Public Release for ScanMail Vulnerability
I was not sure whether to release this one or not, but apparently I did.
While reading
http://www.trendmicro.com/ftp/documentation/guides/smd3-admin-guide.pdf
starting at page 108, things became interesting. What if some admin did not
follow the guide?
On a Lotus Domino server, Trend ScanMail can be installed as the server's
antivirus. According to the guide, some interesting templates enable the
administrator to control ScanMail through a web-enabled interface. These
templates are smency.nsf, smconf.nsf, smvlog.nsf, smquar.nsf, smmsg.nsf,
smtime.nsf, smhelp.nsf and smftypes.nsf.
I coded a quick scanner that searches for these files using NASL/Nessus:
http://cgi.nessus.org/plugins/dump.php3?id=14312
Thanks to the guys at Nessus for upgrading my original script.
Anyway, these files in general can allow you to:
- Gather more information about the target system.
- Edit/delete virus pattern files, then email your own trojanized emails, which will be treated by victims as trusted scanned email.
- With some tweaking, upload a web-shell script and increase your access.
Tools Released
- Check for most of the Lotus server templates in general.
  If the URL is not found, then Risk Clear.
  If found but password protected, then Risk Low.
  If found with no protection, then Risk High.
  It also checks for dying servers and firewall-protected HTTP error messages.
- http://cgi.nessus.org/plugins/dump.php3?id=14312
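The risk triage described for the template checker, written out as an added example for auditing your own Domino server (this is not the released tool or the Nessus plugin). The function names, the login-form heuristic and the mapping of 403/5xx responses to "inconclusive" are assumptions; the sample responses are constructed.

```python
# Added example: risk triage for ScanMail template databases on a Domino server.
from typing import Callable, Dict, Tuple

# Template names listed in the advisory.
TEMPLATES = ["smency.nsf", "smconf.nsf", "smvlog.nsf", "smquar.nsf",
             "smmsg.nsf", "smtime.nsf", "smhelp.nsf", "smftypes.nsf"]

Response = Tuple[int, Dict[str, str], str]  # (status, headers, body)

def classify(status: int, headers: Dict[str, str], body: str) -> str:
    """Map one HTTP response to the advisory's risk levels."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    if status == 404:
        return "clear"                      # URL not found
    if status == 401 or "www-authenticate" in hdrs:
        return "low"                        # HTTP authentication required
    # Assumption: session-based auth answers 200 with an HTML login form.
    if status == 200 and 'type="password"' in body.lower():
        return "low"
    if status == 200:
        return "high"                       # database served with no protection
    # Assumption: 403, 5xx and the like mean a firewall block or failing server.
    return "inconclusive"

def audit(fetch: Callable[[str], Response]) -> Dict[str, str]:
    """Classify every template path using the supplied fetch(path) callable."""
    return {name: classify(*fetch("/" + name)) for name in TEMPLATES}

# Constructed sample responses (not captured from a real server).
SAMPLE = {
    "/smconf.nsf": (200, {"Content-Type": "text/html"},
                    "<html>ScanMail Configuration</html>"),
    "/smquar.nsf": (401, {"WWW-Authenticate": 'Basic realm="/"'}, ""),
    "/smvlog.nsf": (200, {}, '<form action="/names.nsf?Login">'
                             '<input type="password" name="Password"></form>'),
    "/smmsg.nsf": (503, {}, "Service Unavailable"),
}

def sample_fetch(path: str) -> Response:
    return SAMPLE.get(path, (404, {}, "Not Found"))

if __name__ == "__main__":
    for name, risk in audit(sample_fetch).items():
        print(f"{name:14} {risk}")
```

Any database reported as "high" should have its ACL tightened so that anonymous web access is denied.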
To read more about the templates you can target:
http://it.trendmicro-europe.com/enterprise/support/knowledge_base_detail.php?solutionId=19621
Updated section on 10th Nov 2004: References
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1003
- http://securitytracker.com/alerts/2004/Nov/1012082.html
- http://www.securityfocus.com/bid/11612
- http://xforce.iss.net/xforce/xfdb/17962