Title: Lyris ListManager Multiple Flaws
Release Date: December 8, 2005
Patch Date: Unknown (v8.9b resolves most issues)
Reported Date: June 21, 2005
Vendor: Lyris
Systems Affected: Lyris ListManager v5.0-8.8a (most flaws)

Summary:

The Lyris ListManager software is vulnerable to numerous SQL injection, source code disclosure, and authentication bypass flaws. The ListManager software runs on Linux, Solaris, and Windows and can be configured to use one of the following database backends: PostgreSQL, Oracle, and MSSQL/MSDE. These flaws can be used to gain complete access to the ListManager data and often the host server itself.

Vendor Status:

No communication has been received from the vendor since June 24, 2005. Although most of the flaws have been fixed in the latest version, a handful of SQL injection flaws still exist. The vendor did not reply to a status request on November 21, 2005.

Exploit Availability:

A Metasploit Framework module has been developed for the Read Message Attachment SQL Injection flaw: lyris_attachment_mssql. No code is required to exploit the other flaws.

Researcher(s): H D Moore (hdm[at]metasploit.com)

Vulnerability Details:

The Lyris ListManager software provides HTTP, SMTP, and NNTP services for the Linux, Windows, and Solaris platforms. The web interface uses an embedded version of the TCLHTTPd web server, and the administrative tools are web applications written in the TCL scripting language. A number of input validation flaws have been discovered in the TCL scripts, many of which can result in a complete compromise of the hosting system.

New Subscription Administrative Command Injection

The web interface for subscribing a new user to a mailing list (/subscribe/subscribe) accepts a list password parameter (pw). This password parameter is checked for spaces, but is otherwise not sanitized before being placed into a buffer. This buffer is inserted into the processing queue as a new, authenticated command message.
It is possible to use %0A%0D sequences, in combination with a line wrap feature in the command processing engine, to execute arbitrary list administration commands. This flaw has *not* been fixed in the current version (v8.9b).

Read Message Attachment SQL Injection

It is possible to execute arbitrary queries against the backend database by requesting a URL in the following format: /read/attachment/1;DELETE+FROM+TABLENAME;--/3. Depending on the database type, it may be possible to gain remote access to the system through this flaw. This flaw has been fixed in the latest version (8.9b).

Multiple 'orderby' Parameter SQL Injection Flaws

It is possible to supply a SQL "ORDER BY" column to almost every list of items displayed in the web interface. The code which processes this field checks for space and tab characters, but each of the supported databases allows other forms of whitespace. When using the MSSQL/MSDE backend, it is possible to access the xp_cmdshell stored procedure by using newline characters as whitespace and substituting spaces with ASCII 0xFF in the cmd.exe string (the command interpreter treats 0xFF as a space). There are many other ways to exploit this, depending on the database type. This flaw has been fixed in the latest version (8.9b).

MSDE Weak 'sa' Account Password

The MSDE version of the ListManager installer uses a static password of 'lminstall' for the 'sa' user account during the installation process. After the installer finishes, the password is permanently set to 'lyris' followed by a 1 to 5 digit number. This number appears to be the process ID of the installer. This password is trivial to find with a brute-force attack and can lead to an immediate system compromise. This flaw has *not* been fixed in the current version (v8.9b).

TCLHTTPd Status Module Information Disclosure

Some versions of the ListManager software allow requests to the "status" module (/status/) included with TCLHTTPd.
This module returns detailed information about the server configuration. This flaw has been fixed in the latest version (8.9b).

TCLHTTPd %00 TML Source Disclosure

The TCLHTTPd service included with the Lyris ListManager product uses '.tml' files to store server-side TCL code. It is possible to view the source of any TML script by appending a url-encoded NULL byte to the request (/read/.tml%00). The server may request authentication, but this can be bypassed by specifying any username ending in the @ character in conjunction with a bogus password. This flaw has been fixed in the latest version (8.9b).

Error Message Information Disclosure

Older versions of the ListManager software, such as v8.5, place the entire CGI environment into a hidden variable ('env') when a non-existent page is requested. This environment contains the software version and the directory path to the ListManager installation. Newer versions, such as v8.8, no longer dump the environment on 404 responses, but they do provide detailed diagnostic information when an error occurs in a TML script. Many of the TML scripts can be accessed without authentication and disclose information such as the installation path, software version, and often SQL queries and code blocks. An example URL that reproduces the problem is: /read/rss?forum=404. This flaw has *not* been fixed in the current version (v8.9b).

Notes:

Lyris was very reluctant to respond to these issues or communicate with us in any form.

Last Update: Dec 08 2005
Doc Version: 1.0

References:

OSVDB-21547
OSVDB-21548
OSVDB-21549
OSVDB-21550
OSVDB-21551
OSVDB-21552
OSVDB-21559

Copyright © 2003-2005 metasploit.com msfdev[at]metasploit.com
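Added example, not part of the Metasploit advisory and not ListManager's own code: a request-side check in Python that covers two of the points above. First, it contrasts the 'orderby' validation the advisory describes (rejecting only space and tab, so a newline still passes) with an allowlist of column names, which is the mitigation a defender would apply. Second, it flags request lines that match the patterns the advisory describes (a non-numeric attachment id, a NUL byte in the path, the /status/ module, an 'orderby' value outside the allowlist, and CR/LF in the subscribe 'pw' parameter) so they can be found in web-server logs or blocked at a proxy. The column names in ALLOWED_ORDERBY, the /list/subscribers path, and the sample request lines are constructed for the example; only the attachment and .tml%00 URLs come from the advisory.

```python
import re
from urllib.parse import unquote_plus, urlsplit, parse_qsl

# Hypothetical allowlist of column names a list view may sort by; the real
# ListManager column names are not given in the advisory.
ALLOWED_ORDERBY = {"name", "emailaddr", "datejoined"}


def orderby_check_as_described(value: str) -> bool:
    """The check the advisory describes: only space and tab are rejected.
    Newline (and any other whitespace the database accepts) still passes,
    which is why this check does not prevent injection."""
    return " " not in value and "\t" not in value


def orderby_check_allowlist(value: str) -> bool:
    """Hardened form: the column must be one of a fixed set of names,
    optionally followed by a single space and ASC/DESC. Nothing else is
    ever concatenated into the query text."""
    m = re.fullmatch(r"([A-Za-z_]+)( (?:asc|desc))?", value, flags=re.IGNORECASE)
    return bool(m) and m.group(1).lower() in ALLOWED_ORDERBY


def flag_request(request_line: str) -> list:
    """Return the names of the advisory patterns matched by one
    'METHOD TARGET HTTP/x' request line. The target is percent-decoded
    first so that %00, %0A and %0D are examined as the bytes they encode."""
    _method, target, _version = request_line.split(" ", 2)
    parts = urlsplit(target)
    path = unquote_plus(parts.path)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    hits = []

    if "\x00" in path:
        hits.append("nul-byte-in-path")           # .tml%00 source disclosure
    if path == "/status" or path.startswith("/status/"):
        hits.append("tclhttpd-status")            # status module exposure
    m = re.match(r"/read/attachment/([^/]*)", path)
    if m and not m.group(1).isdigit():
        hits.append("attachment-id-not-numeric")  # attachment SQL injection
    ob = params.get("orderby")
    if ob is not None and not orderby_check_allowlist(ob):
        hits.append("orderby-not-allowlisted")
        # Whitespace other than space/tab slipped past the check as described
        if orderby_check_as_described(ob) and re.search(r"\s", ob):
            hits.append("orderby-bypasses-space-tab-check")
    if path.startswith("/subscribe/subscribe"):
        pw = params.get("pw", "")
        if "\r" in pw or "\n" in pw:
            hits.append("crlf-in-list-password")  # command injection vector
    return hits


# Constructed sample request lines; two URLs are quoted from the advisory,
# the rest are made up for the example.
SAMPLE_REQUESTS = [
    "GET /read/attachment/1/3 HTTP/1.0",
    "GET /read/attachment/1;DELETE+FROM+TABLENAME;--/3 HTTP/1.0",
    "GET /read/.tml%00 HTTP/1.0",
    "GET /status/ HTTP/1.0",
    "GET /list/subscribers?orderby=name HTTP/1.0",
    "GET /list/subscribers?orderby=name%0Adesc HTTP/1.0",
    "GET /subscribe/subscribe?pw=abc%0D%0Axyz HTTP/1.0",
]


def scan(lines):
    """Map each request line to the patterns it matched (empty list = clean)."""
    return {line: flag_request(line) for line in lines}


if __name__ == "__main__":
    for line, hits in scan(SAMPLE_REQUESTS).items():
        print(f"{hits or ['-']}\t{line}")
```

The allowlist check deliberately does not try to enumerate "bad" whitespace characters: the advisory's point is that each database backend accepts forms of whitespace the space/tab filter never considered, so the durable fix is to accept only known column names rather than to grow the blacklist.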