mailing list archives
LanSuite 2003 - Multiple Vulnerabilities
From: Phuong Nguyen <dphuong () yahoo com>
Date: Wed, 24 Sep 2003 19:06:02 -0700 (PDT)
602Pro Lansuite 2003 - Multiple Vulnerabilities
602Pro LAN SUITE is an easy-to-install and manage
all-in-one server application. Its standards-based
SMTP/POP3 e-mail server provides effective e-mail
communication without the risk of destructive virus
infiltration and productivity robbing unsolicited
e-mail. Fax services seamlessly integrate into user
mailboxes to unify e-mail and fax message access.
More information at http://www.software602.com
Version : 602PRO LanSuite 2003, build 2003.0.3.0828
Tested Platform : Windows (2K/XP Pro)
Multiple vulnerabilities in the LanSuite 2003 software
(WebMail interface) which could allow attackers to
sensitive information about the users (Mailbox number,
Message ID, Login Time etc...) and read any file on
[Vulnerability #1] Sensitive Files Exposure
When a user logins to LanSuite 2003 WebMail server,
m602cl3w.exe will create a temporary file and folder
holding sensitive information about the current user
and they are accessible through the LanSuite WebMail
interface http://www.victim.com/mail/. Tempdirs.lst
file holds the temporary folder name of current users.
The temporary folder contains two files named
MSGlist.mid and MSGlist.mil. Messages ID are written
to MSGlist.mid file. The username and mailbox number
are written to MSGlist.mil.
Log files are also accessible by anyone at:
Attacker might gain sensitive information of username,
user's IPs, login time etc... This information could
be useful to assist in further exploit once they
obtained the file.
[Vulnerability #2] Arbitrary File Reading [required
valid user credential]
Malicious user can read any file on the server if they
have a valid LanSuite WebMail username and password.
M602cl3w.exe does check for dot-dot-slash most of the
time but not when the action "GetFile" is used. For
example, a malicious user can read the boot.ini file
by sending a request like this:
where "U" is the current user handles string.
Malicious users can also read other user's mails by
using the information they got from exploiting the
You can obatain the patch to fix those vulnerabilities
above at http://download3.software602.com/ls2003.exe
Do you Yahoo!?
Yahoo! SiteBuilder - Free, easy-to-use web site design software
- LanSuite 2003 - Multiple Vulnerabilities Phuong Nguyen (Sep 25)