FIX: MailMarshal Vulnerability to ARJ Directory Traversal Attacks

Expand / Collapse
 

FIX: MailMarshal Vulnerability to ARJ Directory Traversal Attacks


This article applies to:

  • MailMarshal SMTP
  • MailMarshal Exchange

Symptoms:

  • MailMarshal vulnerable to Directory Traversal attacks when unpacking .ARJ archives
  • ZDI-CAN-003
  • CVE-2006-5487
  • ADV-2006-4457
  • Marshal Issue MM-151

Causes:

A vulnerability exists in the unpacking routines used in MailMarshal to un-compress .ARJ archive files.

Due to incorrect sandboxing of extracted filenames that contain directory traversal modifiers such as "../", an attacker could potentially cause an executable to be created in an arbitrary location.

While existing files cannot be overwritten, an attacker could leverage this vulnerability in a number of ways. For example, a malicious binary could be written in the "all users" startup folder.

Resolution:

To eliminate this vulnerability, take one of the following actions. For assistance, contact Trustwave Technical Support (support@marshal.com):

  1. Upgrade to the latest version of MailMarshal SMTP or MailMarshal Exchange. This vulnerability was eliminated with a code change in the following versions: 
    • MailMarshal SMTP 2006, release 6.1.8.
    • MailMarshal Exchange, release 5.1.1.
  2. Replace the vulnerable version of the ARJ unpacker with the latest version available from Marshal. The latest version is attached to this knowledge base article. To replace it, stop the Engine service on all MailMarshal nodes, navigate to the MailMarshal installation directory, and rename the existing unarj.exe to unarj.exe.old. Move the updated file into the MailMarshal installation directory and restart the Engine service.
  3. Create a separate disk partition (drive letter) used only for the MailMarshal unpacking folders. This solution will prevent unpacking applications from creating any files in a location outside the unpacking folders. This solution has the added benefit of improving MailMarshal performance.
  4. Run the MailMarshal Engine service using a Microsoft Windows account that has no rights to create files or folders outside of the MailMarshal unpacking folders. This solution requires folder security to be set correctly on all other folders on the server.

A fix for the vulnerability in MailMarshal SMTP 5.5 will be included in the next service release. Until that release is issued, action 2 above is recommended for MailMarshal SMTP sites that are unable to upgrade to the latest version.

Notes:

Threat Assessment
This vulnerability represents a serious potential threat to the security of MailMarshal servers and the networks they protect.

Note: Marshal is not aware of any active attempts against MailMarshal servers, or any customer impacts from this vulnerability.

Credit
Marshal appreciates the cooperation of an Anonymous Security Researcher working with TippingPoint and the Zero Day Initiative in identifying this issue.

Marshal Product Security Contact Information
Marshal takes the security and proper functionality of its products very seriously. Please contact support@marshal.com if you feel you have discovered a potential or actual security issue with a Marshal product.


To contact Trustwave about this article or to request support:


Rate this Article:
     

Attachments



Add Your Comments


Comment submission is disabled for anonymous users.
Please send feedback to Trustwave Technical Support or the Webmaster
.

Details
Article ID: 11450
Last Modified: 7/24/2008
Type: FIX
Rated 1 star based on 12 votes.
Article has been viewed 14,200 times.
Options