TITLE
=====
602Pro Lansuite 2003 - Multiple Vulnerabilities

DESCRIPTION
===========
“602Pro LAN SUITE is an easy-to-install and manage all-in-one server application. Its standards-based SMTP/POP3 e-mail server provides effective e-mail communication without the risk of destructive virus infiltration and productivity robbing unsolicited e-mail. Fax services seamlessly integrate into user mailboxes to unify e-mail and fax message access.”

More information at http://www.software602.com

PROBLEMS
=========
Version : 602PRO LanSuite 2003, build 2003.0.3.0828 (latest build)
Tested Platform : Windows (2K/XP Pro)

The LanSuite 2003 software (WebMail interface) contains multiple vulnerabilities which could allow attackers to view sensitive information about the users (mailbox number, message ID, login time etc.) and read any file on the server.

DETAILS
=======

[Vulnerability #1] Sensitive Files Exposure

When a user logs in to the LanSuite 2003 WebMail server, m602cl3w.exe creates a temporary file and folder holding sensitive information about the current user, and these are accessible through the LanSuite WebMail interface at http://www.victim.com/mail/.

The Tempdirs.lst file holds the temporary folder names of current users. The temporary folder contains two files named MSGlist.mid and MSGlist.mil. Message IDs are written to MSGlist.mid. The username and mailbox number are written to MSGlist.mil.

Log files are also accessible by anyone at:

http://www.victim.com/mail/S030904L.LOG (YY/MM/DD)

An attacker might gain sensitive information such as usernames, users' IPs, login times etc. This information could be useful in assisting further exploitation once the files have been obtained.

[Vulnerability #2] Arbitrary File Reading [requires valid user credentials]

A malicious user can read any file on the server if they have a valid LanSuite WebMail username and password. M602cl3w.exe does check for dot-dot-slash most of the time, but not when the action "GetFile" is used.

For example, a malicious user can read the boot.ini file by sending a request like this:

http://www.victim.com/mail/m602cl3w.exe?A=GetFile&U=7921604D7A587937986E24242C0588&DL=0&FN=../../../boot.ini

where "U" is the current user's handle string.

Malicious users can also read other users' mail by using the information obtained from exploiting vulnerability #1. For example:

http://www.victim.com/mail/m602cl3w.exe?A=GetFile&U=7921604D7A587937986E24242C0588&DL=0&FN=../../mboxes/605e5d4d/2f2284fd.dat

VENDOR STATUS
==============
You can obtain the patch to fix the vulnerabilities above at

http://download3.software602.com/ls2003.exe

Phuong Nguyen
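
Added example, not part of the original advisory or the vendor's code: a Python check that scans web access logs for the two request patterns described above, a GetFile request whose FN value contains a parent-directory segment (also when percent-encoded twice or written with backslashes) and direct fetches of Tempdirs.lst, MSGlist.mid/.mil or the dated .LOG files. The log layout (client address first, request line in double quotes), the assumption that the temporary folders sit under /mail/, the sample lines and the HANDLE placeholder are all constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Files the advisory lists as readable without authentication (Vulnerability #1).
EXPOSED = re.compile(r"/mail/(?:.*/)?(?:tempdirs\.lst|msglist\.mi[dl]|s\d{6}l\.log)$", re.I)
# Assumed log layout: client address first, request line in double quotes.
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+)')

def decode_fully(value, rounds=3):
    """Percent-decode several times so a double-encoded '..' is still seen."""
    for _ in range(rounds):
        value = unquote(value)
    return value

def classify(target):
    """Return 'traversal', 'exposed-file' or None for one request target."""
    parts = urlsplit(target)
    path = decode_fully(parts.path)
    if path.lower().endswith("/m602cl3w.exe"):
        params = {k.upper(): v for k, v in parse_qs(parts.query).items()}
        if any(a.lower() == "getfile" for a in params.get("A", [])):
            for fn in params.get("FN", []):
                # Vulnerability #2: FN must never contain a parent-directory segment.
                if ".." in re.split(r"[\\/]", decode_fully(fn)):
                    return "traversal"
    if EXPOSED.search(path):
        return "exposed-file"
    return None

def scan(lines):
    """Return (client, finding, target) for every flagged log line."""
    hits = []
    for line in lines:
        m = REQUEST.match(line)
        if m and (finding := classify(m.group(2))):
            hits.append((m.group(1), finding, m.group(2)))
    return hits

# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [04/Sep/2003:10:01:02 +0000] "GET /mail/m602cl3w.exe?A=GetFile&U=HANDLE&DL=0&FN=../../../boot.ini HTTP/1.0" 200 211',
    '192.0.2.10 - - [04/Sep/2003:10:01:09 +0000] "GET /mail/m602cl3w.exe?A=GetFile&U=HANDLE&DL=0&FN=%252e%252e%5Cmboxes%5Cx.dat HTTP/1.0" 200 900',
    '192.0.2.11 - - [04/Sep/2003:10:02:00 +0000] "GET /mail/Tempdirs.lst HTTP/1.0" 200 64',
    '192.0.2.11 - - [04/Sep/2003:10:02:05 +0000] "GET /mail/S030904L.LOG HTTP/1.0" 200 4096',
    '192.0.2.12 - - [04/Sep/2003:10:03:00 +0000] "GET /mail/m602cl3w.exe?A=GetFile&U=HANDLE&DL=0&FN=report.doc HTTP/1.0" 200 5000',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```

The last sample line is an ordinary attachment download and is not flagged; a hit on an unpatched build is a reason to review what was returned to that client.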