This article applies to:
- MailMarshal SMTP
- MailMarshal Exchange
- MailMarshal vulnerable to Directory Traversal attacks when unpacking .ARJ archives
- Marshal Issue MM-151
A vulnerability exists in the unpacking routines used in MailMarshal to un-compress .ARJ archive files.
Due to incorrect sandboxing of extracted filenames that contain directory traversal modifiers such as "../", an attacker could potentially cause an executable to be created in an arbitrary location.
While existing files cannot be overwritten, an attacker could leverage this vulnerability in a number of ways. For example, a malicious binary could be written in the "all users" startup folder.
To eliminate this vulnerability, take one of the following actions. For assistance, contact Trustwave Technical Support (email@example.com):
- Upgrade to the latest version of MailMarshal SMTP or MailMarshal Exchange. This vulnerability was eliminated with a code change in the following versions:
Replace the vulnerable version of the ARJ unpacker with the latest version available from Marshal. The latest version is attached to this knowledge base article. To replace it, stop the Engine service on all MailMarshal nodes, navigate to the MailMarshal installation directory, and rename the existing unarj.exe to unarj.exe.old. Move the updated file into the MailMarshal installation directory and restart the Engine service.
- MailMarshal SMTP 2006, release 6.1.8.
- MailMarshal Exchange, release 5.1.1.
Create a separate disk partition (drive letter) used only for the MailMarshal unpacking folders. This solution will prevent unpacking applications from creating any files in a location outside the unpacking folders. This solution has the added benefit of improving MailMarshal performance.
Run the MailMarshal Engine service using a Microsoft Windows account that has no rights to create files or folders outside of the MailMarshal unpacking folders. This solution requires folder security to be set correctly on all other folders on the server.
A fix for the vulnerability in MailMarshal SMTP 5.5 will be included in the next service release. Until that release is issued, action 2 above is recommended for MailMarshal SMTP sites that are unable to upgrade to the latest version.
This vulnerability represents a serious potential threat to the security of MailMarshal servers and the networks they protect.
Note: Marshal is not aware of any active attempts against MailMarshal servers, or any customer impacts from this vulnerability.
Marshal appreciates the cooperation of an Anonymous Security Researcher working with TippingPoint and the Zero Day Initiative in identifying this issue.
Marshal Product Security Contact Information
Marshal takes the security and proper functionality of its products very seriously. Please contact firstname.lastname@example.org if you feel you have discovered a potential or actual security issue with a Marshal product.