COMMAND

    Elron IM

SYSTEMS AFFECTED

    Elron IM

PROBLEM

    Erik Tayler found following.   At least two products of  the Elron
    Internet  Manager  family  of  tools  contain  directory traversal
    vulnerabilities.  The problem exists in the following products:
    - IM Message Inspector
    - IM Anti-Virus

    Elron Internet Manager products that are not vulnerable are:
    - IM Firewall

    IM Web Inspector  has not been  tested.  If  the IM Web  Inspector
    comes with Elron Software's proprietary web server as well, it  is
    undoubtedly vulnerable as well.

    Exact version numbers were not obtained, this can be attributed to
    the tragic loss of 3 VMWare images [it was a painful experience].
    Vulnerabilities were discovered on 2-21-01, so whichever versions
    were current at time of discovery, those are the vulnerable
    versions.

    The problem is within Elron Software's proprietary web server.  It
    does  not  perform  proper   path  checking,  allowing   potential
    intruders  to  perform  basic  directory  traversal  attacks.  For
    example:

        http://63.72.97.3:80/../../../../../../boot.ini will

    in most  cases, return  the specified  file.   In some cases, more
    "../" sequences will be required.

    As a side note,  this method was also  used to obtain a  SAM file.
    Using the GET perl script that comes with the LWP toolset, one can
    do the following:

        GET http://target/../../../../../../winnt/repair/sam._ >sam._

    Then just expand  and begin cracking.   It's doubtful that  anyone
    will encounter much of these,  but just in case, this  was written
    up.

SOLUTION

    The error in this note is now fixed in MI/AV v3.0.4.  In addition,
    The  IM  Web  Inspector  and   IM  Firewall  products  contain   a
    different web server implemention  and have been confirmed  not to
    contain this vulnerability.