Weakness in GoldMine(tm) Email Manager allows arbitrary code execution
Systems: GoldMine 5.x, 5.70 and 6.00 prior to version 30503
Vulnerable: 5.xx, 5.70.11111, 5.70.20404, 6.00.21021, 6.00.30203, 6.00.30403
Not Vulnerable: 5.70.30503, 6.00.30503
Severity: Serious
Category: Arbitrary Execution of Code of Hacker's Choice
Classification: Input Validation Error
BugTraq-ID: 7741
CVE-Number: CAN-2003-0241
Remote Exploit: yes
Local Exploit: no
Vendor URL: www.frontrange.com
Author: Michael S. Scheidell, SECNAP Network Security
Original Release date: May 29th, 2003
Updated: June 05, 2003 - Added BugTraq-ID and reference to older versions
Notifications: FrontRange(tm) notified April 27th, 2003; fix released May
29th, 2003
Discussion: (From FrontRange web site)
Quickly and easily equips professionals, SOHOs (Small Offices/Home Offices), small businesses and teams with automated customer/contact
management and workgroup tools.
Problem: By sending a specially crafted email to a user who opens it with
the GoldMine mail agent, a hacker can run arbitrary code of the hacker's
choice on the user's computer. This includes remote trojans, IRC zombies,
spyware, malware, remote key loggers, or any other program the hacker
chooses.
This program will be running inside the corporate network, behind the
firewall, and can access anything the infected user has access to.
The GoldMine mail agent does not even render HTML email in the 'security
zone' as Microsoft(tm) Outlook does; it passes anything that looks like
HTML, unrestricted, directly to the default browser (usually IE), where it
is executed.
The user does not even have to open the email: the default 'preview' option
passes the first few lines of the email to IE, which is enough to trigger
the exploit. In fact, just highlighting the email in order to delete it
could trigger the exploit.
The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CAN-2003-0241 to this issue. This is a candidate for inclusion in the CVE
list (<http://cve.mitre.org>), which standardizes names for security
problems.
Exploit: No exploit is necessary, as there are already examples in viruses
and trojans that were designed to attack Microsoft Outlook and Outlook
Express.
Microsoft fixed these by patching both readers and allowing the user to
set the security zone for reading HTML email in the 'insecure' settings.
To see an exhaustive list of what can happen when email is passed to IE,
see <http://www.guninski.com/browsers.html>
Vendor Response: FrontRange immediately verified the existence of this
vulnerability, created a patch and scheduled its release as soon as QA
testing was done. FrontRange is concerned about its users' security and
has issued a patch on May 29th for their current 6.0 version, as well as
their legacy 5.70 version.
Solution: FrontRange advises its clients to upgrade to the latest version of
GoldMine Business Contact Manager. Please see the FrontRange support page
for more information: <http://support.frontrange.com/>.
SECNAP has tested the FrontRange-provided solution on 5.70.30503, and it now
runs HTML through the IE Restricted security zone, just like Outlook and
Outlook Express. If you still fail the test, check the IE Restricted
security zone settings.
Workaround:
If you cannot upgrade, then you should immediately disable IE as the email
viewer, in "Edit >> Preferences >> Internet >> More Options >> Advanced".
Administrators can change user preferences from "File >> Configure >> User
Settings", or by editing each user's ini file and setting EmailReaderType
to 1 in the [Internet] section:
[Internet]
EmailReaderType=1
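An added example, not from the advisory or from FrontRange, for checking the workaround across many user ini files: a small parser for the [Internet] section that reports whether EmailReaderType is set to 1 and, where it is not, rewrites just that setting. It assumes the ini file is plain INI text the caller has already read and that 1 is the only value this advisory confirms as the workaround; the file's location and the meaning of other values are not stated on the page.

```python
import re

# Section/key names come from the advisory's workaround; the ini file's
# location is not stated on the page, so callers pass text they already read.
SECTION, KEY, SAFE_VALUE = "internet", "emailreadertype", "1"
_SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
_KEY_RE = re.compile(r"^\s*(?P<key>[^=;]+?)\s*=\s*(?P<value>.*?)\s*$")
SAMPLE_INI = "[GoldMine]\nUserName=JDOE\n\n[Internet]\nSMTPServer=mail.example.invalid\nEmailReaderType=0\n"  # constructed

def find_email_reader_type(ini_text):
    """Return the EmailReaderType value under [Internet], or None if absent (names matched case-insensitively)."""
    section = None
    for line in ini_text.splitlines():
        m = _SECTION_RE.match(line)
        if m:
            section = m.group("name").strip().lower()
            continue
        m = _KEY_RE.match(line)
        if section == SECTION and m and m.group("key").lower() == KEY:
            return m.group("value")
    return None

def audit_goldmine_ini(ini_text):
    """'applied' if the workaround value is set, 'not_applied' if another value is set,
    'unknown' if section or key is missing (the advisory gives no default: review by hand)."""
    value = find_email_reader_type(ini_text)
    if value is None:
        return "unknown"
    return "applied" if value == SAFE_VALUE else "not_applied"

def apply_workaround(ini_text):
    """Return ini_text with EmailReaderType=1 under [Internet]; every other line is kept as is."""
    out, section, done = [], None, False
    for line in ini_text.splitlines():
        m = _SECTION_RE.match(line)
        if m:  # leaving [Internet] without having seen the key: add it first
            if section == SECTION and not done:
                out.append("EmailReaderType=1")
                done = True
            section = m.group("name").strip().lower()
        elif section == SECTION and not done:
            k = _KEY_RE.match(line)
            if k and k.group("key").lower() == KEY:
                line, done = "EmailReaderType=1", True
        out.append(line)
    if not done:  # no [Internet] section at all, or it was the last section
        if section != SECTION:
            out.append("[Internet]")
        out.append("EmailReaderType=1")
    return "\n".join(out) + "\n"
```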
Michael Scheidell, SECNAP Network Security, www.secnap.com
Credit:
The original problem with IE, Microsoft Outlook and Outlook Express was
found by Georgi Guninski and involved insecure default reading of malformed
HTML email in Outlook and OE and insecure running of HTML (see
http://www.guninski.com/browsers.html). Also, thanks to Jeff Bell, VP
Information Technology, Zino Mortgage (http://www.zinomortgage.com) and
Angel Alexander Magaña of FrontRange for their assistance in verifying the
problem.
Original copy of this report can be found here
http://www.secnap.com/security/gm001.html
Copyright:
Copyright (c) 2003, SECNAP Network Security, LLC. World rights reserved.
This security report can be copied and redistributed electronically provided
it is not edited and is quoted in its entirety without written consent of
SECNAP Network Security, LLC. Additional information or permission may be
obtained by contacting SECNAP Network Security at 561-999-5000.