TITLE
=====
602Pro Lansuite 2003 - Multiple Vulnerabilities

DESCRIPTION
===========
“602Pro LAN SUITE is an easy-to-install and manage
all-in-one server application. Its standards-based
SMTP/POP3 e-mail server provides effective e-mail
communication without the risk of destructive virus
infiltration and productivity robbing unsolicited
e-mail. Fax services seamlessly integrate into user
mailboxes to unify e-mail and fax message access.”

More information at http://www.software602.com

PROBLEMS
=========
Version      : 602PRO LanSuite 2003, build 2003.0.3.0828
(latest build)
Tested Platform    : Windows (2K/XP Pro)

Multiple vulnerabilities in the LanSuite 2003 software
(WebMail interface) which could allow attackers to
view
sensitive information about the users (Mailbox number,
Message ID, Login Time etc...) and read any file on
the server.

DETAILS
=======
[Vulnerability #1] Sensitive Files Exposure

When a user logins to LanSuite 2003 WebMail server,
m602cl3w.exe will create a temporary file and folder
holding sensitive information about the current user
and they are accessible through the LanSuite WebMail
interface http://www.victim.com/mail/. Tempdirs.lst
file holds the temporary folder name of current users.
The temporary folder contains two files named
MSGlist.mid and MSGlist.mil. Messages ID are written
to MSGlist.mid file.  The username and mailbox number
are written to MSGlist.mil.

Log files are also accessible by anyone at:
http://www.victim.com/mail/S030904L.LOG (YY/MM/DD).
Attacker might gain sensitive information of username,
user's IPs, login time etc... This information could
be useful to assist in further exploit once they
obtained the file.


[Vulnerability #2] Arbitrary File Reading [required
valid user credential]

Malicious user can read any file on the server if they
have a valid LanSuite WebMail username and password.
M602cl3w.exe does check for dot-dot-slash most of the
time but not when the action "GetFile" is used. For
example, a malicious user can read the boot.ini file
by sending a request like this:

http://www.victim.com/mail/m602cl3w.exe?A=GetFile&U=7921604D7A587937986E24242C0588&DL=0&FN=../../../boot.ini
where "U" is the current user handle’s string.
Malicious users can also read other user's mails by
using the information they got from exploiting the
vulnerability #1. 

For example: 
http://www.victim.com/mail/m602cl3w.exe?A=GetFile&U=7921604D7A587937986E24242C0588&DL=0&FN=../../mboxes/605e5d4d/2f2284fd.dat

VENDOR STATUS
==============
You can obatain the patch to fix those vulnerabilities
above at http://download3.software602.com/ls2003.exe

Phuong Nguyen

__________________________________
Do you Yahoo!?
Yahoo! SiteBuilder - Free, easy-to-use web site design software
http://sitebuilder.yahoo.com