Gordano GMS - Multiple Vulnerabilities

.:: DESCRIPTION ::.
"Gordano Messaging Suite is the powerful messaging server running on Windows, Linux, Solaris and AIX. It is being used by over twenty four thousand customers, in more than ninety countries, covering all sectors (Airlines, Government Agencies, Education, Industry, etc..)"

Gordano Messaging Suite is being widely used by some major organizations such as Compaq, Xerox, NASA, Cisco System, AT&T, FedEx.

More information at http://www.gordano.com

.:: SUMMARY ::.
Affected Version : Gordano Messaging Suite version 9, build 3138 (latest build)
Tested Platform : Windows 2000, Windows XP Professional, Linux (x86)

E-CQURITY found several security flaws in the software that, if exploited by an attacker, result in a denial of service against the GMS application and disclosure of sensitive information.

.:: DETAILS ::.
[Vulnerability #1] Remote DoS

The program x:\/bin/WWW.exe listens on the following ports to provide the GMS Administration, WebMail Professional, WebMail Express, WebMail Mobile, Instant Messaging, and Web Server services to users: 80, 8000, 8025, 8081, 8888, 9000. Sending a request such as /../.. to the GMS Web Server on port 80 causes the WWW.exe process to terminate, and every service that WWW.exe provides shuts down immediately.

~$ telnet 192.168.1.69
Trying 192.168.1.69...
Connected to 192.168.1.69
Escape character is '^]'.
GET /../.. HTTP/1.0

Connection closed by foreign host.

On Linux, the request does not terminate the /gordano/bin/WWW process, but the connection never times out. If an attacker opens 15-20 connections that each send a /../.. request, that will probably be enough to keep the GMS Server busy and deny service to other legitimate users.

Restarting the service is needed in order to gain normal functionality.
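Both variants of this flaw show up in the web server's access log as request targets that climb above the document root, and the Linux variant additionally shows up as the same client repeating that request. The detector below is an added example, not part of the advisory or of GMS: it parses a constructed, common-log-style format (the log lines, the client addresses and the `repeat_threshold` default are assumptions), flags every request whose target escapes the root after percent-decoding, and lists clients that repeated such requests.

```python
"""Flag path-traversal request targets and repeat offenders in access logs.

Added example for the GMS advisory.  The log format and the sample lines are
constructed; GMS's real log layout is not documented on the page.
"""
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample: "<client> \"<request line>\" <status>".
SAMPLE_LOG = """\
192.168.1.10 "GET /webmail/index.mml HTTP/1.0" 200
192.168.1.50 "GET /../.. HTTP/1.0" 400
192.168.1.50 "GET /../.. HTTP/1.0" 400
192.168.1.50 "GET /a/../../.. HTTP/1.0" 400
192.168.1.10 "GET /admin/reports/alertlist.mml HTTP/1.0" 200
192.168.1.50 "GET /..%2f..%2f HTTP/1.0" 400
"""

LINE_RE = re.compile(
    r'^(?P<src>\S+) "(?P<method>\S+) (?P<target>\S+) (?P<version>[^"]+)" (?P<status>\d+)$'
)


def escapes_root(target):
    """True if the request target resolves above the document root.

    The target is percent-decoded first so encoded dots and slashes are seen.
    A running depth counter is used instead of posixpath.normpath, because
    normpath silently collapses '/../..' to '/' and would hide exactly the
    pattern we are looking for.
    """
    path = unquote(target.split("?", 1)[0])
    depth = 0
    for segment in path.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def scan(log_text, repeat_threshold=3):
    """Return (flagged, noisy).

    flagged: list of (client, target) for every traversal-style request.
    noisy:   sorted clients that sent at least repeat_threshold such requests,
             i.e. the many-connection pattern the Linux build suffers from.
             The threshold of 3 is an assumption for the sample; the advisory
             mentions 15-20 connections in practice.
    """
    flagged = []
    per_client = Counter()
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # skip lines that do not fit the constructed format
        if escapes_root(match["target"]):
            flagged.append((match["src"], match["target"]))
            per_client[match["src"]] += 1
    noisy = sorted(c for c, n in per_client.items() if n >= repeat_threshold)
    return flagged, noisy


if __name__ == "__main__":
    hits, repeaters = scan(SAMPLE_LOG)
    for client, target in hits:
        print(f"traversal request from {client}: {target}")
    print("repeat offenders:", repeaters)
```

Feeding the real log through `scan` with a threshold near the connection count the advisory cites gives an alert on the Linux exhaustion pattern; on Windows a single flagged line followed by the process exiting is the signal.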

[Vulnerability #2] Information Disclosure [requires valid user credentials]

The script alertlist.mml provides information about users who have logged in to the GMS Server and discloses information useful to an attacker, such as usernames, domains, login times, and so on. It is supposed to be accessible to the GMS Server's Administrator only, but a normal WebMail user can also access the script without logging in as an admin. The script is normally accessed through http://www.victim.com:8000/admin/reports/alertlist.mml
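The missing control here is a role check enforced on the path, independent of whatever the script itself does. The guard below is an added example and not GMS code: it treats everything under /admin/ as administrator-only (the prefix list, the `Session` object and the user names are assumptions; only the alertlist.mml path comes from the advisory), and it canonicalises the request path first so percent-encoding, `..` segments and case differences on Windows cannot route around the check.

```python
"""Deny-by-default guard for administrator-only paths.

Added example for the GMS advisory; the session model and ADMIN_PREFIXES are
assumptions, not part of the product.
"""
import posixpath
from dataclasses import dataclass
from urllib.parse import unquote

# Path prefixes that only an administrator may reach (assumed layout).
ADMIN_PREFIXES = ("/admin/",)


@dataclass(frozen=True)
class Session:
    username: str
    domain: str
    is_admin: bool


def canonical_path(raw_path):
    """Percent-decode, collapse '.'/'..' segments, and lower-case the path.

    Lower-casing matters because the Windows build serves files
    case-insensitively, so /Admin/ and /admin/ reach the same script.
    """
    decoded = unquote(raw_path.split("?", 1)[0])
    if not decoded.startswith("/"):
        decoded = "/" + decoded
    return posixpath.normpath(decoded).lower()


def authorize(session, raw_path):
    """Return the HTTP status the front end should answer with.

    401: no authenticated session at all.
    403: authenticated, but a non-admin asked for an admin-only path.
    200: allowed through to the script.
    """
    if session is None:
        return 401
    path = canonical_path(raw_path)
    if path.startswith(ADMIN_PREFIXES) and not session.is_admin:
        return 403
    return 200


if __name__ == "__main__":
    user = Session("alice", "example.com", is_admin=False)
    admin = Session("postmaster", "example.com", is_admin=True)
    for who, target in [
        (user, "/admin/reports/alertlist.mml"),
        (user, "/webmail/../Admin/reports/alertlist.mml"),
        (admin, "/admin/reports/alertlist.mml"),
        (user, "/webmail/inbox.mml"),
    ]:
        print(who.username, target, "->", authorize(who, target))
```

The check is placed in front of the script rather than inside it so that a report page which forgets to verify the caller's role, as alertlist.mml does, is still unreachable to ordinary WebMail users.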

.:: VENDOR STATUS ::.
The vendor has verified the issues and released a patch that addresses them.

Linux users can download the patch here:
ftp://ftp.gordano.com/gms/3138/hotfixes/h20030905/linux/www_h20030905.zip
The patch for Windows users is available here:
ftp://ftp.gordano.com/gms/3138/hotfixes/h20030905/windows/www_h20030905.zip

.:: AUTHOR ::.
Phuong Nguyen
