys\webmail directory doesn't contain index.html, the server returned the complete file listing of the directory C:\Program Files\Mailtraq\websys\webmail . So we tried to exploit this a little bit, and discovered that anyone can browse and download files on the remote computer running Mailtraq Mail Server. Here is how to exploit it:

    http://127.0.0.1/./../../../

You should get the complete listing of files in c:\Program Files\ .

When we tried to exploit this, we could only browse files from c:\Program Files\ . When we added some more /../../../ to the existing URL we got a "404 Page not found". We played around with this a little bit and found a way to exploit this too. To get to the windows directory we had to add some more /../../../ , but a correct directory name was required. So we did it this way:

    http://127.0.0.1/../../../../../../../../../../././../../././..././.../.../windows/

Here it is!!! The complete listing of C:\windows . Now this is as far as we go. On Windows NT machines running Mailtraq you could just get sam._ , run l0phtcrack against it and compromise the machine.

There is also a bug that allows the remote attacker to find out in which directory Mailtraq is installed. When a large string is entered after http://some.domain.com/ , the server returns the path to Mailtraq's installation directory. Example:

    http://127.0.0.1/../aaaaaaaaa[a lot of a's]aaaaaaa

The output you should get will look like this:

    File "C:\Program Files\Mailtraq\websys\webmail\aaaaaa[a lot of a's]aaaaaa" could not be found

* Vulnerable Versions

We tested version 1.1.4. on Windows 98. All versions prior to 1.1.4 are vulnerable. We aren't sure if the Windows NT version is affected.

* Fix

At this time we are not aware of any fix for this bug.

copyright © 1999-2000 slash, buffer0verfl0w security
www.b0f.com
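
A defensive sketch of the checks whose absence this advisory describes: confining a requested path to the web root, refusing to list a directory that has no index, and returning errors that do not reveal the install directory. This is an added example, not Mailtraq's code and not the advisory authors'; resolve_request, respond and SAMPLE_FILES are hypothetical names, and the web root is the one the advisory says was configured.

```python
import ntpath
from urllib.parse import unquote

# Assumption: the document root the advisory says was configured.
WEB_ROOT = r"C:\Program Files\Mailtraq\websys\webmail"

def resolve_request(url_path, root=WEB_ROOT):
    """Map a URL path to a file under root; return None if it would escape.

    Hypothetical helper for illustration, not Mailtraq's implementation.
    """
    decoded = unquote(url_path).replace("\\", "/")
    segments = [s for s in decoded.split("/") if s not in ("", ".")]
    for seg in segments:
        # Dot-only segments longer than ".." (the "..." seen in the advisory's
        # second URL) are not collapsed by normpath, so refuse them outright.
        if len(seg) >= 3 and set(seg) == {"."}:
            return None
        # Drive letters, stream separators and NUL bytes do not belong here.
        if ":" in seg or "\x00" in seg:
            return None
    candidate = ntpath.normpath(ntpath.join(root, *segments))
    root_cmp = ntpath.normcase(ntpath.normpath(root))
    cand_cmp = ntpath.normcase(candidate)
    # Containment check on the canonical form: this is what stops "..".
    if cand_cmp != root_cmp and not cand_cmp.startswith(root_cmp + "\\"):
        return None
    return candidate

def respond(url_path, is_file, root=WEB_ROOT):
    """Return (status, body); is_file is injected so the example runs offline."""
    target = resolve_request(url_path, root)
    if target is None:
        return 400, "Bad request"
    if not is_file(target):
        # Missing file or a directory without an index: no listing is
        # generated and the body never echoes the server-side path.
        return 404, "Not found"
    return 200, "OK"  # a real server would stream the file at `target`

# Constructed sample data: the only file this toy server "has".
SAMPLE_FILES = {WEB_ROOT + r"\index.html"}

if __name__ == "__main__":
    for p in ("/index.html", "/./../../../", "/" + "a" * 300):
        print(p[:40], respond(p, SAMPLE_FILES.__contains__))
```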