
602ProLanSuite - Multiple Vulnerabilities

Description

"602Pro LAN SUITE is an easy-to-install and manage all-in-one server application. Its standards-based SMTP/POP3 e-mail server provides effective e-mail communication without the risk of destructive virus infiltration and productivity robbing unsolicited e-mail. Fax services seamlessly integrate into user mailboxes to unify e-mail and fax message access."

More information at http://www.software602.com

Summary

Product: 602Pro LAN SUITE
Severity:
Vendor: Software602
Identifier: N/A
Affected Versions: 602Pro LAN SUITE 2003.0.30828
Tested Platform: Windows 2000, Windows XP Professional

Multiple vulnerabilities were found in the LanSuite 2003 software, particularly in the WebMail interface, allowing an attacker to view sensitive information about users and to read arbitrary files on the server.

Impact

Sensitive Files Exposure,

Arbitrary File Reading.

Detail

[Vulnerability #1] Sensitive Files Exposure

The WebMail application inside the LanSuite server, WGKC.lbs.exe, creates temporary files and folders that hold information about the current user, and these are accessible through the LanSuite WebMail interface at http://www.victim.com/mail/. The Temp{ip_list} file holds the temporary folder names of current users. A malicious user who has a valid LanSuite WebMail username and password can read any file on the server, provided they can guess the names of temporary files, domain names, usernames and mailbox numbers respectively.

[Vulnerability #2] Arbitrary File Reading (required valid user credentials)

A malicious user can read any file on the server if they have a valid LanSuite WebMail username and password. The executable WGKC.lbs.exe does not check for the dot-dot-slash sequence '../' when the action "GetFile" is used. For example, a malicious user can read the boot.ini file stored on the server by sending a request like this:

http://www.victim.com/mail/WGKC.lbs.exe?t=getfile&s&file=1b6505745397798623429cC0358&f5=c:\/MFRC_.././boot.ini

where "U" is the current user's handle string. A malicious user can also read other users' mail by using vulnerability #1.

Proof of Concept

[Vulnerability #1] Sensitive Files Exposure

Log files are also accessible by anyone through the following location http://www.victim.com/mail/LOGYYMMDDhhii. The attacker may get a hold of sensitive information, such as usernames, users' IP addresses, login time, and so forth. This information could be useful to assist in further attacks.

[Vulnerability #2] Arbitrary File Reading (required valid user credentials)

For example: http://www.victim.com/mail/WGKC.lbs.exe?t=GetFile&U=792166405745397798623429cC0358&f5=c:\/MFRC_./../browser/606e5da62087d6f4.dat
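An added example (not part of the original advisory or of the vendor's patch): a log-review check for the GetFile requests described above. It resolves the f5 value with Windows path rules and flags any request that lands outside the attachment directory. BASE_DIR, the log format and the sample lines are assumptions constructed for illustration.

```python
import ntpath
import re
from urllib.parse import parse_qs, urlsplit

# Hypothetical attachment root; the advisory does not give the real layout.
BASE_DIR = r"C:\LanSuite\Mail\Temp"
REQUEST_RE = re.compile(r'"GET (\S+) HTTP/[\d.]+"')

def is_contained(f5, base_dir=BASE_DIR):
    """True only if f5, resolved with Windows path rules, stays under base_dir."""
    if "\x00" in f5:
        return False
    # ntpath.join drops base_dir when f5 is absolute or carries a drive letter,
    # so such values resolve outside the root and fail the prefix check below.
    resolved = ntpath.normcase(ntpath.normpath(ntpath.join(base_dir, f5)))
    root = ntpath.normcase(ntpath.normpath(base_dir))
    return resolved.startswith(root + "\\")

def suspicious_getfile_requests(log_lines):
    """Return (line_no, f5) for GetFile requests whose f5 escapes BASE_DIR."""
    hits = []
    for line_no, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        query = parse_qs(urlsplit(match.group(1)).query)  # percent-decodes values
        params = {key.lower(): values[0] for key, values in query.items()}
        if params.get("t", "").lower() != "getfile" or "f5" not in params:
            continue
        if not is_contained(params["f5"]):
            hits.append((line_no, params["f5"]))
    return hits

# Constructed log lines. The f5 values on lines 1 and 3 are the ones quoted in
# the advisory; HANDLE stands in for the user handle string.
SAMPLE_LOG = [
    r'192.0.2.10 - - "GET /mail/WGKC.lbs.exe?t=getfile&U=HANDLE&f5=c:\/MFRC_.././boot.ini HTTP/1.0" 200',
    r'192.0.2.11 - - "GET /mail/WGKC.lbs.exe?t=GetFile&U=HANDLE&f5=attachment1.dat HTTP/1.0" 200',
    r'192.0.2.10 - - "GET /mail/WGKC.lbs.exe?t=GetFile&U=HANDLE&f5=c:\/MFRC_./../browser/606e5da62087d6f4.dat HTTP/1.0" 200',
    r'192.0.2.12 - - "GET /mail/WGKC.lbs.exe?t=GetFile&U=HANDLE&f5=..%5C..%5Cboot.ini HTTP/1.0" 200',
    r'192.0.2.11 - - "GET /mail/WGKC.lbs.exe?t=Inbox&U=HANDLE HTTP/1.0" 200',
]

if __name__ == "__main__":
    for line_no, f5 in suspicious_getfile_requests(SAMPLE_LOG):
        print(f"line {line_no}: f5 resolves outside {BASE_DIR}: {f5!r}")
```

The same containment test, applied to the resolved path before the file is opened, is the usual server-side check for this class of bug.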

Vendor Status

Vendor has verified and released a patch that addresses the issues. You can download the patch/fixed version at: http://download3.software602.com/ls/2003.eea

Disclosure Timeline

N/A

Credit

Phuong Nguyen (ECQ)

Appendix

N/A

References

N/A