PT-2011-48: Multiple Vulnerabilities in AtMail

(PT-2011-48) Positive Technologies Security Advisory 
Multiple Vulnerabilities in AtMail

Vulnerable software

Webmail Interface AtMail 
Version: 1.04 and earlier

Application link: 
http://atmail.org/

Severity level

Severity level: High 
Impact: Multiple vulnerabilities 
Access Vector: Network exploitable 

CVSS v2: 
Base Score: 9.0 
Vector: (AV:N/AC:L/Au:S/C:C/I:C/A:C)

CVE: not assigned

Software description

AtMail is an open source webmail client.

Vulnerability description

Specialists from the Positive Technologies Research Center have discovered multiple vulnerabilities in the AtMail webmail interface.

1. Arbitrary File Upload
The application lets a user upload files as attachments to e-mail messages. The file extension is not checked, so arbitrary files, including .php scripts, can be uploaded into a web-accessible directory.
As a result, the file will be available at:
https://localhost/tmp/username@host.com/username@host.com-string-PositiveShell.php

2. Path Traversal
Vulnerability in the file: /compose.php
Vulnerable code fragment:
$var['unique'] = preg_replace('/\.\.\//', '', $var['unique']);
The substring "../" is deleted from the $var['unique'] parameter, but only in a single pass, not repeatedly until no occurrence remains. If the parameter contains the substring "..././", deleting the inner "../" leaves "../" behind.
As a result, Path Traversal attacks are possible.
Exploitation example:
https://localhost/compose.php?func=renameattach&unique=/..././..././..././..././..././..././..././..././..././..././..././..././tmp/positive.test%00&Attachment[]=/../../../../../../../../../etc/passwd

3. Arbitrary File Copying
The application lets a user copy attached files. The name of the source file is not checked, so an arbitrary file can be copied.
The name of the file to be created is not checked for special characters (e.g. null bytes), which lets an attacker create a file with an arbitrary extension.
Furthermore, by combining this with the Path Traversal vulnerability described above, an attacker can create the file in an arbitrary directory.
Vulnerability in the files:
/compose.php
/libs/Atmail/SendMsg.php (the methods "renameattach" and "copyFile")
Exploitation example:
https://localhost/compose.php?func=renameattach&unique=1.txt%00&Attachment[]=/../../../../../../../../../etc/passwd
As a result, the file will be available at:
https://localhost/tmp/username@host.com/username@host.com-1.txt
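The following Python script is an added illustration for items 2 and 3 (it is not part of the advisory and not AtMail code). It reproduces the single-pass "../" filter from compose.php with Python's re module, which treats this pattern exactly as PCRE does, shows how the "..././" input survives it and escapes the user's directory, and contrasts it with a hardened check that rejects traversal, null bytes and unwanted extensions instead of trying to rewrite the name (the same check would also cover the unchecked upload name of item 1). The tmp/<user>/<user>-<unique> layout, the extension allow-list and all sample inputs are assumptions made for the example.

```python
import os
import re

# Mirrors the compose.php filter quoted above: one non-recursive pass
# that deletes every literal "../" from the user-controlled "unique" value.
def atmail_strip_dotdot(unique: str) -> str:
    return re.sub(r'\.\./', '', unique)

# Hypothetical reconstruction of where the filtered value ends up, based
# on the advisory's example URLs (tmp/<user>/<user>-<unique>); the real
# AtMail layout may differ in detail.
def vulnerable_attachment_path(tmp_root: str, user: str, unique: str) -> str:
    return os.path.join(tmp_root, user, f"{user}-{atmail_strip_dotdot(unique)}")

def inside_user_dir(tmp_root: str, user: str, path: str) -> bool:
    """True if the lexically normalised path still lies under tmp/<user>/."""
    user_dir = os.path.normpath(os.path.join(tmp_root, user))
    return os.path.commonpath([user_dir, os.path.normpath(path)]) == user_dir

class UnsafeName(ValueError):
    pass

# Tight allow-lists: no '/', '\', NUL or '%', so neither traversal nor the
# null-byte trick has anything to work with. The extension allow-list is
# an assumed policy for this example, not AtMail's.
_SAFE_UNIQUE = re.compile(r'[A-Za-z0-9_.-]{1,64}')
_SAFE_USER = re.compile(r'[A-Za-z0-9_.@-]{1,128}')
_ALLOWED_EXT = {'.txt', '.pdf', '.png', '.jpg', '.gif', '.zip'}

def hardened_attachment_path(tmp_root: str, user: str, unique: str) -> str:
    """Hardened replacement (added example, not AtMail code): reject
    instead of rewriting, then verify that the resolved path is still
    directly inside the user's own directory."""
    if '\x00' in unique or '\x00' in user:
        raise UnsafeName('NUL byte in name')
    if not _SAFE_UNIQUE.fullmatch(unique) or '..' in unique:
        raise UnsafeName('attachment name contains forbidden characters')
    if not _SAFE_USER.fullmatch(user) or '..' in user:
        raise UnsafeName('user name contains forbidden characters')
    if os.path.splitext(unique)[1].lower() not in _ALLOWED_EXT:
        raise UnsafeName('extension not allowed')
    user_dir = os.path.realpath(os.path.join(tmp_root, user))
    candidate = os.path.realpath(os.path.join(user_dir, f"{user}-{unique}"))
    if os.path.dirname(candidate) != user_dir:   # also catches symlink escapes
        raise UnsafeName('resolved path escapes the user directory')
    return candidate

def hardened_rejects(tmp_root: str, user: str, unique: str) -> bool:
    """Convenience wrapper: True when the hardened check refuses the name."""
    try:
        hardened_attachment_path(tmp_root, user, unique)
    except UnsafeName:
        return True
    return False

if __name__ == '__main__':
    root, user = '/var/www/atmail/tmp', 'username@host.com'
    payload = '..././..././..././etc/passwd'        # constructed attacker input
    print(atmail_strip_dotdot(payload))              # ../../../etc/passwd
    p = vulnerable_attachment_path(root, user, payload)
    print(p, '-> inside user dir:', inside_user_dir(root, user, p))   # False
    print(hardened_attachment_path(root, user, 'report.pdf'))
    for bad in (payload, '1.txt\x00.php', 'shell.php'):
        print(repr(bad), 'rejected:', hardened_rejects(root, user, bad))
```

The hardened version deliberately does not loop the regex until it stops changing: that would still accept absolute paths and anything the allow-list would have caught, and a name that needs rewriting to become safe is better refused outright.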

4. Arbitrary File Reading
The name of the file being read is improperly verified; the filtering mechanism can be bypassed, which allows attackers to read arbitrary files.
Vulnerability in the file: mime.php
Vulnerable code fragment:
$var['src'] = rawurldecode($_REQUEST['file']);
$var['src'] = preg_replace('/^.+[\\\\\\/]/', '', $var['src']); // Don't allow to go down a dir, sanity check
If the file name contains a slash ('/') or a backslash ('\'), everything up to and including the last one is deleted.
However, the regular expression is anchored with ^ and does not use the s modifier, so the dot (.) does not match a line feed. If the file name starts with %0a (line feed), .+ cannot match at the beginning of the string, the whole pattern fails, and nothing is removed; the remainder of the name, including its "../" sequences, is used as-is.
Exploitation example:
https://localhost/mime.php?file=%0A/../../../../../../../../../etc/passwd&name=positive.html
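The following Python script is an added illustration of item 4 (not part of the advisory and not AtMail code). It reproduces the anchored mime.php regex with Python's re module, whose dot and ^ semantics match PCRE's without the s and m modifiers, shows that a leading line feed leaves the "../" sequences untouched, shows what the one-flag fix (the s modifier, DOTALL in Python) would do, and contrasts both with a hardened name check that never depends on regex line semantics. The attachment directory, the way the cleaned name is joined onto it, and the sample inputs are assumptions made for the example.

```python
import os
import re

# Mirrors the mime.php filter quoted above. Python's re follows the same
# rules as PCRE here: without DOTALL (PCRE /s) the dot does not match a
# line feed, and without MULTILINE the ^ anchor matches only at offset 0.
_ATMAIL_STRIP = re.compile(r'^.+[\\/]')

def atmail_sanitise(file_param: str) -> str:
    return _ATMAIL_STRIP.sub('', file_param)

# The advisory's own observation applied as a one-flag fix: with /s the
# dot also matches the line feed, so the whole prefix is stripped.
_STRIP_WITH_S = re.compile(r'^.+[\\/]', re.DOTALL)

def sanitise_with_s_flag(file_param: str) -> str:
    return _STRIP_WITH_S.sub('', file_param)

# Hypothetical reconstruction of how the cleaned name is used: joined onto
# the user's attachment directory and opened. Returns the lexically
# normalised path that would be read, without touching the disk.
def vulnerable_read_path(attach_dir: str, file_param: str) -> str:
    return os.path.normpath(os.path.join(attach_dir, atmail_sanitise(file_param)))

class UnsafeName(ValueError):
    pass

def hardened_file_name(file_param: str) -> str:
    """Hardened replacement (added example, not AtMail code): keep only the
    last component after either separator, refuse control characters
    instead of relying on regex line semantics, and reject empty or
    dot-only names."""
    if any(ord(c) < 0x20 or ord(c) == 0x7f for c in file_param):
        raise UnsafeName('control character in file name')
    name = re.split(r'[\\/]', file_param)[-1]
    if name in ('', '.', '..'):
        raise UnsafeName('empty or dot-only file name')
    return name

def hardened_read_path(attach_dir: str, file_param: str) -> str:
    base = os.path.realpath(attach_dir)
    candidate = os.path.realpath(os.path.join(base, hardened_file_name(file_param)))
    if os.path.dirname(candidate) != base:   # defence in depth, e.g. symlinks
        raise UnsafeName('resolved path leaves the attachment directory')
    return candidate

def hardened_rejects(attach_dir: str, file_param: str) -> bool:
    """Convenience wrapper: True when the hardened check refuses the name."""
    try:
        hardened_read_path(attach_dir, file_param)
    except UnsafeName:
        return True
    return False

if __name__ == '__main__':
    attach_dir = '/var/www/atmail/tmp/username@host.com'
    payload = '\n/../../../../../../etc/passwd'      # constructed: %0A then six "../"
    print(repr(atmail_sanitise(payload)))            # unchanged: the regex never matched
    print(vulnerable_read_path(attach_dir, payload))  # /etc/passwd
    print(atmail_sanitise('folder/sub/file.html'))    # file.html
    print(sanitise_with_s_flag(payload))              # passwd
    print(hardened_file_name('folder\\sub/file.html'))  # file.html
    print('rejected:', hardened_rejects(attach_dir, payload))   # True
```

Adding the s modifier closes this particular bypass, but the hardened version is preferable: taking the last path component is not a matter of regex flags, and control characters in a file name have no legitimate use here, so refusing them removes a whole class of encoding tricks rather than one.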

5. Sensitive Information Disclosure
The file info.php calls the function phpinfo(), which discloses details of the server and PHP configuration, and is reachable without authentication at: https://localhost/install/info.php

How to fix

Update the software to the latest version.

Advisory status

06.12.2011 - Vendor is notified
06.02.2012 - Vulnerability details were sent to CERT
26.03.2012 - Vendor releases fixed version and details
26.03.2012 - Public disclosure

Credits

The vulnerability was discovered by Sergey Scherbel, Positive Research Center (Positive Technologies Company)

References

http://en.securitylab.ru/lab/PT-2011-48
http://www.kb.cert.org/vuls/id/743555

Reports on the vulnerabilities previously discovered by Positive Research:

http://ptsecurity.com/research/advisory/
http://en.securitylab.ru/lab/

About Positive Technologies

Positive Technologies www.ptsecurity.com is among the key players in the IT security market in Russia.

The principal activities of the company include the development of integrated tools for information security monitoring (MaxPatrol); providing IT security consulting services and technical support; and the development of Securitylab, the leading Russian information security portal.

Among the clients of Positive Technologies, there are more than 40 state enterprises, more than 50 banks and financial organizations, 20 telecommunication companies, more than 40 plant facilities, as well as IT, service and retail companies from Russia, the CIS countries, the Baltic States, China, Ecuador, Germany, Great Britain, Holland, Iran, Israel, Japan, Mexico, the Republic of South Africa, Thailand, Turkey, and the USA.

Positive Technologies is a team of highly skilled developers, advisers and experts with years of vast hands-on experience. The company specialists possess professional titles and certificates; they are the members of various international societies and are actively involved in the IT security field development.