This article applies to:
- Trustwave MailMarshal (SEG)
- Trustwave ECM/MailMarshal Exchange
Symptoms:
- MailMarshal vulnerable to Directory Traversal attacks when unpacking .ARJ archives
- ZDI-CAN-003
- CVE-2006-5487
- ADV-2006-4457
- Marshal Issue MM-151
Causes:
A vulnerability exists in the unpacking routines used in certain older versions of MailMarshal to un-compress .ARJ archive files.
Due to incorrect sandboxing of extracted filenames that contain directory traversal modifiers such as "../", an attacker could potentially cause an executable to be created in an arbitrary location.
While existing files cannot be overwritten, an attacker could leverage this vulnerability in a number of ways. For example, a malicious binary could be written in the "all users" startup folder.
Resolution:
To eliminate this vulnerability, upgrade to the latest version of MailMarshal SMTP or MailMarshal Exchange. This vulnerability was eliminated with a code change in the following versions:
- Trustwave MailMarshal (SEG) 2006, release 6.1.8.
- Trustwave ECM/MailMarshal Exchange, release 5.1.1.
Workarounds:
Although Trustwave believes few if any customers are still using the affected versions, the following workarounds apply:
- Create a separate disk partition (drive letter) used only for the MailMarshal unpacking folders. This solution will prevent unpacking applications from creating any files in a location outside the unpacking folders. This solution has the added benefit of improving MailMarshal performance.
- Run the MailMarshal Engine service using a Microsoft Windows account that has no rights to create files or folders outside of the MailMarshal unpacking folders. This solution requires folder security to be set correctly on all other folders on the server.
Notes:
Threat Assessment
This vulnerability represents a serious potential threat to the security of MailMarshal servers and the networks they protect.
Note: Marshal is not aware of any active attempts against MailMarshal servers, or any customer impacts from this vulnerability.
Credit
Marshal appreciates the cooperation of an Anonymous Security Researcher working with TippingPoint and the Zero Day Initiative in identifying this issue.
Marshal Product Security Contact Information
Marshal takes the security and proper functionality of its products very seriously. Please contact Trustwave Technical Support if you feel you have discovered a potential or actual security issue with a Marshal product.