DESCRIPTION

"602Pro LAN SUITE is an easy-to-install and manage all-in-one server application. Its standards-based SMTP/POP3 e-mail server provides effective e-mail communication without the risk of destructive virus infiltration and productivity robbing unsolicited e-mail. Fax services seamlessly integrate into user mailboxes to unify e-mail and fax message access."

More information at http://www.software602.com.

SUMMARY

PRODUCT: 602Pro LAN SUITE
VENDOR: Software602
AFFECTED VERSIONS: 602Pro LAN SUITE 2003.0.3.0828
SEVERITY:
IDENTIFIER: N/A
TESTED PLATFORM: Windows 2000, Windows XP Professional

Multiple vulnerabilities were found in the LanSuite 2003 software, particularly in the WebMail interface, allowing an attacker to view sensitive information about users and to read arbitrary files on the server.

IMPACT

Sensitive Files Exposure.

Arbitrary File Reading.

DETAILS

[Vulnerability #1] Sensitive Files Exposure

When a user logs in to the LanSuite 2003 WebMail server, m602cl3w.exe creates temporary files and a folder that hold information about the current user, and these are accessible through the LanSuite WebMail interface at http://www.victim.com/mail/. The tempdirs.lst file holds the temporary folder names of current users. Each temporary folder contains two files, MSGlist.mid and MSGlist.mil, which store the Message IDs and the LanSuite users' usernames and mailbox numbers respectively.

[Vulnerability #2] Arbitrary File Reading (requires valid user credentials)

A malicious user can read any file on the server if they have a valid LanSuite WebMail username and password. The executable M602cl3w.exe does not check for the dot-dot-slash sequence (../) when the action "GetFile" is used. For example, a malicious user can read the boot.ini file stored on the server by sending a request like this:

http://www.victim.com/mail/m602cl3w.exe?A=GetFile&U=7921604D7A587937986E24242C0588&DL=0&FN=../../../boot.ini

where "U" is the current user's handle string. The malicious user can also read other users' mail by using the information obtained by exploiting vulnerability #1.

PROOF OF CONCEPT

[Vulnerability #1] Sensitive Files Exposure

Log files are also accessible by anyone at the following location: http://www.victim.com/mail/S030904L.LOG (YY/MM/DD). An attacker may obtain sensitive information such as usernames, users' IP addresses, login times, and so forth. This information could assist in further exploitation.

[Vulnerability #2] Arbitrary File Reading (requires valid user credentials)

For example: http://www.victim.com/mail/m602cl3w.exe?A=GetFile&U=7921604D7A587937986E24242C0588&DL=0&FN=../../mboxes/605e5d4d/2f2284fd.dat
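
A log-review check for the request patterns described under both vulnerabilities, as an added example that is not part of the original advisory or the vendor's code. The /mail/ prefix, file names and the A/FN parameters come from the advisory; decoding URL-encoded and backslash forms of FN goes beyond the literal ../ shown above, and the sample requests are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# File names the advisory lists as exposed under /mail/ (matched case-insensitively).
SENSITIVE = re.compile(r"(^|/)(tempdirs\.lst|msglist\.mi[dl]|[^/]+\.log)$", re.I)

def has_traversal(value):
    """True if any path segment of value is '..', after repeated URL-decoding."""
    for _ in range(3):                      # undo up to three layers of %-encoding
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    segments = re.split(r"[\\/]+", value)   # Windows accepts both separators
    return ".." in segments

def classify(url):
    """Return a sorted list of finding labels for one requested URL."""
    parts = urlsplit(url)
    path = unquote(parts.path)
    if not path.lower().startswith("/mail/"):
        return []
    findings = set()
    if SENSITIVE.search(path):
        findings.add("sensitive-file")
    if path.lower().endswith("/m602cl3w.exe"):
        # Parameter names are matched as written in the advisory (A, FN).
        query = parse_qs(parts.query, keep_blank_values=True)
        if "getfile" in (a.lower() for a in query.get("A", [])):
            if any(has_traversal(fn) for fn in query.get("FN", [])):
                findings.add("getfile-traversal")
    return sorted(findings)

# Constructed sample requests; HANDLE is a placeholder for the U value.
SAMPLES = [
    "/mail/m602cl3w.exe?A=GetFile&U=HANDLE&DL=0&FN=../../../boot.ini",
    "/mail/m602cl3w.exe?A=GetFile&U=HANDLE&DL=0&FN=..%5C..%5Cboot.ini",
    "/mail/m602cl3w.exe?A=GetFile&U=HANDLE&DL=0&FN=report..final.doc",
    "/mail/S030904L.LOG",
    "/mail/tempdirs.lst",
    "/mail/index.html",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, "->", classify(url) or "ok")
```

The third sample shows why the check compares whole path segments: a plain substring search for ".." would flag an ordinary file name.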

VENDOR STATUS

The vendor has verified the issues and released a patch that addresses them. You can download the patch/fixed version at: http://download3.software602.com/ls2003.exe.

CREDIT

Phuong Nguyen

DISCLOSURE TIMELINE

N/A

APPENDIX

N/A

REFERENCES

N/A